2016 Data-Breach Response Report: Best & Worst Values

6:31 PM

Posted by: Unknown

Data breaches have become a fact of technology-age life, with 1,303 breaches exposing more than 190.8 million records since January 2015, according to the Identity Theft Resource Center. In fact, breaches have become so commonplace that a cottage industry offering identity-theft-related services to victims has emerged, enabling breached organizations to save face and cajole angry victims.

It’s therefore fair to wonder which victims have received the best and worst deals. In search of an answer, WalletHub evaluated 20 major data breaches dating back to 2007, including those affecting Target and the Office of Personnel Management. We compared the corresponding post-breach services in terms of 12 relevant metrics, such as the types of features offered to victims. Below, you can find the results of our analysis, followed by a Q&A with a panel of leading data breach experts and a detailed methodology.

  1. Main Findings
  2. Detailed Findings
  3. Ask The Experts
  4. Methodology

Main Findings

Poor Protection: Post-breach services are completely inadequate, with none of the affected organizations earning a score above 70/100 relative to WalletHub’s ideal response.

Note: No organization received a WalletHub Score above 70.

Major Features Missing: None of the responses included credit freezes, ongoing credit-report access or free credit scores – all major elements of identity protection.

Fraud Resolution: 90% of breached organizations offer access to an “Identity Resolution agent,” who ostensibly provides customized support.

Best & Worst Credit Monitoring: South Carolina’s Revenue Department won with 44 months of triple-bureau monitoring and real-time alerts, while Jimmy John’s, Dairy Queen and Costco offered no credit monitoring.

Best & Worst Supplementary Monitoring: The Office of Personnel Management gave victims internet surveillance, SSN tracking and change-of-address alerts, while eight organizations offered no supplementary monitoring.

Best & Worst Overall Responses: OPM provided the most comprehensive package of post-breach benefits, while Costco had the worst response due to a complete lack of such services.

Detailed Findings

Ask The Experts: Comparing Post-Breach Responses

For a closer look at how post-breach service contracts are awarded and why some breached organizations provide victims with far better packages than others, we posed the following questions to a panel of leading industry experts. You can find their bios and responses below.

  1. What services/compensation should victims of a data breach receive, and who should foot the bill?
  2. What are the most important aspects of post-breach victim services?
  3. To what extent do post-breach services enable an organization to begin to rebuild?
  4. Why would a consumer trust a breached organization to effectively handle the aftermath of a breach when it couldn't prevent the problem in the first place?
  5. What are the dos and don’ts of post-breach victim services?

Methodology

WalletHub evaluated the services offered to victims of 20 high-profile data breaches in the last 10 years using public records and a rubric comprised of 12 relevant metrics across three overarching categories: 1) Credit Monitoring; 2) Supplementary Monitoring; and 3) Fraud Resolution. This rubric, which represents what WalletHub believes to be the ideal response, can be found below.

Upon the completion of our analysis, we sent our findings to each of the 19 organizations included in the report for verification. Eight organizations cooperated fully in the process (Target, CVS Caremark, Kmart, Staples, Neiman Marcus, T-Mobile, SC Dept. of Revenue, Premera), while two provided partial information (The Home Depot and Michael's), seven responded but could not meet our deadline (TJX, Dairy Queen, Anthem, Excellus, GA Secretary of State, Jimmy John's and Costco) and two declined the opportunity to comment entirely (OPM, UCLA Health).

Please note that we obtained the South Carolina Dept. of Revenue’s overall score by averaging results of its two post-breach service providers. Furthermore, we used the currently effective coverage term (3 years) to evaluate OPM’s breach response, as a court-mandated extension to 10 years has not been implemented yet.

Sources: Data used in this report were obtained from OpenGov.com, the Identity Theft Resource Center, news reports and WalletHub research.



from Wallet Hub


via Finance Xpress
