When thinking about your 2016 New Year’s resolutions, include some data security resolutions on your list! The Kentucky Chamber of Commerce in coordination with Wyatt Tarrant & Combs, LLP, hosted a Cyber Security and Data Privacy seminar on December 17, 2015. This blog post highlights several ideas for resolutions that came from thoughts expressed by speakers during the seminar. In the coming year, think about what you should be doing to protect your personal identity as well as to protect the personal information of your customers, clients, patients and employees. Here are ten resolutions to get you started:
RESOLUTION #1 – I will NOT use a credit or debit card at a gas pump. This resolution can serve a two-fold purpose: a) You can make progress toward your 10,000 steps by walking to the cashier window, and b) you can protect yourself from identity theft. Dan Jackman, a cyber security task force officer with the FBI, stated during the seminar that thieves are stealing credit card information from gas pumps and explained how they do it. According to Officer Jackman, there are ONLY five different pump keys for the entire Commonwealth of Kentucky. So, dishonest fraudsters take a job with a gas station just to get access to the pump key so they can open the pump casing and change out credit card readers, not just at that station but dozens of stations using the same key. By gaining access to the inside of the pump, they can replace the card reader in a way that it cannot be detected when closing and locking the pump casing. The fraudster makes the switch in the dead of the night. Credit/debit cards are being ripped off in a matter of seconds within the time they are used at a pump with a fake card reader. Apparently, this type of theft is rampant in Kentucky.
Officer Jackman recommends going to the window to use a credit card or pay cash (thereby making this a two-part resolution because you will get some steps). If you cannot break the habit of paying at the pump, then use a prepaid card to limit your losses. Avoid using a debit card tied to your checking account.
RESOLUTION #2 – I will be cautious when using my debit card. Because debit cards are tied directly to our lifeline, i.e., checking account, Officer Jackman recommended, “tear ’em up!” Okay, this may be too hard for some of us but do take more precautions when pulling out your debit card. Officer Jackman advised against using your debit card to pay for merchandise on-line and if you must use a debit card at a store terminal, select the option to have treated it as a “credit” card. Never let your debit card out of your sight, such as allowing a waiter to carry it off to process your meal tab. When using the debit card for banking transactions (such as withdraws, funds transfers, deposits), use it ONLY at an actual bank terminal that is in a highly secured area or at a convenient store ATM clearly identified as a bank terminal. If your debit card is tied to the account from which you also pay your mortgage, car payment, student loans, etc., consider setting up a separate account for these crucial funds so they will not be compromised in the event of debit card theft.
And, by all means, if you bank on-line, regularly check your on-line bank account debits, credits and balances or promptly check your bank statements. Although Visa and MasterCard have developed a number of fraud prevention procedures to limit debit card risk, immediately investigate unfamiliar transactions and promptly report suspicious transactions to your bank. Prompt reporting means within 2 days! Under Regulation E, your liability for debit card fraud is $50 but only if you notify the bank within two days of discovering the fraud. Your liability may increase to $500 if you take more than 2 days and if you take longer than 60 days from the date your bank statement was mailed, you may be unable to recover any of the stolen funds unless your bank has set more consumer friendly limits on liability. Know your bank’s fraud liability policies.
In recent cases where hackers have gained access to debit card transaction information held by retailers, it has sometimes taken several months for cardholders to receive reimbursement. Some financial institutions offer online “alerts” of unusual transactions. Finally, beware of emails or telephone calls asking for your card or account number, even if they appear to be from your bank.
RESOLUTION #3 – I will change all of my passphrases on a regular basis, use different passphrases for different accounts and use “passphrases” instead of old-fashioned passwords. It may sound onerous, but Officer Jackman said that combining the name of a book with the name of an author (not the author of the book) can actually be easier for the consumer to remember but more difficult for a fraudster to guess. Using a phrase from a song is another alternative. Officer Jackman said passphrases are more difficult to crack – the old “letter, number, symbol” password is no longer as effective. Many individuals when forced to use complex passwords default to one password across multiple accounts thereby weakening the security for all of the accounts protected by the same password.
