My name is Joseph Ansanelli and I am the CEO of Vontu, Inc. Our company
provides information security software to help organizations protect consumer
data by monitoring for the inappropriate distribution of non-public personal
information via the internet. I am honored to provide testimony on information
security, consumer data and the risks for consumers.

Identity Theft is the Risk for Consumers

The FTC recently provided an excellent answer to the question "What's at Risk
for the Consumer?" They estimate that approximately 10 million people in the
last year alone were victims of Identity Theft. These victims reported $5
billion in out-of-pocket expenses and countless hours of lost time repairing
their credit histories. In the last five years, almost 30 million people or 10
percent of the US population were victims of identity theft. Clearly, identity
theft is what is at risk for consumers.

Losing Consumer Trust is the Risk for Business

This is not only a risk for consumers, but is a risk for business as well. As
part of the same FTC report, the losses to businesses totaled nearly $48 billion.
Additionally, there is a risk that is not mitigated through insurance or
other strategies - loss of consumer trust. Vontu recently commissioned a survey
of 1000 consumers in the United States to better understand the effect that
security of customer data has on consumer trust and commerce. Some of the
findings include:
- Security drives purchasing decisions - More than 75 percent of consumers said
security and privacy were important in their decisions from whom they purchase.
- Consumers will speak with their wallets - Fifty percent said that they would
move their business to another company if they did not have confidence in a
company's ability to protect their personal data.
- Insider theft increases concerns about a company's data security efforts -
More than 50 percent of the consumers surveyed said an insider breach would
cause them to be more concerned about how a company secures their information.
Clearly, financial costs and loss of consumer trust, as a result of identity
theft, are what is at risk for business. The question is how does cybersecurity
play into these risks?

The Insider - A Major Cause of Identity Theft

While most security testimony has focused on the threats related to hackers
breaking into computer networks from the outside, my remarks today will focus on
a new and growing security threat - insiders. The sad fact is that many identity
thieves never have to break through a firewall. Their employer has issued them a
username and password that gives them access to a virtual treasure trove of
consumer data.
Every day, companies throughout this country create and store millions of
records that contain social security numbers, credit card numbers and other
types of non-public personal information. At most of those companies, a
significant percentage of employees have legitimate access to this data. This
has created a potentially explosive combination of companies storing more
consumer information and at the same time providing insiders with more access to
that data.
Last year, the volatility of this combination made headlines. A customer
service employee of Teledata Communications Inc. who had easy access to consumer
credit reports allegedly stole 30,000 customer records. This theft caused
millions of dollars in financial losses and demonstrates that even though any
computer system can be hacked, it is much easier, and in many cases far more
damaging, for information to be stolen from the inside.
Teledata is the single largest identity theft crime ever prosecuted. However,
I am convinced that this kind of crime continues today, yet it often goes
unrecognized. Insiders use their legitimate access to copy sensitive information
and with a few clicks of their mouse, send it outside the company.
Law enforcement and regulators are also starting to raise the issue of the
growing danger to consumers from insiders. Special Agent Tim Cadigan testified
this summer that the Secret Service has assembled special teams to investigate
the growing number of incidents where fraud rings enlist corporate employees in
schemes to steal consumer information.
Mr. Howard Beales, Director of the Federal Trade Commission's Bureau of
Consumer Protection, said in January that the FTC continues to see evidence that
insiders were stealing consumer data at an increasing rate and using it to
commit identity crimes. In September, the FTC reported that about a quarter of
all consumers who knew that their information had been stolen believed that
insiders were responsible.
Lastly, consumer credit information provider TransUnion recently issued a
publicly available report stating that the top cause of identity fraud is now
theft of records from employers or other businesses.
The problem of better protecting consumer data is no longer just an issue of
keeping out the hacker but also one of ensuring that those with access to the
data keep the information secure.

