ncl consumer data insecurity report: examining data breaches june 2014

The Consumer Data Insecurity Report: Examining the Data Breach — Iden ty Fraud Paradigm in Four Major Metropolitan Areas

Sponsored by: Independently produced by:


2

CONTENTS Forward .................................................................................................................................................................. 3 Overview ................................................................................................................................................................ 4 Execu ve Summary ................................................................................................................................................ 5 Key Findings ........................................................................................................................................................... 7

General .............................................................................................................................................................. 7 Business ............................................................................................................................................................. 7 Government ....................................................................................................................................................... 8

Metropolitan Area Fraud Vic m Profiles ............................................................................................................. 10 The Data Breach — Iden ty Fraud Paradigm ....................................................................................................... 13 How Consumers React to Fraud ........................................................................................................................... 17 Vic ms’ Expecta ons ........................................................................................................................................... 21 Methodology ........................................................................................................................................................ 30 Appendix .............................................................................................................................................................. 31

TABLE OF FIGURES Figure 1: Fraud Vic ms Who Received Data Breach No fica ons, by Metropolitan Area .................................. 10 Figure 2: How Compromised Informa on Was Misused, by Metropolitan Area ................................................ 11 Figure 3: Types of Fraud Experienced by Fraud Vic ms, by Metropolitan Area .................................................. 12 Figure 4: Type of PII Breached and Misused, by Industry .................................................................................... 13 Figure 5: Type of Financial Account Informa on Breached and Misused, by Industry........................................ 14 Figure 6: Type of Organiza on Where Informa on Was Compromised .............................................................. 15 Figure 7: Number of Iden ty Fraud Occurrences for Data Breach Vic ms and Non‐Data Breach Vic ms ......... 16 Figure 8: Ac ons Taken by Vic ms as a Result of Experiencing Iden ty Fraud ................................................... 17 Figure 9: Agencies Contacted A er Fraud by All Fraud Vic ms and Vic ms Whose PII Was Breached, by Type of Organiza on Where Breach Occurred .................................................................................................... 18 Figure 10: How Fraud Affected Data Breach Vic ms’ Level of Trust, by the Industry Where Breach Occurred.. 19 Figure 11: Data Breach Fraud Vic ms’ Level of Confidence That the Industry in Which Breach Occurred Could Protect Them From Future Fraud .............................................................................................................. 20 Figure 12: Perceived Effec veness of Fraud Preven on Ac vi es Among All Fraud Vic ms and by Metropolitan Area ............................................................................................................................................... 21 Figure 13: Industries That Should Be Held Accountable and Business Avoidance Postbreach, by Fraud Vic ms Whose Informa on Was Breached at FIs, Retailers, and Other Organiza ons ................................................... 22 Figure 14: Organiza ons That Should Be Held Responsible for Protec ng Accounts During Recent Fraud, According to Non‐data breach Vic ms and Data Breach Vic ms ........................................................................ 23 Figure 15: Organiza ons That Should Be Held Responsible for Restoring Iden ty A er Recent Fraud, According to Non‐data breach Vic ms and Data Breach Vic ms ........................................................................ 24 Figure 16: Agreement With Statement, by Type of Organiza on Where Informa on Was Breached ................ 25 Figure 17: Fraud Vic ms’ A tudes Regarding Data Breaches ............................................................................. 26 Figure 18: Agreement With Statement, by Metropolitan Area ........................................................................... 27 Figure 19: When No fica on Should Be Provided A er a Data Breach, by Fraud Vic ms .................................. 28 Figure 20: Type of Organiza on Where Informa on Was Compromised, by Most Recent Fraud incident ........ 31 Figure 21: Informa on Compromised in Most Recent Fraud Incident, by Vic m Type ....................................... 31 Figure 22: Rate of Fraud Vic miza on by Type of Data Breached ....................................................................... 32


3

FORWARD This white paper was sponsored by the Na onal Consumer League. It explores the

a tudes, experiences, and percep ons of fraud vic ms in four metropolitan

areas: Chicago, Los Angeles, Miami, and Minneapolis. The white paper was

independently produced by Javelin Strategy & Research, a Greenwich Associates

LLC company. Javelin maintains complete independence in its data collec on,

findings, and analysis.


4

OVERVIEW As the use of consumers’ personally iden fiable informa on (PII) by businesses

con nues to evolve, sensi ve data is constantly being placed at risk of

compromise. To ensure that consumers can take necessary ac ons to protect

themselves a er a breach has occurred, 47 states have enacted data breach

no fica on laws.1 Yet despite the patchwork of state laws and industry‐specific

federal legisla on and regula ons,2,3 the past couple of years have been especially

trying for both consumers and breached organiza ons. Among all types of

sensi ve data, financial informa on is most favored by criminal organiza ons,

which are now more than ever successfully targe ng this data for the and

subsequent misuse.

To be er understand the data breach‐iden ty fraud paradigm, Javelin surveyed

fraud vic ms in four major metropolitan areas across the U.S.: Chicago, Los

Angeles, Miami, and Minneapolis. In comparing the experiences of fraud vic ms

who had suffered a data breach with those who did not, the effects of data

breaches on the integrity of consumer iden es are readily apparent. It is evident

that data breaches have become part of the public consciousness, specifically

because of their role in facilita ng iden ty fraud. This has severe implica ons for

all stakeholders, as affected consumers are holding a variety of organiza ons

accountable for failing to protect their PII from being compromised, bought, sold,

and misused by fraudsters, hackers, and other criminal en es. Changing the

status quo is cri cal to maintaining consumer trust in an environment where PII is

successfully stolen en masse, on an all too regular basis.

1 h p://www.ncsl.org/research/telecommunica ons‐and‐informa on‐technology/security‐breach‐no fica on‐laws.aspx, accessed June 2, 2014.

