Protecting Your Company, Employees and Customers from Identity Theft Presented by: Bill Morrow CSIdentity Chairman and CEO

1
Protecting Your Company, Employees and Customers
from Identity TheftPresented by Bill
MorrowCSIdentity Chairman and CEO
2
Agenda

• Risks Businesses Face Today
• Identity Theft Overview
• Identity Theft Protection and Data Security
• Questions Answers

3
Risk and The Opportunity Cost

• Risk to expose oneself to the chance of injury
  or loss, to venture upon, take or run the chance
  of an outcome put oneself in danger or hazard.

• With RISK taking there is an opportunity or
  payback for a sacrifice OR consequences to pay
  for not taking a risk. In todays business
  environment and with identity theft, there is an
  opportunity cost -- the cost of doing nothing.
• There is no payback for accepting or allowing the
  RISK to occur.

• Consequences for inaction are greater than ever
  before not just from a lost revenue
  perspective but also from a legislative point of
  view with state and federal regulations setting
  compliance standards.

4
Managing Risk

• Identity theft is ever-evolving and criminals are
  becoming more sophisticated, scheming ways to
  infiltrate businesses, find the gaps in security,
  manipulate the system and discover ways to
  further deceive consumers.
• Businesses need to be ahead of the curve, and
  stay ahead of criminals, to protect their assets
  including revenue, customer base and employees.
• Legislation is established as a result of
  incidents - reacting to discovered threats.
  However, today there are unrealized threats and
  areas where your company is unknowingly
  unprotected.
• Its important to be proactive versus reactive
  when it comes to fraud and identity theft.
• Manage risk close the gaps.

5
Identity Theft and Related Fraud Risks

• Hiring employees who use false identity data to
  mask a criminal history and gain access to your
  networks and data from the inside
• Retaining employees who have committed criminal
  offenses after being hired and screened
• Employee errors, loose policies or internal fraud
  causing data breaches of company, customer and
  employee data
• Thieves or hackers externally accessing your
  network and data
• Criminals buying and selling your company and
  customer data to other criminals who use it to
  commit more crimes
• Maintaining incomplete current safeguards that
  may allow for gaps in security

6
Spear-phishing Whaling
Do you know who your colleagues report suspicious
e-mails to? Would you or your senior management
team recognize a whaling e-mail or use a USB from
an unknown source?
7
Criminal Chat Room Activity
8
Identity Theft Overview
9
Identity Theft Has Evolved And Grown Significantly
Source Deloitte Research, Identity Theft
Understanding the Experience of Private Sector
Organizations, 2006.
10
The Evolution Of Identity Theft Makes Banks The
Number One Target Of Identity Thieves

• Banks are targeted
• 7 of the top 10 targeted institutions
• Responsible for more than 25 of complaints
• Why are banks targeted?
• Consumers only involved in fraud detection on
  their personal existing accounts
• Credit monitoring does not provide information on
  debit accounts
• Communication providers are targeted
• 3 of the top 10 targeted institutions
• Responsible for 15 of identity theft complaints
• Fraudulent Phone Fraudulent Bank
• Reinforces control of identity
• Both used to verify identity authenticity
• Creates significant merchant losses

11
Identity Theft Is Not Simply Credit Card Fraud

• Businesses and consumers are targeted in multiple
  ways.

• Employment Fraud
• 1.8 M applicants use stolen identities
• 30 of applicants falsify credentials
• Phone Fraud
• Service obtained under stolen identity
• Third parties authenticate using phone
• Government Documents Fraud
• False DL/Passport defeat verification
• False IRS, SSA, HHS claims
• Criminal Fraud
• Crimes committed with false identities
• Prevents detection during employment
  or other screening activities

2006 FTC Identity Fraud Theft Statistics
FTC Data Clearinghouse 2006. Survey results
include some cases of identity theft where the
individual was impacted by more than one area
(i.e. credit take-over and credit new account). 
For purposes of presenting in a pie chart, survey
results were pro-ratably adjusted for these cases
in order that a relative comparison of types of
identity theft could be presented.
12
FTC Data Trend Shows Decline In Credit-Related
Identity Theft
Credit-related identity theft is declining while
non-credit-related identity theft has increased
since 2002. Identifying both types of identity
fraud and theft is key.
Non-Credit Related
Credit Related
Down 40
Up 17
2002 2003 2004 2005 2006
Credit Related 30 23 19 18 18
Non-Credit Related 70 77 81 82 82
FTC Data Clearinghouse 2006.
13
Identity Theft Crimes Impact Individuals In
Countless Ways

• Unable to secure a job
• Wrongly arrested
• Tax liabilities
• IRS audits
• Fraudulent tax refunds
• IRS notice of undeclared income
• Unable to buy a home
• Unable to buy a car
• Unable to pay for college
• Theft/loss of government benefits
• Fraudulent payday loans issued
• Property deeds compromised property sold
  fraudulently

• Damage to professional reputation
• Unable to open new bank accounts
• Existing bank accounts shut down
• Existing bank accounts drained
• Unable to open new credit accounts
• Existing credit terminated
• Existing credit used fraudulently
• Unable to take out loans
• Fraudulent loans
• Health insurance used fraudulently
• Erroneous health records due to fraud
• Loss of security clearances

