Capital One breach: 106 million customers
Georgia Tech breach: 1.3 million customers
Facebook breach: 50 million customers
These are just a few examples of what seems to be a regular news feature these days: data breaches at large, reputable and — presumably — secure companies.
But even with today’s sophisticated safeguards in place, determined hackers can sometimes find a way in. When they do, we read about yet another data breach.
Equifax breach: 143 million customers
We hear these breaches lead to problems such as identity theft, but what does that mean and how does it happen? We also hear there’s identity theft protection available. But how does it protect us? What does it protect? And who does it protect us from?
In this article, we’ll explore the answers to all those questions. We’ll share the potential problems that large-scale data breaches can cause as well as the dangers of small-scale hacking. We’ll show the costs these problems incur for both individuals and companies. And we’ll show how an identity theft protection benefit can help mitigate, avoid and sometimes even solve those problems.
The real dangers of a data breach: identity theft and internet fraud
Techopedia defines a data breach as “an incident that involves the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service.”
So, by itself, a data breach is extremely concerning for the company involved but doesn’t always lead to identity theft. Sometimes unauthorized access is a mistake. In general, a data breach is a warning sign for identity theft, not the actual symptom. The symptom is when illegally accessed data is exploited or sold. That’s when internet fraud and identity theft occur.
The FBI defines internet fraud as “the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them.” Data breaches can result in basic fraud when thieves use your data to target you and those linked to you. This can vary from simple email schemes to phishing attempts to the activation of ransomware on your device.
Identity theft is a specific type of fraud where thieves use your identity to achieve fraudulent aims. Creating new accounts with your information, making purchases with your credit cards, and filing false tax returns to steal the refunds are just a few examples.
The problem with a breach isn't just the information stored there; it's how a thief could use that information to exploit other accounts and areas of your life. It’s about using personal information and known passwords to unlock other accounts. It’s about learning enough about you and your habits that someone else could use your identity for their own gain.
That's exactly what's happening on the dark web. Hackers breach a company's databases, retrieve what they can, and then sell that data to identity thieves and fraudsters on the dark web. Because the dark web is so complex and technologically diverse — like a digital wild west — even the most sophisticated monitoring programs are not enough to hunt those deals down. That's why it takes real people — dedicated, trained specialists — like the ones employed at InfoArmor, to warn you when your personal information is up for sale.
Phishing: another way for hackers to steal your data
As companies step up their cybersecurity efforts, some hackers see it as a challenge and step up their efforts, too. In fact, some of the hacking tools available on the dark web are just as sophisticated as the security software they're built to overcome.
Other hackers prefer a much easier route. Rather than breaking through and bypassing security, they prefer to be invited in. They'll let your employees open up the gates instead of breaking through. They'll politely ask for personal data and your employees will, unknowingly, give it to them. This “end around” way of hacking your employees’ data is called phishing.
Phishing is one of the most recognized forms of hacking. That's because it targets employees themselves rather than company databases.
On the front end, phishing is often no more than a simple email. It will seem to come from a familiar, reputable source — your bank, your healthcare, even your company itself.
Meanwhile, on the back end, the energy put into a phishing attempt can vary. Some phishers attach code designed to run when the email is opened. Others link to forms where you can submit the information requested — asking you to log in first, of course, so they can capture your username and password. And still others not only direct you to their capture forms, but also construct elaborate mimic sites that look and feel just like the real thing. Look closely at them, though, and you'll find at least one substantive difference in the phishing site’s URL.
The end result of a phishing attempt is different from a breach because the only data stolen is from those the scam “worked” on. Phishers are also more likely to move quickly to exploit any data they receive, as opposed to breaches, where hackers must put their stolen data on sale and look for buyers on the dark web.
Sometimes, hackers are even hired to phish a specific company. As we showed in a previous blog post, the going rate for their illicit services will blow your mind.
Quantifying the threat: What does identity theft cost your employees?
Employees dealing with identity theft face an uphill battle against time, stress, and their finances.
On average, an identity theft case takes 100 to 200 hours to remedy, according to the Identity Theft Resource Center’s Aftermath studies. That’s roughly 12 to 25 full workdays.
The average time period for this to occur, from submitting a claim to finalizing paperwork, is about six months.
The average out-of-pocket costs are $1500 — not including any funds actually stolen.
And these are just the “average” numbers. Some identity theft cases take years to unravel and cost tens of thousands of dollars.
The stress employees go through during this time is unimaginable for those who haven’t faced it. Stolen funds, locked or closed accounts, ruined reputations — these are just a few of the things victims deal with as they struggle to work, complete their claims, and repair the damage.
Quantifying the threat: what does identity theft cost your business?
Employers also incur costs from their distracted and stressed employees. According to Gallup’s State of the American Workplace, distracted employees account for:
70% more employee safety incidents
25–59% higher turnover
21% lower profitability
17% lower productivity
And phishing attacks alone are estimated to cost American businesses over $500 million per year.
These are just a few of the ways identity theft can affect your bottom line. What is 100 hours of an employee’s time worth? That’s a very conservative estimate of what each case of identity theft is costing you. What is the cost of onboarding a new employee when their struggles with identity theft lead to turnover? Another direct cost.
Then there are potential costs such as regulatory fines, litigation expenses, and reputational damage, all of which are discussed in the C-Suite Imperative: Offer Identity Theft Protection to Employees as a Benefit.
So how can you get protection for yourself and your employees at the same time? By making sure more of your employees are protected, both in and out of the workplace. And the best way to do that is by providing identity theft protection as an employee benefit.
What is identity theft protection?