2 h p://ithandbook.ffiec.gov/media/resources/3372/frb‐sr‐05‐23.pdf, accessed May 14, 2014. 3 h p://www.hhs.gov/ocr/privacy/hipaa/administra ve/breachno fica onrule/index.html, accessed June 2, 2014.


5

EXECUTIVE SUMMARY Despite the broad patchwork of data security breach no fica on laws and

regula ons currently in place, data breach‐fueled iden ty fraud is on the rise. In

2013, nearly 1 in 3 data breach vic ms suffered iden ty fraud, compared with 1 in

9 in 2010.4 Yet not only has the actual connec on between data breaches and

fraud con nued to grow, but also media coverage of recent high‐profile data

breaches has served to reinforce the connec on between data breaches and fraud

in the minds of consumers. Consumer trust is of paramount value for businesses,

and being compromised in a data breach puts these businesses at risk of losing

customers.

Businesses are being heavily targeted for financial account informa on by

criminals and hackers, which has contributed to the substan al growth of certain

types of iden ty fraud. Na onally, there was a drama c increase in the volume of

exis ng card fraud (ECF), which grew from $8 billion in 2012 to $11 billion in total

fraud losses in 2013.5 Examining the experiences of fraud vic ms in four major

metropolitan areas reveals that while there are some similari es related to

na onal fraud trends among vic ms in these separate regions, there are also

important dis nc ons among them.

Consumer awareness of breaches is on the rise, as all consumers, and fraud

vic ms specifically, were more likely to be no fied of a data breach in 2013,

compared with 2012.6 Given such awareness of imminent or poten al threat to

their iden es, consumers believe that taking appropriate steps to safeguard their

data will help with protec ng their iden ty. Unfortunately, certain remedies that

have been relied upon by affected organiza ons and promoted by government

officials are ineffec ve in the preven on of fraud in many cases, yet con nue to be

prescribed to vic ms.

4 2014 Iden ty Fraud Report: Card Data Breaches and Inadequate Consumer Password Habits Fuel Disturbing Fraud Trends, Javelin Strategy & Research, February 2014.

5 Ibid. 6Ibid.


6

Fraud vic ms themselves do not seem to discriminate between business

organiza ons and financial ins tu ons when assigning blame for a data breach. In

reac on to a data breach, vic ms will specifically avoid doing business with

affected organiza ons — diminishing the future profitability of these businesses.

And while vic ms hold all organiza ons involved accountable for informa on

compromise, they feel differently as to who is responsible for protec ng accounts

and undoing damage caused by fraud, based on whether their lost informa on

was compromised in a data breach or an event unrelated to a data breach.

According to vic ms, the government has a significant role to play and issues to

address in the fight against data breaches. Vic ms expect the federal government

to ensure that businesses adhere to data security standards, while at the same

me they believe that exis ng regula ons are generally insufficient. Tacit support

from vic ms for stronger federal protec ons has joined the chorus of voices from

the financial industry who had supported changes to previously proposed

legisla on. While the passage of a na onal data breach law has remained elusive,

the damage that breaches represent to the integrity of consumer iden es and

the success of businesses might prove too difficult for legislators to con nue to

ignore.


7

KEY FINDINGS

General While data breaches are the predominant source of misused creden als, data

breach no fica on might help prevent against mul ple fraud incidents.

Defrauded data breach vic ms overwhelmingly a ribute their fraud to the breach

of their creden als (61% say they are certain that this was the source of the

misused creden als). However, data breach vic ms are 15% less likely to suffer

mul ple fraud events compared with all fraud vic ms (50% vs. 59% suffered only

one fraud incident).

Nearly a third of fraud vic ms fails to take any ac on to prevent further fraud.

This means that vic ms are more likely to take no ac on than to respond to the

fraud in any other way. The second and third most common ac ons taken are

receiving email or mobile alerts about credit card or checking accounts (24%) and

pu ng fraud alerts on credit reports (23%).

Business Breaches gravely affect consumer confidence, especially for retailers. Six in 10

vic ms whose informa on was compromised in a retailer breach said their level of

trust in the retailer declined significantly. This diminished confidence is less for

vic ms of breached FIs (28% say their confidence declined significantly). Retailers

are also up against the lowest degree of confidence in their ability to protect

vic ms’ informa on in the future. Only 10% of vic ms whose PII was breached at

a retailer were very confident that the organiza on could protect them from

future fraud.

Large retailer breaches are a locus of data breaches and consumer fraud. Half of

defrauded data breach vic ms indicate that their informa on was compromised in

a large retailer data breach. Further s ll, among those defrauded data breach

vic ms who knew that breached informa on was used to commit the fraud, 33%

say that the informa on was compromised from this same segment of businesses.


8

Vic ms believe not only businesses but also FIs should be held accountable, with

1 in 5 vic ms avoiding doing business with these organiza ons a er his or her

informa on is breached. Fi y‐two percent of fraud vic ms believe businesses and

organiza ons should be held accountable in the wake of a data breach, and 48%

say the same of FIs. Nineteen percent of vic ms whose informa on was breached

at one of these loca ons say that they would avoid doing business with the

organiza on in the future.

Organiza ons should prepare for more stringent federal legisla on regarding

data protec on, and con nued consumer lawsuits. Just over a quarter of fraud

vic ms believe that current federal data security requirements are sufficient for

protec ng health care and financial data. This indicates there is poli cal will for

passing pending na onal legisla on for greater accountability for all custodians of

sensi ve PII. Vic ms also overwhelmingly believe that consumers should be able

to take legal ac on against breached organiza ons regardless of where their

informa on was breached.

