October 1, 2011 by Eduard Goodman, Chief Privacy Officer, Identity Theft 911
You’ve probably heard about the identity fraud epidemic in the United States. Unfortunately, this problem isn’t limited to our neighbours to the south. The number of Canadians falling prey to identity fraud is on the rise.
In fact, over the past three years, the number of reported identity-related crimes in Canada has skyrocketed by 32% for a loss of $9.4 billion in 2010, according to the Canadian Anti-Fraud Centre’s Annual Report. The numbers are likely higher because a large number of these crimes go undiscovered or unreported.
Indeed, the problem prompted this comment from the head of the criminal analysis unit for the Royal Canadian Mounted Police: “Identity theft is now probably the most important problem for Canadian consumers.”
So what exactly are identity theft and identity fraud?
The terms are interchangeable in the United States, but they hold different meanings in Canada. The Department of Justice Canada defines them as:
Identity theft: The preliminary steps of collecting, possessing, and trafficking in identity information for the purpose of eventual use in crimes such as personation, fraud or misuse of debit card or credit card data.
Identity fraud: The subsequent, actual deceptive use of the identity information of another person in connection with various crimes. Identity theft therefore takes place in advance of and in preparation for identity fraud.
Although the crimes are better defined in Canada, the methods used to commit them are similar in all common law countries – including the United States, the United Kingdom, Australia and New Zealand – because they have similar consumer credit systems.
The U.S. consumer credit system evolved to require authenticators for privacy and security purposes, since more than one person might have the same name and birthday. The primary authenticator needed to be something unique to each citizen. The Social Security number (SSN), issued to each citizen by the Social Security Administration, became that identifier.
In Canada, the primary authenticator is the Social Insurance number (SIN). Reliance on the SIN parallels use of the SSN in the United States and, to a lesser degree, the use of the National Insurance Number in the United Kingdom and its equivalent in Australia and New Zealand.
Combine these government-issued national identifiers with centralized credit reporting bureaus, and you have a perfect recipe for a high percentage of identity fraud in these countries.
Criminals hold the key to our social and financial identities because they can gain access to our personal information through government agencies and businesses.
Identity Fraud at the Business Level
Businesses of all types keep our personal information on file, often unprotected and easily accessed by criminals. Large-scale data breaches exposing consumers’ personal and financial information are becoming a weekly occurrence worldwide.
Canada isn’t isolated from this trend. Recent breaches here underscore how vulnerable Canadians’ information can be. Honda Canada’s breach exposed the names, addresses and vehicle identification numbers of more than 280,000 Canadians who had created personal accounts on MyHonda and MyAcura Web sites. Statistics Canada, the nation’s largest statistical agency, experienced a number of breaches over the past five years that have exposed citizens’ personal information. But the agency did not publicly report the breaches.
Liability for failure to act by Canadian entities is affecting the cost of doing business. A lost USB drive containing H1N1 vaccination records has led to a $40-million class action lawsuit. The suit, filed on behalf of 80,000 Canadians, was given the right to proceed by Ontario Superior Court Justice Peter Lauwers in April. It alleges a breach of a fiduciary duty, violation of privacy and breach of the Canadian Charter of Rights and Freedoms by the regional health department of Durham Region, Ontario – all because a nurse lost the USB drive in a parking lot.
Risks for Brokers
Regardless of the business size or industry sector, some level of potential liability always exists for data breaches that expose personal information. Even a small business that only sells products B2B and never touches the consumer could still experience a situation that affects the personal information of its employees.
Certain industry sectors, however, are particularly vulnerable to data breach incidents. Education, medicine, financial services and insurance areas tend to be among the highest risk for consumers. This is due to a number of factors ranging from the amount and type of data collected, to the amount of access and security available. But every business that takes in personal information, including bank, debit, credit and account information, has a risk.
For insurance agents and brokers, the risks are based on the nature of their job. Many brokers meet with clients outside of the office, and thus they rely increasingly on smart phones, tablets and laptops to gather their customers’ personal information for homeowners, auto and life insurance applications. But alongside the convenience of using these technologies comes the duty to protect data on these devices using passwords and encryption. That way, if a device is lost or stolen, the privacy of hundreds or even thousands of people isn’t jeopardized.
Brokers also face the low-tech risk of creating data exposures when they improperly dispose of paper records. These documents can contain various forms of personal information. Life insurance policies hold personal medical information. Auto insurance policies list driver’s license numbers and credit card/banking numbers. When they’re left next to a dumpster, they’re a treasure trove of information for thieves.
It’s not all gloom and doom. Brokers can protect themselves and their clients from unnecessary data exposures by following these basic, affordable practices:
Hope for the Best, Plan for the Worst
The biggest challenge to information security is that it only takes a small lapse in judgment by one person to cause a data exposure. When that happens, what do you do next? Be proactive about your response to a data security incident. Make sure you have a plan in place before something occurs.
Create an internal team responsible for developing and administering an incident response plan. This team should be empowered to make executive-level decisions should an event occur. In a small business setting, the team may consist solely of the owner.
Thoughtful incident response plans identify experts who will deal with the situation. These experts should include legal counsel, data risk management experts and fraud remediation specialists. Smaller companies should vet these experts in advance so they know whom to approach in a crisis. For larger operations, it pays to have these experts on retainer so they can be consulted immediately following a situation. Also, it’s worthwhile to maintain outside regulatory contacts, including the company’s provincial privacy commissioner and insurance provider.
When planning, it’s important to have in place proper risk-shifting strategies, such as data breach insurance. Data breach insurance is an emerging offering tied to cyber-insurance policies. It’s also increasingly common as an add-on to existing commercial policies or available as mono-line policies in the United States because of the costly notification requirements.
In the United States, businesses and government agencies are required to provide written notification of a data breach exposing unencrypted information to all affected individuals. The United States is currently the only country with this requirement, at least for now. But that doesn’t mean consumer notification in Canada isn’t a good idea, or that it isn’t on the horizon. This is why having the right insurance coverage in place to cover these costs is important.
Insurance Coverage for Data Breaches
There are two types of data breach coverages:
First-party coverages typically cover costs involved in providing for notice, administrative handling and consulting of the breach, and the provision of fraud detection tools such as credit monitoring and fraud remediation services for any affected individuals. They may often also include limited coverage for brief legal consultation on the handling of the breach itself. (No defensive costs.) The most robust of these first-party coverages also provides for data breach consulting services for all incidents regardless of whether or not a claim accrues.
Third-party coverages cover liability from the perspective of those affected. In other words, they will often cover legal costs to defend civil actions as well as government or regulatory actions. Emerging coverages might cover the costs of related fines, penalties or civil judgments associated with a data breach incident or identity fraud victims.
The evolution of both first- and third-party coverages is on a fast track in both the United States and Canada. Both are becoming increasingly available from Canadian insurers for purchase by Canadian commercial entities and businesses.
So What Does it all Mean?
Today, information is a commodity businesses and government use to serve Canadians in a myriad of positive ways. However, it is also misused by criminals to commit identity fraud. That’s why it is so important for both business and government entities to plan for what happens if they lose this precious personal data and to properly insure against the risks inherent with living in our 21st century information society.
In the end, whatever the nature and cause of a data security breach, we all need to recognize that identity fraud crimes always have more than just one victim. Of course, you have the individual whose information was misused by a criminal. But then you have the financial institutions and businesses that have to cover the fraud losses. Finally, you have the Canadian consumer, who pays higher costs for goods and services because businesses pass their fraud costs on to the customer. They may also wind up paying higher taxes to cover the costs of securing information from criminals who fraudulently obtain government documents and benefits. In the end everybody loses.