Identity Theft and Data Breaches are no laughing matter
Posted by Adrian Sertl on Tue, Apr 05, 2011
Clients of the online marketing firm Epsilon have been in full damage control mode after the company announced on the 1st of April, and this is no joke, that on the previous day it had detected a significant data breach. According to Epsilon, the compromised data consisted of customer names along with their e-mail addresses; social security numbers and banking information were not among the stolen data. In an update posted yesterday, Epsilon said roughly two per cent of its clients have been affected by the data breach. That may seem like a small number in the grand scheme of things, but when you consider the companies that make up Epsilon’s clientele (CitiBank, CapitalOne, Best Buy, the Home Shopping Network, Walgreens, and TiVo, just to name a few), two per cent translates into potentially millions of people whose personal information has been stolen.
Epsilon is undertaking an investigation into how the breach took place, and as of this writing the cause remains unknown. The affected companies are currently contacting their own customers both to explain the situation and to warn them to monitor their inboxes, because a stolen list of names paired with e-mail addresses raises the risk of a targeted e-mail phishing attack. In most US states, corporations are required by law to notify their customers immediately of a data breach of any size or scope; in many instances failure to do so can result in penalties, up to and including serious criminal or civil consequences.
It is also interesting to point out that not all companies that operate in the United States are required to have programs in place to prevent identity theft. In fact, according to the Federal Trade Commission, the only companies required to comply with its Red Flags Rule are “financial institutions” and “creditors”; the long and short of it is that the rule only applies to an entity that holds customer accounts containing banking information used for transactions. So, knowing that not all companies need an identity theft prevention plan, one question begs an answer: what would be the harm in implementing one anyway?
For a large corporation, devising an identity theft prevention and mitigation plan would be a very good business practice, even if we only look at it from an optics point of view. Customers, both current and potential, want the assurance that if they decide to do business with you, any personal information that is collected will be kept under lock and key; this is even more starkly true when conducting business online. While the reality is that data breaches and identity theft attacks are an unfortunate part of the online landscape, having an up-to-date action plan and ongoing employee training can go a long way toward preventing diminished brand loyalty.
To its credit, Epsilon, as expected, does have a privacy policy in place which states that it is the company’s intent to keep any and all collected information as secure as possible. It is also important to note that its e-mail lists work on an ‘opt-in’ policy, so nothing is collected without prior consent. Finally, the company did act very rapidly, in conjunction with its own clients, to get the word out that a breach had taken place. It should be the hope of everyone involved that these swift actions minimize any damage done to the consumers they rely upon.