14
Consumers Are Targeted By Growing And Evolving
Identity Theft Crimes
Identity Theft Is Growing
Identity Theft Is Evolving
65 Increase
Non-Credit 93 Increase
Victims
12.3 M
15 M Victims
Victims
6.37 M
9.1 MVictims
2.73 M
2.7 M
2002
2006
2002
2006
Credit 1 Decrease
Identity-theft-related fraud IDC, 2006
FTC, 2006
Individual Losses Are Increasing
International Black Market Identity Trade
131 Increase in One Year
17.3 CAGR
1.6 B
1.5 B
1.3 B
3,257
1.1 B
0.9 B
0.7 B
1,408
2005
2006
2007
2008
2009
2010
2005
2006
Gartner, 2007
IDC, 2006
15
Businesses Are Targeted Both To Commit Fraud And
To Steal Identities
Cost per Record Exposed in Data Breach
197
149
2006
2007
Source Ponemon Institute
Aggregate Business Identity Losses (not due to
breaches)
( in billions)
57
57
53
53
2006
2003
Source Javelin Strategy and Research Survey
2006.
16
Protect Your Company From Data Security Breaches

• Businesses are also targeted because they control
  identity data for hundreds of thousands or
  millions of identities in centralized
  repositories.

• 85 percent of companies have experienced a data
  breach in the past two years.
• 1 to 3 data breaches occur daily.
• Approximately 90 percent of most breaches are due
  to people and policy issues.
• 6.3 million average cost per breach, up from
  4.8 million in 2006.
• 197 average cost per record lost.
• Companies suffer legal liabilities, loss of
  market share (2.67), brand equity and customers
  with increased churn.

People, process and policy security breaches
Source Ponemon Data Breach Study, November 2007.
17
Identity Theft Protection and Data Security
18
Regulatory Landscape

• Agencies, financial institutions and businesses
  face a myriad of federal and state regulatory
  requirements, for example
• Patriot Act
• Sarbanes-Oxley
• Fair Credit Reporting Act
• Fair and Accurate Transactions Act
• Gramm-Leach-Bliley Act
• State data privacy and security laws

19
Identity Theft Defense Framework

• Understand environment, criminals, and motives
• Why would the data you control be desired?
• How would a criminal conduct transactions with
  your organization using a stolen identity?
• Are you vulnerable to internal risks from
  employees, contractors, and vendors?
• Understand risk areas
• What types of transactions are high risk and
  where would they occur?
• Are their gaps between systems or organization
  silos that can be exploited?
• Install controls to identify and prevent theft
  and fraud
• Who do you hire?
• Who has access?
• Who conducts transactions who authorizes, who
  overrides, and who is responsible?
• Who monitors and audits?
• Plan for post-fraud response
• What constitutes a breach and what defines the
  severity of breach?
• Who is notified and how is information conveyed
  to exposed victims?
• What victim protection solutions will be extended
  based on data exposed and severity of breach?

20
Identity Data Security Requirements

• Thirty-nine states (including Texas) have data
  security and privacy legislation.
• Federal legislation mimicking California data
  security and privacy legislation is pending
• Define data requiring compliance Personal
  Confidential Information (PCI).
• Name associated with Social Security number,
  drivers license, account data (debit or credit),
  usernames and passwords, and other sensitive data
• Protect PCI data from exposure.
• Storage database, desktop, laptop, paper
• Transfer e-mail, other network, backup tape
  (other medium), physical
• Destruction data storage timelines, physical
  storage and destruction policies
• Define a policy for responding to data security
  breaches.
• Proactively develop data breach response plan as
  part of overall disaster recovery efforts
• Promptly implement breach plan upon breach
  identification
• Notify consumer victims and extend victim
  protection services in response to a breach

21
Properly Created Plans Provide Overlapping
Compliance Capabilities Reducing Risks and
Liabilities
Components Compliance Requirements / Satisfaction
1. Verify Employee Identities and Background Social Security verification confirms only the accuracy of the SSN, not the identity and fails to detect applicants concealing elements of their background GLBA, FCRA
2. Verify Customer Identities For all transactions account origination, transactions, and account changes GLBA, FCRA, FACTA
3. Employee Awareness Employee identity protection solutions with identity monitoring and ongoing training reinforce data security awareness GLBA and State Laws
4. Customer Awareness Provide identity theft awareness materials and/or retail programs online and in physical environments GLBA
5. Data Protection Identify personal confidential information, its location, encryption, access and storage requirements and risk by identity element GLBA, FACTA
6. Exposure Detection Detect when accounts or customer identities have been exposed to reduce fraud losses and protect customer FACTA
7. Incident Response Plan Prepare an incident response plan based on type of breached data and severity of breach now GLBA, FACTA, State Laws
8. Victim Protection and Assistance Deploy the incident response plan promptly to educate victims to their level of risk and protection available GLBA and State Laws
22
About CSIdentity
23
CSIdentity Targets Identity Fraud Across
Industries And Markets
Consumer Comprehensive identity theft protection
and personal security solutions.
Government Detection of altered, fabricated and
stolen identities used by individuals crossing
borders and utilizing the United States
transportation systems.
Business Identity theft and fraud detection, HR
Benefits, breach management solutions, data
solutions and security tools.
24
Multiple Security Layers Provide Comprehensive
Fraud Detection and Protection
Vendors
Employees
Customers
CSIdentity Solutions
ID Verification Monitoring
SAFESM Security AuthenticationFor Employees
Vendors
Enterprise Account Protection Blanket Solutions
CSIdentity ProtectorSM
Data Breach Mitigation Solutions
25
Questions Answers