Government Immediate and comprehensive data breach no fica ons are needed. While

nearly 9 in 10 vic ms believe that data breach no fica ons should be immediate,

most states make allowances for delayed no fica ons.7 Data breach no fica ons

offer an opportunity for organiza ons to educate affected consumers about the

circumstances of the breach, their effect on the integrity of consumers’ iden es,

efforts undertaken by the breached organiza on to protect their iden es going

forward, and how consumers can ul mately protect themselves. The current

patchwork of state laws and federal regula ons are proving insufficient as the

connec on between breaches and fraud has never been stronger and as

consumers vote with their wallet, changing their patronage behaviors postbreach.



9

Government should facilitate the coopera ve development of a clear, ac onable

set of data security best prac ces. The business community is well incen vized to

stand side‐by‐side with consumers in advoca ng for change. Among affected

industries, consumers indicate that they are most likely to lose trust in retailers

a er a breach. For this industry especially, in light of con nued media scru ny and

pressure from the financial industry and government officials, par cipa ng in

efforts to shape the na onal debate is crucial. Government must do more as only

28% of vic ms consider exis ng federal regula ons to be sufficient for protec ng

sensi ve informa on such as financial account data and protected health

informa on (PHI), yet 70% believe the federal government should be responsible

for ensuring that businesses meet data security standards.


10

METROPOLITAN AREA FRAUD VICTIM PROFILES The threat that data breaches represent to the integrity of consumer iden es is

not unique to any region of the country. Examining the experiences of fraud

vic ms in four metropolitan areas, though, reveals that while there are some

similari es among vic ms in these separate regions, there are also important

dis nc ons among them.

Javelin’s annual iden ty fraud study elucidates the strong correla on between

data breach and iden ty fraud. This connec on is prominent in the areas

highlighted in this study — in Los Angeles and Miami, 4 in 5 fraud vic ms had

received a breach no fica on. This effect is compara vely subtle in the Midwest

ci es — in Chicago a li le over 7 in 10 had received a breach no fica on, while in

Minneapolis 2 in 3 received a breach no fica on (see Figure 1).

4 in 5 Fraud Vic ms in Los Angeles and Miami Have Been No fied That Their PII Was Compromised in a Data Breach

Figure 1: Fraud Vic ms Who Received Data Breach No fica ons, by Metropolitan Area

72%

82%

66%

80%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Chicago Los Angeles Minneapolis Miami

Percent of fraud victims

May 2014, n = 50Base: Fraud victims by metropolitan area.

© 2014 Javelin Strategy & Research

Q8. Have you EVER been notified by a business or other institution that your personal or financial information has been lost, stolen or compromised in a data breach?


11

When it comes to informa on misuse, making quick purchases seems to be the

most effec ve way for criminals to use stolen informa on. In 2013, online

purchase (40% of fraud vic ms) and in‐store purchase (36%) were the leading

methods in which fraud vic ms’ informa on was misused, according to Javelin’s

annual ID fraud study.8 The same holds true for fraud vic ms in Chicago, Los

Angeles, Miami, and Minneapolis. While in Minneapolis, online purchase (50%)

trumps all other areas in the extent of vic ms affected by this method (See Figure

2), in‐store purchase seems to be the most common method for informa on

misuse in Los Angeles (44%) (See Figure 2).

Na onally, there was a drama c increase in the volume of ECF, with total fraud

losses growing from $8 billion in 2012 to $11 billion in 2013.9 And given the

prevalent misuse of compromised informa on for online and in‐store purchases

reported by fraud vic ms in Chicago, Los Angeles, Miami, and Minneapolis (see

Fraudulent Purchases Are the Most Common Means of Misuse, With Online Purchases Favored in the Midwest and In‐Person Transac ons More Popular on the Coasts

Figure 2: How Compromised Informa on Was Misused, by Metropolitan Area



8%

0%

2%

2%

2%

2%

6%

6%

4%

6%

34%

50%

20%

6%

10%

2%

6%

8%

6%

10%

10%

6%

39%

31%

13%

6%

4%

4%

4%

4%

2%

6%

15%

8%

44%

35%

11%

0%

0%

2%

2%

2%

2%

2%

9%

13%

28%

43%

0% 10% 20% 30% 40% 50% 60%

Another way

Make P2P transfers or payments

Buy prepaid cards

Obtain health care

Pay bills

Make ACH/wire transfers

Buy gift cards

Write checks

Withdraw cash from an ATM

Make purchases over the phone or through the mail

Make purchases in person

Make purchases online


Chicago

Los Angeles

Miami

Minneapolis



Q14a. You mentioned that the perpetrator misused your personal or account information. How was your information misused? Was it used to...?


12

Figure 2), it is not surprising that they were most likely to experience the same

type of fraud (see Figure 3). Vic ms in Chicago are affected the most by ECF, with

82% of vic ms, while Minneapolis vic ms arguably fare be er with 70% of vic ms

in the area having experienced ECF (see Figure 3).

Exis ng noncard fraud (ENCF), which also grew significantly na onally from 2012

to 2013,10 is the second most popular fraud type across all areas. A major

contributor to the growing incidence of ENCF is the confluence of poor password

habits and the exfiltra on of password lists by hackers. As consumers reuse

passwords across a greater number of online sites, their risk of fraud rises — when

passwords are compromised in a data breach, each password could expose

mul ple consumer accounts to unauthorized access.11 Among the areas examined,

fraud vic ms in Miami and Minneapolis were more likely to experience ENCF

compared with fraud vic ms in Los Angeles and Chicago (see Figure 3).

Tracking With Na onal Fraud Rates, Exis ng Card Fraud Most Likely to Plague Vic ms Regardless of Where They Live

Figure 3: Types of Fraud Experienced by Fraud Vic ms, by Metropolitan Area


11 Ibid.

82%76%

70%74%

38%42%

50% 50%

16%

30%

20%

36%

18%

26% 24%

50%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Chicago Los Angeles Minneapolis Miami


Existing card fraud Existing non‐card account fraud New‐account fraud Account takeover fraud



Q12A through Q12D: Thinking about the most recent fraud incident, what type of personal/financial information was misused?


