Back in February, the Mandiant cybersecurity firm released a report chronicling six years of Chinese state-sponsored corporate cyber espionage and online intellectual property theft. It stirred fear, trembling, and outrage in the business community, especially among the 115 U.S.-based blue chip firms that had been targeted. American businesses, we were told, were locked in cyberwar.
But what did their war have to do with us, the typical e-consumer?
The more savvy among us web users and e-commerce shoppers were already at least somewhat wary when it came to our individual online security. We armed our devices with antimalware software, we filtered spam, we didn’t respond to emails in broken English from the widows of toppled Nigerian prime ministers promising a fortune in return for our bank account numbers. Cyber thieves, hackers, con-artists? We were on to them!
But, come on now, what does the People’s Liberation Army have to do with us?
Read the Verizon data breach report released in April. It disclosed that, in 2012, nearly one out of five “data breach attacks were connected to state-sponsored organizations.”
Businesses that do business on the Internet are the immediate targets of data breach attacks. The ultimate targets, however, are consumers: us. We are not just potential victims of random hackers, thieves, and scammers, but the targets of state-sponsored attacks. We are in this cyberwar. Ground zero is us.
A report released earlier this month by Javelin Strategy and Research revealed “billions of dollars” in consumer fraud and losses. In 2012, 1,611 breaches occurred—up 48 percent from 2011. Break it down: The average stolen credit card results in a $1,600 loss. If a data breach nets a Social Security number, however, it becomes possible for attackers to take over the victim’s financial accounts or, even better (for the attacker), to open new accounts in the victim’s name. When an SSN is compromised, the average loss is $5,100. In most cases, the victim can recover at least a portion of the loss, but typically will spend $776 out of pocket and devote some twenty hair-pulling hours to resolve the matter.
And “resolve” is very much a relative term. When your SSN is compromised, you may find yourself spending years—maybe the rest of your life—looking over your digital shoulder.
Okay, so what’s the answer? What can we do?
There are some proactive steps to take. Deal with online firms either well known to you personally or well known generally: the brand names. When you do business online, read the e-merchant’s privacy and security policies. All businesses have legal obligations to provide “reasonable” safeguards against data breaches and to notify customers when such breaches occur. The actual laws, however, vary widely from state to state. You cannot rely on them for a full fix. For this reason, if an e-business is proud of its security and promotes it as a selling point, so much the better. If it does not, communicate with the company. Tell management that you would like to do business with them, but you have concerns about security.
Before you transmit to an e-merchant any personal or financial information, look closely at the website address as displayed in your browser. Chances are, the address of the opening page will be preceded by “http://.” That’s fine. But when you click to the page that asks for your payment information, you should see “https://,” often accompanied by a locked padlock icon. This tells you that the business is using not just hypertext transfer protocol (http), but hypertext transfer protocol secure (https), which provides data encryption and secure identification of the server. It’s an elementary but absolutely essential layer of online security. Don’t disclose personal or financial information on a web page lacking that final s.
That’s the good news for consumers. The bad news is that, beyond this handful of protections, there is relatively little the individual can do proactively to be protected against the fallout from a data breach.
Companies, as just pointed out, do have legal obligations. While most states require e-merchants to provide a level of security defined (more or less vaguely) as “reasonable,” most state laws focus less on preventing breaches than on reporting them after they are detected. Although this may strike you as pretty lame (Horses galloped off! Quick, close the stable doors!), it is actually very important. Consider:
- In 2012, 12 percent of all consumers had their online data breached.
- In 2012, 51 percent of all fraud victims also received a data breach notification.
These figures are staggering, but even more stunning is what most of that 51 percent typically does with the breach notification they receive. They throw it away.
Just as it is a mistake for us, individual e-consumers, to think of ourselves as noncombatants in the ongoing cyberwar, so it is a mistake—a potentially life-changing mistake—to assume that we are powerless when a company we do business with suffers a data breach. Instead of throwing away a breach notification, heed it as a call to action:
- Read it—carefully. Chances are the company breached will offer you free identity protection services for some period following the breach. This is neither a scam nor an empty gesture of phony contrition. It is a valuable offer. Accept it. Credit monitoring services can help notify you of unusual or suspicious activity on your credit report, such as attempts to open credit accounts in your name. Often, these services also include direct assistance to you in resolving any fraud that may occur.
- If the breach notification offers no free identity protection help, consider signing up for such a service and paying for it yourself.
- Immediately contact your bank and the holders of your credit accounts to notify them of the breach and to ask about its potential effect on your accounts.
- If you are informed that your Social Security number has been compromised, contact the three major credit reporting firms (Equifax, Experian, and TransUnion) and have them flag your report with a fraud alert. This will tell lenders that any application for credit made in your name should be scrutinized—which generally means a phone call to you before an account is opened. If you want to take even more aggressive action, ask for a security freeze, which will prevent any lender from even accessing your credit file. Neither of these steps will adversely impact your credit rating; however, you will have to order any freeze temporarily lifted if you need to secure credit, rent an apartment, or apply for a job.
- If your banking, credit, and other financial accounts offer e-mail or text alert services, sign up for them. These may warn you of any unusual activity in your accounts and give you a fighting chance to stop a fraud before it occurs.
Feeling hassled yet? Welcome to the war.
June 14, 2013