Consumer Data Security Standard

It is clear that we need new efforts to minimize this growing risk to consumers
and businesses. However, I do not believe new government regulations alone can
solve this problem. Instead, the right solution is to build a partnership of
government and industry using both "the carrot and the stick".
To begin with, I suggest this committee develop a Consumer Data Security
standard - possibly as part of the proposed Consumer Privacy Protection Act of
2003 (HR 1636). This standard would ensure a national, unified and standard
approach to protecting consumer information and thereby stop one of the primary
sources of identity theft. It should be self-regulating with oversight from
appropriate agencies when problems arise and include a requirement for companies
to:
1. Protect and ensure the confidentiality of all non-public personal
information;
2. Detect potential misuse of consumer information;
3. Ensure compliance by its workforce with their data security policies;
4. Correct problems as they are discovered.
These requirements are similar to those required under Gramm-Leach-Bliley and
HIPAA. Are the industries covered by these regulations unique in their need to
protect personal data? It seems that any business that manages sensitive
financial or other non-public personal information exposes consumers to identity
theft. Whether it is providing your social security number when purchasing a
mobile phone or using your credit card to buy groceries, you are exposing your
personal information to theft - a cross-industry, unified approach is needed.
Additionally, this committee may want to make notification a part of this
standard. In our survey, consumers said they wanted to be notified early and
often when security and privacy violations occur. In fact, 80 percent said they
want to be notified when companies are 75 percent sure that a violation has
occurred.
This Consumer Data Security standard is the "stick" to ensure that
there is a base level of responsibility for consumer data protection.

Safe Harbor

As mentioned earlier, a partnership between government and business is
required to better protect consumer information. Unfortunately, today many of
the current and proposed Federal and State regulations serve as a disincentive
to proactively search for insider breaches or inappropriate disclosures of
consumer information. For example, the risk of civil lawsuits or regulatory
censure discourages some companies from going beyond what is considered a base
requirement. Future legislation should include a regulatory "carrot"
through a "safe harbor" to encourage companies to go beyond basic
security requirements and aggressively pursue potential leaks of data without
fear of severe penalties.
This approach of the "carrot and stick" would not only encourage
most companies to adopt new consumer protections quickly, it would free limited
government resources to concentrate on the most egregious violations of the
standard itself. Additionally, this proposal would help to solve one of the
unaddressed issues regarding Identity Theft in both of the current Fair Credit
Reporting Act bills approved this year by the House and the Senate.
In closing, the increasing costs of identity theft coupled with consumers'
increased demands for security protection are driving these issues to the top of
the agenda for consumers, business and government. If more is not done by all
parties involved with respect to protecting electronic information, the costs
will continue to grow, potentially affecting the country's ability to expand its
leading position in the world economy.
I hope these comments will prove helpful to the subcommittee as it continues
its deliberations on improving consumer data security. I welcome the opportunity
to continue working with you, and am happy to answer any questions you might
have.
Thank you.
2003 Customer Information Trust Survey
Those organizations that sit on the highest perch when it comes to customer
trust have the farthest to fall if they lose that trust according to the 2003
Customer Information Trust Survey commissioned by security technology innovator
Vontu, Inc.
Consumers have the greatest amount of trust that companies within the health
care industry have measures in place to protect personal information from
identity thieves. Web retailers and retailers scored near the bottom in consumer
trust in a ranking of 14 major industries. However, even the companies that
scored well with consumers can face serious financial consequences if security
breaches within their organization lead to a loss of consumer trust. Some of the
major findings of the survey are:
- Security is important in the purchasing decision. More than 75 percent of
the consumers said security and privacy were important in their decisions
from whom they purchase.
- Not all security breaches are equal in the eye of the customer. More than
54 percent said security breaches by insiders or employees, now one of the
fastest growing contributors to identity theft, would have the greatest
impact on their trust in an organization.
- Consumers choose with their wallets. Fifty percent said that they would
move their business to another company if they did not have confidence in a
company's ability to protect their personal data.
Vontu Information Trust Rankings*
Hospital or Clinic 82%
Pharmacy 79%
Bank 78%
Charity/Religious Org. 78%
Airlines 60%
Car Rental Company 53%
Utility 48%
Credit Card Company 47%
Cable Company 42%
Restaurants 42%
Hotels 41%
Web Retailers 41%
Retail Stores 38%
Grocery Store 25%
* The Vontu Information Trust Rankings rate 14 major industries based on the
level of trust consumers surveyed said they had that these organizations would
protect personal information from identity theft.
Two examples of the questions from the survey are:
- How important is privacy and security to your purchasing decision?
Very important 19%
Important 57%
Not important 9%
Unsure/No Comment 14%
- If an insider (such as an employee of the company) stole your data rather
than an outsider (such as a computer hacker), would it change your answers
to the previous question about trust?
Yes - More concerned about insider 54%
Yes - Less concerned about insider 12%
No - No difference 17%
Unsure/No comment 18%
©2003 Vontu Inc.