RESOLUTION #4 – I will freeze my credit. Officer Jackman suggested that the most effective method to protect your credit is simply to “freeze” your credit (it generally costs $10 per credit reporting company and does not need to be renewed annually, as it will last until it is “unfrozen”). He recommends freezing credit over using a credit monitoring service. Officer Jackman elaborated by saying it is easy to unfreeze your credit when applying for a loan (e.g., bank, auto dealership, furniture store, etc.) or a job. Simply lift the freeze for only one reporting agency and only with regard to a specific prospective creditor or employer. In particular, Officer Jackman sees many identity theft situations (often involving consumer social security numbers and other sensitive information) at auto dealerships and furniture stores. The Federal Trade Commission (FTC) has posted FAQs on freezing credit (click here)
RESOLUTION #5 – I will NOT rely solely on anyone else to protect my identity. There is no silver bullet for protecting your personally identifiable information. You must remain vigilant. Do not rely on someone else to protect you. Some of the identity protection services, such as Lifelock, have been under scrutiny by the FTC. See this recent FTC press release (click here).
RESOLUTION #6 – I will NOT log into a public Wi-Fi network. There is no security for your personal information when you log into public Wi-Fi networks supplied for your convenience at airports, city plazas, coffee shops, malls, etc. Even logging into an otherwise secure banking, healthcare, or other secure portal over a public Wi-Fi network can expose your password to a fraudster monitoring activity over the network. Once the fraudster has stolen your passphrase over the unsecured, public network, they have the key to your confidential information. Also, ensure that your children and other family members do not log-into their social media or other accounts that require a password over a public Wi-Fi.
RESOLUTION #7 – I will check any contracts between my business and vendors. Review, or have reviewed, contracts between your business and third-party vendors to make sure a) your vendors agree to have in place adequate data privacy and security measures and b) your business is protected in the event of a breach by the vendor. Consider these questions when reviewing these contracts: Has the vendor agreed to operate in compliance with any applicable laws? Does the vendor have cyber liability insurance and is your business named an additional insured on that policy? Has the vendor had an audit? (If so, obtain a copy and review it.) Does the vendor have a written information security plan? Is the vendor required to have certain security measures in place? Is information required to be encrypted when it is at rest and in transit? Is your data stored in the United States? Is the vendor required to promptly inform someone in your business in the event of a security incident? These are just a few of the questions to consider when reviewing your business vendor contracts. Consider having your legal counsel review vendor agreements where the vendor will have access to confidential consumer or business data.
RESOLUTION #8 – I will review the liability insurance coverage for a data loss by my business. Check your cyber liability insurance. If you have only commercial general liability coverage without an endorsement specifically providing coverage for a data loss, then your business is likely unprotected by a hacking incident or employee negligence that causes a loss of consumer or business data. Policies vary widely in the types of coverage provided because the coverage of data losses is still new and evolving. Some of the questions to ask include: Does my policy cover the potential data loss scenarios that could lead to a claim by a consumer or a third party? Does it cover employee actions or just actions by people outside of my company? Have I made any representations in the application for insurance for which my business is not in compliance? Is the amount of coverage adequate? Is my business covered for fines and penalties under applicable state and federal data breach laws? If I have various policies, has my broker reconciled my coverages? There is a trend to hold Directors and Officers accountable for data breaches. Have I reviewed my Directors and Officers (D&O) insurance for coverage and is it adequate? These are just a few of the questions to ask when reviewing your cyber liability insurance coverage.
RESOLUTION #9 – I will review my business data privacy and security policies and procedures. Does your business have a written information security plan, including a network security risk management and information security response plan? Review the plan to make sure that your business can, and does, follow it. As a follow up, conduct a “table top exercise” where team members meet in an informal setting to discuss their roles when responding to various data loss or data breach situations to test the effectiveness of your security response plan. Be sure to update your plan with what you learn.
RESOLUTION #10 – I will consider reporting fraud. If either your business or you have been subjected to a fraud involving cyber security, then consider reporting the fraud to IC3.gov (click here), which is the FBI’s Internet Crime Complaint Center. The FBI collects complaints at IC3.gov and analyzes internet crime trends. According to Officer Jackman, if fraud is reported and there is restitution, then “the FBI will make sure you are in the mix”.
We could go on with our list of identity theft prevention tips for your New Year’s list of resolutions but we’ll stop here for now. Additional identity theft prevention tips are available at Identify Theft Resource Center (click here) and at the FTC’s Consumer Information website (click here). In the meantime, hopefully, the 10 tips we have listed will help you and your business get off on the right foot for 2016.
These are a few thoughts for resolutions from the Data Privacy and Security Team at Wyatt Tarrant & Combs. We wish you a Happy, Healthy and Prosperous, Data Secure 2016!