Identity Theft Risk Management

An effective identity theft risk management program must consider and prioritize all risks associated with identity theft threats, ineffective controls or lack thereof, and identity theft consequences including fraud losses, lost productivity, unhappy customers, negative media coverage, and penalties arising from non-compliance with regulatory requirements and contractual agreements.

The excessive collection, retention and sharing of personal information, and its storage in computer systems that are sometimes unprotected or connected to public networks, make computer incidents far more devastating for companies and their millions of customers. A system intrusion has a much higher impact than the non-technical or physical theft of personal information, such as hard copy reports, because digital information can be stored, carried around, shared and therefore stolen in much higher quantities and at much greater speed. Many business databases hold millions of customer records containing email addresses, names, credit card numbers, dates of birth, and unique identifiers such as the social security number used in the United States, all of which can easily be used to commit fraud.

External intrusions and unauthorized employee activities to steal personal information as well as attempts made by outsiders and insiders to commit fraud pose some of the greatest identity theft risk management challenges for companies.

The Insider Factor

Damage inflicted by insiders is common and can be enormous. Although some employees have authorized access to business information for legitimate business reasons, their access to systems and information is often overlooked and not fully monitored to detect suspicious activities. This lack of control is often due to the perception that because their access is authorized, they are entitled to the information and will not abuse that entitlement. This assumption could not be further from the truth: they are not entitled to the information, and we cannot assume they will not abuse their access privileges. Companies are better off implementing internal controls specifically designed to restrict and monitor insider activity, including activity unrelated to the employee's work, inconsistent with policies and procedures, or occurring at unusual times of day.

Data Breach Incidents

With the rising number of personal data breach incidents, companies are concerned not only with protecting the personal information in their possession from external and internal threats, but also with personal information stolen from other companies, which can be used to defraud them. Companies face identity theft and fraud risks regardless of where the information was obtained. High quality personal information stolen from any source, which can easily be used to commit fraud, has a wide identity theft ripple effect on many other companies. Affected companies may have the best information protection practices; however, if their identity theft risk management efforts do not address their own operations, they are likely to experience fraud due to another company's negligence.

Identity Theft Risk Management Categories

Identity theft risk management efforts are usually concentrated in three general areas: protection of personal information, compliance, and fraud management (prevention, detection and resolution).

Definition of Risk

Risk is the probability or threat of damage, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities which may be avoided through preemptive action.

Identity theft risks exist around personal data protection in the accumulation, retention and sharing stages, as well as around identity fraud and compliance in business operations.

As companies increasingly share information with third parties to reduce costs associated with product development, operations, and data storage, they must trust and rely on third party risk management efforts.

Risk Assessment

Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat or hazard. Quantitative risk assessment requires calculating two components of risk: the magnitude of the potential loss, and the probability that the loss will occur.

Acceptable Risk

Acceptable risk is a risk that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expected loss value.

Risk Factors

Risk is a function of three factors:

• Value of the assets
• Likelihood of the threat
• Impact or the extent of the harm

Risks must be identified through a risk assessment, and a value must be placed on each risk in order to decide on a possible countermeasure. The following formula can be used to put a value on a risk:

Risk = Consequence × Threat likelihood × Vulnerability

Below is an example:

Threat = New account fraud using stolen ID
Threat likelihood = High (0.9)
Vulnerability = Low (0.3), because of excellent fraud detection controls
Consequence = $3000 if the fraud succeeds

Therefore, the identity theft risk is calculated as 3000 × 0.9 × 0.3 = $810.

Risk Mitigation

In order to manage risks efficiently, a cost vs. benefit analysis must be performed to determine whether a countermeasure is necessary, the type and timing of the countermeasure, and the degree to which the countermeasure will decrease the likelihood or the consequence of the threat.
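As an added example (not part of the original article), the following Python script applies the Risk = Consequence × Threat likelihood × Vulnerability formula from the Risk Factors section to the page's new account fraud figures, then runs the cost vs. benefit test described above against two constructed countermeasures and applies the Acceptable Risk definition (a risk is accepted when every available countermeasure costs more than the loss it would avoid). The High = 0.9 and Low = 0.3 ratings come from the page; the Medium = 0.6 value, the countermeasure names, costs and reduction factors, and the modelling of a control as a multiplier on one risk factor are assumptions made for this example.

```python
"""Quantitative identity theft risk scoring and countermeasure cost/benefit.

Implements Risk = Consequence x Threat likelihood x Vulnerability and the
cost-vs-benefit test for countermeasures. High/Low values match the page;
Medium = 0.6 is an assumed midpoint added for this example.
"""
from dataclasses import dataclass
from typing import Union

# Qualitative-to-quantitative scale. High and Low are the page's values;
# Medium is an assumption.
RATING_SCALE = {"low": 0.3, "medium": 0.6, "high": 0.9}


def as_probability(value: Union[float, str]) -> float:
    """Accept a 0..1 number or a rating label and return a probability."""
    if isinstance(value, str):
        try:
            return RATING_SCALE[value.strip().lower()]
        except KeyError:
            raise ValueError(f"unknown rating {value!r}") from None
    p = float(value)
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p}")
    return p


@dataclass
class Risk:
    threat: str
    consequence: float                # dollar loss if the threat succeeds
    likelihood: Union[float, str]     # probability the threat is attempted
    vulnerability: Union[float, str]  # probability existing controls fail

    def __post_init__(self):
        if self.consequence < 0:
            raise ValueError("consequence must be non-negative")
        self.likelihood = as_probability(self.likelihood)
        self.vulnerability = as_probability(self.vulnerability)

    def expected_loss(self) -> float:
        # Risk = Consequence x Threat likelihood x Vulnerability
        return self.consequence * self.likelihood * self.vulnerability


@dataclass
class Countermeasure:
    """A control described by its cost and how it scales each risk factor.

    A factor of 1.0 leaves that term unchanged; 0.5 halves it. Modelling a
    control as a multiplier is a simplification assumed for this example.
    """
    name: str
    cost: float
    likelihood_factor: float = 1.0
    vulnerability_factor: float = 1.0
    consequence_factor: float = 1.0

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk once this control is in place."""
        return Risk(
            risk.threat,
            risk.consequence * self.consequence_factor,
            risk.likelihood * self.likelihood_factor,
            risk.vulnerability * self.vulnerability_factor,
        )


def evaluate(risk: Risk, cm: Countermeasure) -> dict:
    """Cost vs. benefit: worthwhile when the avoided loss exceeds the cost."""
    residual = cm.apply(risk).expected_loss()
    avoided = risk.expected_loss() - residual
    return {
        "countermeasure": cm.name,
        "residual_risk": residual,
        "avoided_loss": avoided,
        "net_benefit": avoided - cm.cost,
        "worthwhile": avoided > cm.cost,
    }


def rank_countermeasures(risk: Risk, options: list) -> list:
    """Order the options by net benefit, best first."""
    return sorted((evaluate(risk, cm) for cm in options),
                  key=lambda e: e["net_benefit"], reverse=True)


def is_acceptable(risk: Risk, options: list) -> bool:
    """Acceptable risk: every available countermeasure costs more than
    the loss it would avoid, so the risk is tolerated as-is."""
    return all(not evaluate(risk, cm)["worthwhile"] for cm in options)


# Worked example using the page's figures; the countermeasures are constructed.
NEW_ACCOUNT_FRAUD = Risk("New account fraud using stolen ID",
                         consequence=3000, likelihood="High", vulnerability="Low")

OPTIONS = [
    # Hypothetical: stronger identity proofing halves the chance controls fail.
    Countermeasure("Enhanced identity proofing at account opening", cost=200,
                   vulnerability_factor=0.5),
    # Hypothetical: a premium verification service cuts it to a tenth, but for
    # this single risk it costs more than the loss it avoids.
    Countermeasure("Premium third-party verification service", cost=1000,
                   vulnerability_factor=0.1),
]

if __name__ == "__main__":
    print(f"{NEW_ACCOUNT_FRAUD.threat}: expected loss "
          f"${NEW_ACCOUNT_FRAUD.expected_loss():.2f}")
    for e in rank_countermeasures(NEW_ACCOUNT_FRAUD, OPTIONS):
        print(f"  {e['countermeasure']}: residual ${e['residual_risk']:.2f}, "
              f"avoided ${e['avoided_loss']:.2f}, net ${e['net_benefit']:+.2f}, "
              f"worthwhile={e['worthwhile']}")
    print("risk acceptable as-is:", is_acceptable(NEW_ACCOUNT_FRAUD, OPTIONS))
```

Run as-is, the script reproduces the page's $810 figure, shows the $200 control avoiding $405 of expected loss (worthwhile) while the $1000 control avoids $729 but nets out negative, and reports that the risk is not acceptable as-is because an affordable countermeasure exists. Because the expected loss is per occurrence, in practice the consequence or likelihood would be annualized so that the avoided loss is compared against a countermeasure's cost over the same period.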

Identity Theft Compliance Risk

The Red Flags Rule was created to address identity fraud prevention regardless of where personal information is stolen from. This law is a huge step in the right direction for identity theft and fraud management professionals. For many years the focus, especially from a regulatory standpoint, has been on information protection; however, we now recognize that information stolen from any source can affect any company. That is why the Red Flags Rule was created: to force and guide companies facing high risks of identity theft to develop and implement an effective identity theft prevention program that addresses program management, executive oversight, risk assessments, identity theft red flag management online or offline, policies and procedures, training, and vendor risks.

Identity Management Institute created and administers the Certified Red Flag Specialist® certification, which is closely aligned with US government requirements and guidelines for identifying and detecting identity theft red flags in order to prevent fraud when information protection fails and personal information is stolen, regardless of the theft source.

Learn about identity theft risk management certifications at Identity Management Institute.