13

THE DATA BREACH — IDENTITY FRAUD PARADIGM The days of Dumpster diving and pickpocke ng as mainstays of a fraudster’s PII‐gathering

efforts have come and gone. Personally iden fiable informa on stored and transmi ed by

organiza ons, regardless of industry, now a racts the a en on of skilled criminal

organiza ons around the world. Once in possession of this data, much of it can be readily

misused to commit fraud or, instead, sold or traded in underground forums to other

criminals for subsequent misuse. In 2013, nearly 1 in 3 data breach vic ms experienced

iden ty fraud.12 Yet not only has the actual connec on between data breaches and fraud

con nued to grow, but also media coverage of recent high‐profile data breaches has served

to reinforce the connec on between data breaches and fraud in the minds of consumers.

Although access to highly sensi ve or account‐specific PII might render criminals more

capable of perpetra ng fraud, the informa on they seek is not restricted to this data. Social

Security numbers are clearly the most comprised nonfinancial PII, especially at FIs (23% of

fraud vic ms and industries other than retailers (32%). However, less sensi ve, nonfinancial

PII such as full name and physical address is right at the top of personal informa on

compromised as reported by fraud vic ms across industries (see Figure 4).

The Proverbial ‘Keys to the Kingdom,’ Social Security Numbers Are the Most Compromised Type of Nonfinancial PII

Figure 4: Type of PII Breached and Misused, by Industry


12%

5%

4%

4%

9%

7%

11%

11%

12%

12%

7%

14%

16%

12%

18%

32%

11%

2%

2%

1%

2%

0%

1%

4%

6%

6%

5%

19%

15%

16%

22%

15%

16%

3%

3%

3%

4%

4%

4%

6%

12%

12%

12%

12%

14%

17%

22%

23%

0% 5% 10% 15% 20% 25% 30% 35%

Other 1

Military ID card

Username and password for nonfinancial Internet accounts such…

A passport

Mobile phone and personal details on the phone

Medical records

Health insurance information

Username and password for Internet payment accounts such as…

Email account and password such as that for Yahoo! Mail or Gmail

Driver's license number

Username and password for your online banking accounts

PIN on your credit card

ATM PIN on your debit card

Physical address

Full name

Social Security number


Financial institution

Retail

Other

May 2014, n = 57, 69, 96Base: Fraud victims whose misused information was

compromised at above types of organizations.© 2014 Javelin Strategy & Research

Q12A. Thinking about the most recent fraud incident you experienced, what type of financial information was misused?


14

Financial account informa on, though, is the most heavily targeted by criminals

and hackers (see Figure 5). This is unsurprising when considering that consumers

whose card data was compromised experienced exis ng‐card fraud (ECF) at a rate

nearly eight mes higher than that of all consumers (35.7% vs. 4.6%, respec vely).

The rela onship between breached cards and fraud is increasing, with consumers

whose credit or debit card number was breached in 2013 experiencing a 37%

higher fraud rate than those whose card numbers were breached in 2012 (see

appendix, Figure 22). This is not to say that breached SSNs are not of great value

to criminals. The the of SSNs places consumers at a substan al risk of fraud. SSN

breach vic ms experience new‐account fraud (NAF) at a rate nearly 18 mes

higher than that of all consumers.13

Card Data Is the Foremost Target for Data The and Subsequent Misuse

Figure 5: Type of Financial Account Informa on Breached and Misused, by Industry


19%

9%

9%

12%

16%

14%

25%

35%

5%

1%

16%

4%

6%

10%

27%

41%

7%

7%

12%

12%

12%

16%

29%

41%

0% 10% 20% 30% 40% 50%

Other

Another type of financial account (investment account /retirement account / insurance account / car loan / student…

A store credit or debit card account number

Other types of payment card number (gift card / prepaid card)

An Alternative payments provider such as PayPal, Amazonpayments, Google Checkout

A bank account number (including checking, savings, or moneymarket account)

A debit card account number issued by my bank

A major credit card account number issued by my bank


Financial institution

Retail

Other



Q12A. Thinking about the most recent fraud incident you experienced, what type of financial information was misused?


15

Late 2013 saw a rash of major retailer breaches, including those at Michaels,

Neiman Marcus, and Target, where millions of records were compromised.14 It is

not surprising that large retail merchant leads the list of organiza ons where

consumers’ informa on was compromised (50%). A distant second on this list is

the credit card issuer (22%), followed by consumers’ primary bank (16%).

This contrasts significantly with consumer percep ons before the aforemen oned

major retailer breaches, in which it was believed that the majority of breaches

occurred within the financial industry.15 Given the high‐profile nature of these

breaches, the responsibility for these breaches was readily apparent to

consumers. In previous retailer breaches, which received negligible media

coverage, consumers might have been confused by FI and card issuer no fica on

efforts designed to prepare them for card reissuance or a reduc on in transac on

approvals, and mistakenly assigned responsibility for breaches to FIs or card

issuers.16

Large Retailers Are the Locus of the Highest Rate of Breach No fica ons

Figure 6: Type of Organiza on Where Informa on Was Compromised

14 h p://www.ny mes.com/2014/04/19/business/michaels‐stores‐confirms‐breach‐involving‐three‐million‐customers.html?_r=0, accessed June 2, 2014.

15 2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Ins tu ons Take the Bullet, Javelin Strategy & Research, June 2014.

16 Ibid.

4%

4%

4%

5%

5%

5%

5%

5%

6%

7%

7%

8%

8%

8%

14%

16%

22%

50%

0% 10% 20% 30% 40% 50% 60%

Other organization

Virtual wallet provider

Small retail merchant

Restaurant or hotel

Cloud application

Online gaming site

Small online‐only merchant

Social networking site

University

Alternative payment provider

Government agency

Another financial institution

Large online‐only merchant

Gas station

Healthcare provider

Primary financial institution

Credit card issuer

Large retail merchant

Percentage of data breach victims

Q8b: Please indicate the type of organization where your information was compromised or stolen.