Unfortunately, there are many types of programs out there claiming to provide identity theft protection. The only feature that all of them have in common is some form of credit monitoring — and for some, that’s all they do.
In this section, we'll look at a broad range of features that may or may not be covered in an identity theft protection program. You can also take a deeper look at privacy protection definitions and why they matter. The more of these features that your identity theft benefit covers (and the more thorough that coverage is), the less risk exposure for both your company and your employees.
Credit report monitoring
Credit-based account monitoring
Social media monitoring
Dark web monitoring
Credit report monitoring is the "low hanging fruit" of privacy protection. It's basically just looking at credit reports and score changes, identifying events that impacted scores in a negative direction, and verifying with the customer that those changes were legit.
Credit-based account monitoring scans the accounts that impact your credit score the most: banking, credit cards, investments, etc. It looks for suspicious activity as well as financial error. Potential problems could include duplicate charges, failed login attempts, unusual purchase behaviors and geographic anomalies. Not all programs will pick up on all of these situations, however, so make sure you know what your monitoring software is capable of.
Social media monitoring looks for signs of hacking on your social media accounts. Account takeovers are big here. Good social media monitoring will also let you scan your account for vulgar and explicit language, violent or threatening messaging, and potentially damaging content.
Dark web monitoring involves searching the dark web for signs of hackers selling breached data to thieves, such as National Provider Index numbers (NPI). This is not possible to do with automated scans alone due to the nature of the dark web’s infrastructure and the secretiveness of the thieves. Because this is such a labor-intensive process, reliant on human agents, only a handful of identity protection benefits offer true dark web monitoring.
Recovery insurance also varies widely by program. Be careful to learn exactly what is insured and what is not when making an identity theft benefit decision.
At its most basic, recovery insurance covers the costs associated with an identity theft recovery. These can include filing fees, claim fees, statement requests, postage, etc. A slightly better solution may or may not cover additional costs such as legal fees, out-of-work costs, emergency quality-of-life funds, etc. And in the very top tier are a few identity theft protection solutions that actually replace stolen funds regardless of whether they can eventually be recovered.
PrivacyArmor with its $1,000,000 identity theft insurance policy is one of these.
Customer support is another promise where all the value is in the implementation. It’s easy to provide FAQ sheets, forums, and educational content. Providing human support for guidance and Q&A is the next step. And in the very top tier you’ll find support advocates who are available 24x7 and do as much of the recovery work for you as possible. That’s the level of service our Privacy Advocates provide.
What identity theft protection is not
There are several myths regarding identity theft protection that need to be dispelled here.
It does not protect and monitor every account you’ve ever logged into
Every privacy protection program is a little bit different in terms of what it monitors and how it accomplishes those tasks. Credit-based accounts such as banking and credit cards are the most common. A few monitor social media accounts. But all those other accounts — shopping, news sites, membership portals, etc. — are seldom monitored, if at all.
You can’t just turn it on and be protected
One of the biggest misconceptions about identity theft protection is that it's a turnkey solution. You just flip the switch on and you’re covered. The truth is that identity theft protection doesn’t — and really can't (or at least, shouldn’t) — perform important tasks such as shutting down or blocking your accounts, changing your passwords, and initiating claims on suspicious activity all on its own. So your identity theft protection should do the next best thing: alert you when those activities might be warranted so you can consider them.
It’s not just monitoring software running in the background
This misconception speaks to the value of what identity theft protection really is. The problem is that some privacy protection solutions are exactly that and nothing more. If people think your identity theft benefit is just a glamorized monitoring software, they may be less tempted to elect it. A good protection benefit, however, is much more than that. Not only can the application and sophistication of the AI used in monitoring algorithms vary greatly, but also the implementation of human elements — such as PrivacyArmor's 24x7 advocates and dark web investigators — can provide a tremendous amount of additional value.
Why identity theft protection as an employee benefit makes sense
Since identity theft protection benefits both company and employee, including it as part of your employee benefits package is the most natural solution.
Offering it as a benefit also provides the following advantages:
Gives the issue visibility
Shows the company recognizes identity theft as a problem and is endorsing a solution
Provides a "platform" for the company to share privacy and identity theft related news and updates, even if the employee doesn't opt-in to the actual service
Forces a decision, where the employee needs to make a conscious choice regarding their identity theft protection, but also lets your workforce know it’s available should they need it or change their minds down the road
That last point is critical. Even if they don't choose to elect privacy protection coverage, you've made them think about the issue. This in itself can lead some employees to be more sensitive to identity theft related issues. Potentially, knowing they passed on protection could even encourage them to make better decisions involving their data security.
As a company, you have a variety of options when choosing identity theft protection as an employee benefit.
First, there is the type of program you offer. You could go with simple "monitor and inform" software, or you could offer a full-fledged solution, such as PrivacyArmor, which offers many features above and beyond account scanning. Some of the most important features to look for in a complete solution are:
Dark web monitoring
Insurance for stolen funds as well as recovery costs
Your second major choice is the employee subscription rate you want to target. This depends on what percentage of the subscription cost your company wants to pay. Here you have three options:
Fully company funded with no additional cost to the employee so it’s automatically part of their benefits package
Partially subsidized, where the company pays a designated portion and the employee pays the remainder
Fully employee funded, where the subscription cost is passed straight through to the employee
The good news is that you get to decide what makes the most sense for your company.
Helping you choose an identity theft benefit
Need more compelling evidence that your company needs an identity theft benefit? Check out our free ebook, Why Companies Should Care When Employees Have Their Identities Stolen.
Know you need it but not sure which one? Our Identity Protection Service Checklist will help you compare any other solution out there with our own PrivacyArmor product.
Or simply give us a call. We’d love to chat and we’re here to help.