Fraud Notification Process
By Henry Bagdasarian
There are currently many laws that require consumer fraud notification on the part of companies. In general, these laws require companies to notify consumers each and every time they become aware of stolen or lost consumer information, if the companies suspect the compromised information might potentially lead to identity fraud. Some time ago, I wrote an article about why the words "identity theft" might be a misleading term for describing this crime, and this article provides a good opportunity to reinforce that theory one more time. Notice that above I said companies must notify if they suspect there is potential for identity fraud as a result of the misplaced, lost or stolen personal information when determining whether consumer fraud notification is necessary or required. In other words, if consumer information is lost or stolen but the company concludes, based on a reasonable assessment, that the lost or stolen personal information is safe and will not lead to identity fraud, then the company does not need to notify consumers that they face the risk of identity theft. The term identity theft by itself means nothing if the lost or stolen information is useless.
The consumer fraud notification process can be broken down into three high-level steps, also known as DIP: a) Discovery of lost or stolen data and devices containing sensitive information, b) Identification of any personal information, and c) Probability assessment of fraud.
Discovery - With regard to consumer fraud notification and compliance with such laws and requirements, the first challenge for companies is to have timely knowledge when personal information is disclosed to unauthorized people. The laws don't specify a time period in which companies must discover any unapproved disclosure of information, but rather require timely assessment of the situation for consumer fraud notification upon discovery of such unauthorized disclosures. Companies rely on many sources to gain evidence of, or detect signs of, lost or stolen information. They rely on employees to report such cases, review system logs for any unauthorized access or suspicious information download, or, in the worst-case scenario, learn of the loss upon actual occurrence of fraud based on the stolen information. After fraud occurs, dots may be connected during the fraud investigation to identify the fraudster and how the person obtained the information to commit the identity fraud. Sometimes, although it is extremely difficult, depending on where the fraudster obtained the information as well as the fraud pattern and victims, companies may discover that certain company confidential information was compromised and used to commit the identity frauds. Companies should try to avoid discovering stolen information only through actual fraud analysis, as the purpose of proactive discovery, identification and notification of lost or stolen data is fraud prevention. Proactive attempts to discover any unauthorized access to personal and confidential information include system monitoring and employee awareness and education, so that employees report any lost or stolen information via established procedures.
Identification - The next challenge for companies is to determine whether the lost or stolen information included any personal information. From my own experience, when employees report a lost or stolen laptop and are asked whether they had stored any confidential information on their computers, in some cases they can't even answer the question. If companies don't want to rely completely on clueless employees to determine whether lost or stolen information included personal information of their clients and employees, then they must control and monitor the flow of information within the company at all times. They must restrict the employees' ability to store any confidential information on their laptops or other mobile devices unless it is properly approved and logged for future reference. The task of following the trail of all confidential information throughout its lifecycle is of course extremely time-consuming, operationally inefficient and difficult. However, if companies want more control than mere reliance on their employees to determine whether lost information and devices included personal information, they must follow the trail, unless they are willing to accept the additional risk of delayed consumer fraud notification and non-compliance with the laws. One other way to resolve the lost or stolen laptop and mobile device issue is to encrypt the device, so that even if confidential information were stored on it, it would be useless to the thieves. Now, if companies can't clearly and speedily identify which devices are encrypted, management faces another challenge. All devices must either be restricted from storing data or be encrypted and tracked for future reference.
Fraud Probability - The last challenge is to decide whether mass consumer fraud notification must be sent out. This is a very difficult decision for companies. Consumer fraud notification means the company will be on the front pages of major media outlets, might lose credibility and clients, may face potential lawsuits after the data breach goes public, and may even face government audits. In this last stage, companies must decide whether the disclosed personal information can lead to identity fraud. One way companies try to avoid such massive consumer notifications, which would cost a huge amount of money and effort, is by encrypting or de-identifying the confidential information, so that even if it is lost or stolen it is useless to the people who possess it: they will be unable to read and understand the scrambled information unless they have the key to convert it back to its original, readable form. Preventive measures like data encryption protect companies from massive consumer fraud notification when information is lost, because if the information is useless and can't be understood, then there is no potential for identity fraud or information misuse. Unfortunately, if companies are unable to conclude whether the lost information included personal information, or if they can't conclude whether the devices containing client information were encrypted, consumer fraud notification must be on the list for consideration by their Legal group. In addition, encryption alone does not solve all problems, as information can be shared by phone, handwritten, or printed, in which case additional measures must be considered.
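The three DIP steps above amount to a decision procedure for each reported loss: was personal information on the device, is that even knowable, and was the device encrypted? The following is an added example (not the author's own method or any product's code) that models that triage in Python over a constructed device inventory and storage-approval log. The device ids, record fields, data-class names and outcome labels are assumptions made for this example; the branching follows the article's rules, including the fallback to Legal whenever either the data content or the encryption status cannot be concluded.

```python
# Added example, not from the original article: a triage model of the DIP
# process (discovery -> identification -> fraud probability) for a lost device.
# Device ids, record fields, data-class names and outcome labels are constructed
# assumptions for this example, not anything the article specifies.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set

# Data classes treated as "personal information" in the identification step (assumed).
PERSONAL_DATA_CLASSES = {"ssn", "account_number", "date_of_birth", "driver_license"}


class Outcome(Enum):
    NO_PERSONAL_DATA = "no personal data on device: record and close"
    ENCRYPTED_UNUSABLE = "personal data present but device encrypted: unusable to a thief"
    NOTIFY = "unencrypted personal data lost: start consumer notification process"
    ESCALATE_TO_LEGAL = "data content or encryption status unknown: refer to Legal"


@dataclass(frozen=True)
class InventoryEntry:
    device_id: str
    encrypted: Optional[bool]   # None: encryption status was never tracked
    storage_restricted: bool    # True: device is technically blocked from storing data


@dataclass(frozen=True)
class StorageApproval:
    """A logged approval to store the given data classes on a device."""
    device_id: str
    data_classes: Set[str]


def identify_personal_data(entry, approvals, employee_report):
    """Identification step. Returns (personal data classes found, whether the answer is known).
    employee_report is the employee's own list of what was on the device, or None if
    they cannot say."""
    logged = [a.data_classes for a in approvals if a.device_id == entry.device_id]
    if not logged and entry.storage_restricted:
        return set(), True            # policy and controls say nothing could be stored
    if not logged and employee_report is None:
        return set(), False           # nothing tracked and the employee cannot answer
    classes: Set[str] = set().union(*logged) if logged else set()
    classes |= set(employee_report or [])
    return classes & PERSONAL_DATA_CLASSES, True


def assess_loss(device_id, inventory, approvals, employee_report=None):
    """Identification plus fraud-probability decision for one reported loss (discovery)."""
    entry = inventory.get(device_id)
    if entry is None:
        return Outcome.ESCALATE_TO_LEGAL      # untracked device: nothing can be concluded
    personal, known = identify_personal_data(entry, approvals, employee_report)
    if not known:
        return Outcome.ESCALATE_TO_LEGAL      # cannot conclude what was on the device
    if not personal:
        return Outcome.NO_PERSONAL_DATA
    if entry.encrypted is None:
        return Outcome.ESCALATE_TO_LEGAL      # cannot show the data is unusable
    if entry.encrypted:
        return Outcome.ENCRYPTED_UNUSABLE
    return Outcome.NOTIFY


# Constructed sample inventory and approval log.
INVENTORY: Dict[str, InventoryEntry] = {e.device_id: e for e in [
    InventoryEntry("LT-001", encrypted=True, storage_restricted=False),
    InventoryEntry("LT-002", encrypted=False, storage_restricted=False),
    InventoryEntry("LT-003", encrypted=None, storage_restricted=False),
    InventoryEntry("LT-004", encrypted=False, storage_restricted=True),
    InventoryEntry("LT-005", encrypted=True, storage_restricted=False),
]}
APPROVALS: List[StorageApproval] = [
    StorageApproval("LT-001", {"ssn", "date_of_birth"}),
    StorageApproval("LT-002", {"account_number"}),
    StorageApproval("LT-003", {"driver_license"}),
]

if __name__ == "__main__":
    for dev in ["LT-001", "LT-002", "LT-003", "LT-004", "LT-005", "LT-999"]:
        print(dev, "->", assess_loss(dev, INVENTORY, APPROVALS).value)
    # An employee report fills the gap for a device with no logged approvals.
    print("LT-005 (employee reports ssn) ->",
          assess_loss("LT-005", INVENTORY, APPROVALS, ["ssn"]).value)
```

Note the design choice in `identify_personal_data`: a device with no logged approvals is "known" only if it is storage-restricted or the employee can say what was on it, so an employee's answer of "nothing confidential" is accepted as a conclusion. That is precisely the reliance on employees the article cautions against; in an organization that tracks approvals and encryption for every device, the logged records become the authoritative answer and the employee report only adds to them.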
The entire process of discovery, identification, and fraud probability assessment is very important and challenging when considering whether or not to send mass consumer fraud notification. The notification process must be executed carefully and as expeditiously as possible.