May 2014, n = 150Base: Fraud victims whose information was

compromised in a data breach.© 2014 Javelin Strategy & Research


16

Although almost half of fraud vic ms don’t know where the informa on used in

the most recent fraud incident was compromised (49%), this is especially true for

vic ms of events that were unrelated to a data breach such as a stolen device or

wallet (88%), (see Appendix, Figures 20 and 21, respec vely). Unfortunately, those

vic ms who are unaware of how their data was compromised were not in a

posi on to react un l they were no fied of the fraud — they could not take

immediate steps, a er the loss of their PII, to protect their iden ty nor could they

prevent the con nued the of their PII from the compromised source.

Data breach vic ms, on the other hand, are more aware of their informa on

compromise and related misuse, which might be due to breach no fica ons sent

by the concerned organiza ons (see Appendix, Figure 21). Presumably, this

contributes to data breach vic ms being less likely to suffer mul ple fraud

incidents compared with non‐data breach vic ms (41% are data breach vic ms

experience mul ple fraud incidents vs. 50% of non‐data breach vic ms), (see

Figure 7), because knowing where the breach occurred and what informa on was

compromised helps consumers take steps to help prevent future fraud.

Consumers Whose Informa on Was Compromised in a Data Breach Are Less Likely to Suffer From Mul ple Fraud Incidents

Figure 7: Number of Iden ty Fraud Occurrences for Data Breach Vic ms and Non‐Data Breach Vic ms

59%25%

9%

7%

50%

26%

20%

4%

1 time

2 times

3 times

Data Breach Victims Non‐Data Breach Victims

Q10. How many times have you been a victim of identity fraud?

May 2014, n = 50, 150Base: Fraud victims who are also data breach victims,

fraud victims who are not data breach victims.© 2014 Javelin Strategy & Research


17

HOW CONSUMERS REACT TO FRAUD It might be intui ve to think that once defrauded, vic ms would go overboard

with preven ve measures to avoid future informa on compromise. However,

nearly 1 in 3 vic ms took no ac on a er fraud occurred (see Figure 8). Of the

many op ons available to vic ms to help protect their iden ty, ac vely

monitoring financial accounts seems to be some of the most popular steps taken

toward preven on as vic ms are most likely to sign up for ac vity alerts from their

banks (24%) and begin using online banking (18%) (see Figure 8).

1 in 3 Vic ms Refrains From Taking Any Ac on A er Vic miza on

Figure 8: Ac ons Taken by Vic ms as a Result of Experiencing Iden ty Fraud

32%

10%

11%

12%

13%

14%

16%

18%

23%

24%

0% 5% 10% 15% 20% 25% 30% 35%

You have taken no actions as a result of the fraud

You now use two‐factor authentication for logging in to your financialaccounts/social networking websites

You put a security freeze on your credit report

You spend less money online

You avoid online registration requiring personal information.

You avoid certain merchants

You installed antivirus, anti‐spyware or a firewall on your computer

You use online banking.

You put fraud alerts on your credit reports

You receive email or mobile alerts about your credit card or checkingaccount


May 2014, n = 200Base: All fraud victims.


Q19. As a result of being a fraud victim, are any of the following statements true of you? Top ten options shown


18

Especially clear is consumers’ low level of awareness of where to obtain assistance

a er they’ve been vic mized. Although banks and credit card companies are the

clear favorites among fraud vic ms, just over 2 in 5 vic ms contacted these

organiza ons (44% and 43%, respec vely) for advice, help, or more informa on.

Interes ngly, contac ng the bank or a credit card company is more popular

among vic ms whose PII was breached at a retailer than vic ms whose PII was

breached at a FI (50% vs. 41%, respec vely). Among vic ms who contacted these

two agencies, sa sfac on remains high (59% and 70%, respec vely). Conversely,

the propor on of fraud vic ms who contacted law enforcement, a credit

monitoring service, or a federal agency is way lower — at 13%, 12%, and 10%,

respec vely‐‐and vic ms are more likely to contact these agencies when their

breach occurred at organiza ons other than FIs or retailers (see Figure 9).

Vic ms Contact FIs and Credit Card Companies for Pos raud Assistance

Figure 9: Agencies Contacted A er Fraud by All Fraud Vic ms and Vic ms Whose PII Was Breached, by Type of Organiza on Where Breach Occurred

2%

16%

25%

25%

25%

11%

30%

39%

44%

4%

3%

8%

13%

10%

11%

17%

46%

50%

4%

9%

12%

13%

13%

12%

17%

41%

41%

3%

6%

10%

12%

13%

14%

17%

43%

44%

0% 10% 20% 30% 40% 50% 60%

Another organization

Local or state government agency such as the State Department ofMotor Vehicles, State Attorney General's Office, etc.

A federal agency such as the Federal Trade Commission, IRS, orSocial Security Administration

A credit monitoring or identity protection service provider such as:Identity Guard, LifeLock, etc.

Local or state law enforcement agency

I did not reach out to any organizations after discovering I was avictim of identity fraud

A credit bureau such as: Experian, Equifax, TransUnion, or Innovis

Your credit card company

Your bank or credit union


All fraud victims

Breached at a financialinstitution

Breached at a retailer

Breached at anotherorganization

May 2014, n = varies 69 to 200Base: All fraud victims, fraud victims by type of

organization where information breached.© 2014 Javelin Strategy & Research

Q16. After discovering you were a victim of identity fraud, did you reach out to any of the following organizations for assistance, advice, or additional information?


19

Consumer trust is of paramount value to businesses, and being compromised in a

data breach definitely puts these businesses at risk of losing customers. Fourteen

percent of vic ms said they avoid certain merchants (see Figure 8), while nearly 6

in 10 vic ms said their trust in retailers has significantly decreased a er their

informa on was compromised (see Figure 10). Evidence can be found in the 2013

Target breach, which shook the core of the company as its stock price plummeted

and key execu ves resigned in an effort to show responsibility and maintain

consumer trust.17

When Breached Informa on Is Used to Commit Fraud, Vic ms Are Most Likely to Lose Trust in Retailers

Figure 10: How Fraud Affected Data Breach Vic ms’ Level of Trust, by the Industry Where Breach Occurred


48%

28%

59%

0% 10% 20% 30% 40% 50% 60% 70%

Other type of organization

FI or financial service provider

Retailer


Q21. How has your most recent fraud incident impacted your level of trust with the organization where your information was compromised? “Somewhat decreased” and “significantly decreased” shown.




20

In addi on to losing the most trust in the wake of a data breach, retailers also

fared poorly compared with FIs or other organiza ons when it came to fraud

vic ms’ expecta ons that the organiza on would be able to protect their data in

the future (10% vs. 24% vs. 26%, respec vely) (see Figure 11). In the wake of

recent high‐profile breaches, it’s clear that retailers have a long and hard ba le

ahead of them to regain consumer trust and confidence.

Vic ms Are Also Least Confident That Retailers Can Protect Their Infor‐ma on in the Future

Figure 11: Data Breach Fraud Vic ms’ Level of Confidence That the Industry in Which Breach Occurred Could Protect Them From Future Fraud

26%

24%

10%

0% 5% 10% 15% 20% 25% 30%


FI or financial service provider

Retailer


Extremelyconfident

Q26. How confident are you that this organization can protect you from fraud in the future?




21

VICTIMS’ EXPECTATIONS Consumer awareness of breaches is on the rise, as all consumers, and fraud

vic ms specifically, were more likely to be no fied of a data breach in 2013,

compared with 2012 (32% vs. 12% and 68% vs. 51%, respec vely).18 Given such

awareness of imminent or poten al threat to their iden es, consumers believe

that taking appropriate steps to safeguard their data will help protect their

iden ty. According to fraud vic ms, electronic monitoring of financial accounts

(46%) and their credit card company’s fraud detec on system (44%) prove to be

the two most effec ve ac vi es in preven ng ID the , placing almost the same

level of responsibility on themselves and their credit card company (see Figure

12).

Interes ngly, fraud vic ms believe signing up for an iden ty protec on service is

the least effec ve method — only 23% of vic ms picked this ac vity — to prevent

ID the , with vic ms in Minneapolis the least convinced of this op on (12% of

Electronic Monitoring Considered Most Effec ve at Fraud Preven on

Figure 12: Perceived Effec veness of Fraud Preven on Ac vi es Among All Fraud Vic ms and by Metropolitan Area


12%

16%

30%

36%

30%

34%

36%

36%

44%

30%

26%

44%

42%

38%

44%

44%

48%

44%

30%

26%

42%

42%

46%

42%

50%

46%

52%

18%

26%

28%

26%

32%

34%

26%

44%

42%

23%

24%

36%

37%

37%

39%

39%

44%

46%

0% 10% 20% 30% 40% 50% 60%

Using an identity protection service

Turning paper statements off to avoid mail theft

Reviewing your credit report regularly

Monitoring financial accounts and bills through review of paperstatements

Using fraud alerts on your credit report and bank accounts

Shredding paper statements

Your primary bank's fraud detection systems

Your credit card company's fraud detection system

Monitoring accounts through the Internet, mobile devices, orother electronic means


All fraud victims Chicago Los Angeles Miami MinneapolisMay 2014, n = varies 50 to 200Base: All fraud victims, fraud victims by metropolitan area.


Q24a. In your opinion, how effective are the following activities in helping consumers like you protect their identity? Very to extremely effective shown.


22

fraud vic ms). Yet despite this percep on, providing or subsidizing these services

has become a remedy that government officials are pressing breached

organiza ons to offer. In many cases vic ms might be er understand the value of

these services through experience, as commonly prescribed credit monitoring is of

li le value in preven ng fraud related to breached credit and debit cards.19

Fraud vic ms do not seem to discriminate between businesses and FIs when

assigning blame for a data breach. While 52% of vic ms consider businesses to be

responsible for data breaches, 48% blame FIs (see Figure 13). This is true even

among vic ms whose PII was breached at a FI (51% believe FIs should be held

accountable and 46% believe retailers should be held accountable) and those

whose PII was breached at a retailer (45% believe FIs should be held accountable

and 51% believe retailers should be held accountable). Regardless, government

agencies get the least of the blame, with only 24% of vic ms holding them

accountable for a breach (see Figure 13).

Vic ms Believe All Organiza ons Should Be Held Accountable and Some Would Vote with Their Wallets

Figure 13: Industries That Should Be Held Accountable and Business Avoidance Postbreach, by Fraud Vic ms Whose Informa on Was Breached at FIs, Retailers, and

Other Organiza ons


25%

30%

44%

65%

65%

11%

19%

23%

45%

51%

17%

19%

28%

51%

46%

13%

19%

24%

48%

52%

0% 20% 40% 60% 80%

I avoid doing business with similar organizations to the one/thosewhere my personal information was breached

I avoid doing further business with the organization(s) where mypersonal information was breached

The government should be held accountable in the wake of adata breach / ID Fraud

Financial institutions should be held accountable in the wake of adata breach

Businesses and organizations should be held accountable in thewake of a data breach


All fraud victims

FinancialinstitutionRetailer

May 2014, n varies 57 to 200Base: Fraud victims whose misused information was


Q27. Please read each of the following statements carefully, and indicate your level of agreement on a scale of 1 to 10, where 1 = strongly disagree and 10= strongly agree. 9‐10 shown.


23

While fraud vic ms hold all organiza ons involved accountable for informa on

compromise, they feel differently based on whether the informa on was lost due

to a data breach or an event unrelated to a data breach. Data breach vic ms are

not only more likely to consider the breached organiza on responsible for

protec ng their accounts compared with non‐data breach vic ms (49% vs. 40%),

but they are also more likely to hold their FIs responsible for account protec on

(40% vs. 28%) (see Figure 14).

Data Breach Vic ms Are More Likely to Believe That Breached Organiza ons as Well as Their Banks Are Responsible for Protec ng Accounts

Figure 14: Organiza ons That Should Be Held Responsible for Protec ng Accounts During Recent Fraud, According to Non‐data breach Vic ms and Data Breach Vic ms

36%

28%

42%

40%

36%

40%

45%

49%

0% 10% 20% 30% 40% 50% 60%

You

Your bank

Your payment card company

The organization/website from which your information wasstolen or compromised


Data breach victims

Non‐data breachvictims

Q29. Which of the following would you say were responsible for protecting your account in your most recent fraud incident?




24

When it comes to restoring their iden es and lost funds, data breach vic ms

maintain that breached organiza ons are responsible (53% of breach vic ms vs.

38% of nonbreach vic ms), while non‐data breach vic ms say payment card

companies are responsible (49% of breach vic ms vs. 60% of nonbreach vic ms)

(see Figure 15).

Data Breach Vic ms Would Like to See Breached Organiza on Restore Lost Funds; Non‐data breach Vic ms Say Card Companies Should Instead

Figure 15: Organiza ons That Should Be Held Responsible for Restoring Iden ty A er Recent Fraud, According to Non‐data breach Vic ms and Data Breach Vic ms

36%

46%

60%

38%

25%

47%

49%

53%

0% 20% 40% 60% 80%

You

Your bank

Your payment Card Company

The organization/Website from where your information wasstolen or compromised


Data breach victims

Non‐data breach victims

Q29b. Which of the following would you say were responsible for restoring your identity and lost funds in your most recent fraud incident?




25

Consumer pa ence seems to be a thing of the past as an overwhelming number of

fraud vic ms believe they should be able to take legal ac on against companies

where their informa on was breached (64%), (see Figure 16). Furthermore, this

sen ment is consistent regardless of where the informa on was breached — 64%

of FI breach vic ms, 66% of retailer breach vic ms, and 70% of another

organiza on breach vic ms believe this is important.

Regardless of Where Informa on Was Breached, Vic ms Believe Consumers Should Be Able to Take Legal Ac on

Figure 16: Agreement With Statement, by Type of Organiza on Where Informa on Was Breached

70%

64%

66%

60% 62% 64% 66% 68% 70% 72%

Breached at another type oforganization

Breached at a financial institution

Breached at a retailer

Percent of fraud victimsQ30: Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 4 – strongly agree. Consumers should be able to take legal action against companies where their information is breached.

Options 4 and 5 shown.




26

Data breaches can a ract a constant stream of class‐ac on lawsuits from

consumers and businesses. For example, the Target breach has spawned 90

lawsuits.20 Moreover, as consumer awareness increases, the difference in the level

of consumer protec on and ac on by organiza ons can be seen when contras ng

the Target breach with the earlier, prolific breach of TJX.21 In 2008, TJX provided

credit monitoring services only to vic ms who faced a higher risk of ID the . In

2013, Target provided this service to all customers, whether they were vic ms or

not, due to consumer backlash and government pressure.22

Fraud Vic ms Favor Legal Ac on Against Breached Organiza on

Figure 17: Fraud Vic ms’ A tudes Regarding Data Breaches

20 h p://www.businessweek.com/ar cles/2014‐03‐13/target‐missed‐alarms‐in‐epic‐hack‐of‐credit‐card‐data, accessed June 13, 2014.


22 Ibid.

28%

44%

64%

67%

70%

84%

85%

0% 20% 40% 60% 80% 100%

The current federal data security requirements are sufficient forprotecting health care and financial data

Breached organizations should notify consumers of a data breachonly when there is potential for harm stemming from the breach

Consumers should be able to take legal action against companieswhere their information was breached

Breached organizations should be required to notify the media

The federal government should be responsible for ensuring thatbusinesses adhere to data security standards, regardless of the…

Breached organizations should notify consumers whenever adata breach occurs no matter what

Breached organizations should be required to notify creditreporting agencies if there is a possibility that the stolen…




Q30. Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 5 = strongly agree. 9‐10 shown.


27

Although vic ms don’t hold government responsible for a breach, they do,

however, expect federal government to ensure that businesses adhere to data

security standards (70%), (see Figure 17). Na onal data breach legisla on is

supported by the financial industry, which is calling for greater accountability from

industries that store or transmit sensi ve PII and financial account data. The

financial industry’s recommenda ons are geared toward retailers, and industry

groups — including the Independent Community Bankers of America and the

Na onal Associa on of Federal Credit Unions — are leading the lobbying effort to

amend pending na onal legisla on to reflect these recommenda ons.23

Businesses need to be aware of these ini a ves and how consumer

percep on of exis ng legisla on has created a climate in which proposed

na onal legisla on is likely to become law. Consumers are ji ery about

sharing their PII with organiza ons — only 28% of vic ms believe that

current federal data security requirements are sufficient for protec ng their

data (see Figure 17). This is especially true for Minneapolis, where only 16%

of vic ms believe they are adequate (see Figure 18).

Fewer Than 2 in 5 Fraud Vic ms in Any Metro Area Surveyed Consider Federal Legisla on Sufficient to Protect Consumer Data

Figure 18: Agreement With Statement, by Metropolitan Area

23 h p://www.nafcu.org/datasecurity/, accessed May 18, 2014.

16%

28%

30%

36%

0% 5% 10% 15% 20% 25% 30% 35% 40%

Minneapolis

Chicago

Miami

Los Angeles


Q30: Please indicate the degree to which you agree or disagree with the following statements on a scale of 1 to 5 where 1 = strongly disagree and 5 = strongly agree. The current federal data security requirements are sufficient for protecting health care and financial data. Options 4 and 5 shown.




28

The circumstances under which consumers must be no fied of a breach

varies, but these no fica ons offer an opportunity for organiza ons to

educate affected consumers on the circumstances of the breach, their effect

on the integrity of their iden es, efforts undertaken by the breached

organiza on to protect their iden es going forward, and how consumers

can ul mately protect themselves. Consumers clearly want to be in the know

in case of a breach. While a li le over 2 in 5 vic ms believe that consumers

should be no fied only when a breach has poten al for harm, an

overwhelming number of vic ms (84%) believe that breached organiza ons

should no fy consumers no ma er the circumstance (see Figure 17). In

addi on, fraud vic ms also believe that breached organiza ons should no fy

credit repor ng agencies (85%) and the media (67%) (see Figure 17).

Fraud Vic ms Overwhelmingly Prefer Speedy No fica on When It Comes to Data Breach

Figure 19: When No fica on Should Be Provided A er a Data Breach, by Fraud Vic ms

2%

1%

0%

1%

11%

86%

0% 20% 40% 60% 80% 100%

I have no opinion on how soon customers should be notified

Customers should be notified only once the source of the breach has beenthoroughly investigated

Customers should be notified within 12 months, no matter what

Customers should be notified within 90 days, no matter what

Customers should be notified within 30 days, no matter what

Customers should be notified immediately, no matter what




Q31. Considering that a business or organization is required to notify affected customers of a data breach, how soon after a breach is confirmed should customers be notified?


29

When no fying consumers of a breach, speed is of the essence. This is not a

new cri cism — a er TJX disclosed the details of its breach in 2007, it was

heavily cri cized by analysts, the media, and consumers alike for holding

back informa on.24 Eighty‐six percent of fraud vic ms believe consumers

should be no fied immediately no ma er what (see Figure 19), providing the

breach organiza ons a significant opportunity to maintain the rela onship

postbreach by dispelling any misinforma on related to the event, reassuring

consumers that the organiza on is now secure, and detailing best prac ces

to prevent iden ty fraud. How and when consumers are no fied can

contribute to their percep on of an organiza on a er a breach, and

organiza ons that wish to maintain a posi ve rela onship with consumers

should ensure transparent and immediate no fica on.



30

METHODOLOGY In March 2014, the Na onal Consumers League retained Javelin Strategy &

Research to conduct a comprehensive research study on data breach and fraud

vic ms’ experiences, behaviors, and a tudes. The NCL conducted an online

survey of 200 fraud vic ms in the Chicago, Los Angeles, Miami, and Minneapolis

metropolitan areas. The results of this study are not na onally representa ve and

cannot be extrapolated to groups outside fraud vic ms in these four metropolitan

areas. The overall margin of sampling error is +/‐ 6.93 percentage points at the

95% confidence level. The margin of error is larger for subsets of respondents.


31

APPENDIX

Nearly Half of Consumers Do Not Know Where the Informa on Used to Defraud Them Was Compromised

Figure 20: Type of Organiza on Where Informa on Was Compromised, by Most Recent Fraud incident

Majority of Those Who Are Not Aware of the Loca on of Compromise Are Non‐data breach Vic ms

Figure 21: Informa on Compromised in Most Recent Fraud Incident, by Vic m Type

2%

6%

1%

1%

1%

2%

2%

2%

2%

2%

2%

3%

3%

4%

7%

15%

49%

0% 10% 20% 30% 40% 50% 60%


My information was compromised in an event other than a data breach

Small retail merchant

Large online‐only merchant

Online gaming site

Virtual wallet provider

Small online‐only merchant

Social networking site

Another financial institution

Restaurant or hotel

Gas station

Health care provider

Government agency or office

Primary financial institution

Credit card issuer

Large retail merchant

I do not know where my information was compromised

Percent of fraud victimsQ13. To the best of your knowledge, where was the information used in your most recent fraud incident compromised?



0%

61%

88%

35%

12%

4%

0% 20% 40% 60% 80% 100%

Non‐data breach victims

Data breach victims


My information wascompromised in adata breach

I do not know wheremy information wascompromised

My information wascompromised in anevent other than adata breach



Q13. To the best of your knowledge, where was the information used in your most recent fraud incident compromised?


32

Fraud Incidence is Increasingly Correlated with Card Breaches

Figure 22: Rate of Fraud Vic miza on by Type of Data Breached

28.2%

24.3%

37.1%

27.7%

38.6%35.1%

45.7%

16.1%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Your credit card and/ordebit card number

Your credit card number Your debit card number Your Social Securitynumber

Percent of data breach victims

2012

2013

October 2012 ‐ 2013, n varies 75 ‐ 320 Base: Data breach victims in the past 12 months by type of information breached.


Q5: How long ago did you discover that your personal or financial information had been misused?In the past 12 months.


33

ABOUT JAVELIN Javelin Strategy & Research, a division of Greenwich Associates, provides strategic

insights into customer transac ons, increasing sustainable profits and crea ng

efficiencies for financial ins tu ons, government agencies, payments companies,

merchants, and other technology providers. Javelin’s independent insights result

from a uniquely rigorous three‐dimensional research process that assesses

customers, providers, and the transac ons ecosystem.

Authors: Al Pascual, Senior Analyst, Fraud & Security

Publica on Date: June 2014

Editor Oie Lian Yeh

ncl consumer data insecurity report: examining data breaches june 2014

Government & Nonprofit