What is the difference between a data breach and identity theft? In the media, many people toss around these terms willy-nilly. They are connected, of course, but understanding the difference is important for understanding your IT liabilities.
- Data breach = unintentional disclosure of private information. Private information (PI) is generally defined as any combination of names, addresses, logins, passwords, financial information, credit card info, PINs, and related data. Data breaches are when this PI is exposed. A breach can be caused by malware, hacks, lost or stolen devices, and accidents (like attaching the wrong document to an email).
- Identity theft = the use of stolen data. Identity theft is the next step after a data breach. Criminals use stolen data to make purchases or steal directly from bank accounts.
In other words, breaches mean that someone had access to your data. Identity theft, on the other hand, is the use of that data to commit theft.
Just in Time for Tax Season: Accidental Data Breach at the IRS
Sometimes big data breaches come from silly mistakes. Take, for example, the recent NBC News story of an IRS employee who exposed 20,000 IRS workers' private data.
The employee downloaded files to his thumb drive, which is against protocol. But the real kicker was that he took the thumb drive home and plugged it into his personal computer. To the average computer user, this might not seem like a heinous crime. Hey, the guy brought his work home with him! That's a good thing, right? Nope. It's a major data security blunder.
In effect, the IRS employee took secured data and moved it to an unsecured network. Even though the IRS has no evidence that anyone downloaded or used the data, it still has to alert each of the 20,000 employees affected by the breach.
In this example, there was a breach, but no identity theft. And the breach was caused by a simple human error.
Data Breach: an IT Firm Example
Say one of your employees downloads client data onto a thumb drive (or mobile device) and uses it on an unsecured network. This is technically a data breach. Depending on your client's industry, this can also be a breach of their professional obligations and confidentiality requirements. These simple mistakes can lead to a lawsuit filed against your firm. Fortunately, Errors and Omissions Insurance can cover these and other employee errors that lead to ID theft and data breaches.
Who Stole My Data? Multiple Criminals Are Involved in Each Data Breach
The IRS example was a simple case of a breach with no identity theft. Now let's look at what happens when stolen data actually leads to stolen money.
Data breaches are a bit more complicated than people think. In fact, stolen data usually passes through the hands of various criminals before someone tries to use it to make a purchase. Here's a step-by-step breakdown of what might happen in an identity theft case:
- Data is exposed. Hackers get access to your data. Maybe they use a phishing email to install malware on your network. Maybe they use an exploit that’s common with the old versions of software you forgot to upgrade.
- Data is sold. After data is stolen, criminals try to sell it on the black market. There is a secret "Deep Web" or "Dark Web" not accessible to standard Internet users. On this black market, criminals buy and sell stolen data, a few dollars for each record. (For more on the underground market for stolen data, see "What IT Businesses Need to Know about the Future of Identity Theft.")
- Data is used for identity theft. The criminals who buy your stolen data will attempt to use it to make purchases. Often, criminals will encode fake credit cards with stolen data and see if they can get away with using them to make small purchases that a credit card company might not notice. Other criminals use personal information to apply for credit cards, loans, and other financial services under someone else's name.
However, thieves often can't sell every stolen record on the black market. Furthermore, the criminals who buy stolen records are sometimes unable to use the information successfully to steal money. For this reason, not every record lost in a data breach leads to an actual identity theft. A data breach might involve 10,000 stolen records, but only 100 cases of identity theft.
How Do Credit Card Companies Prevent Identity Theft?
After the Target data breach, the major credit card companies were on high alert, checking their clients' activity for any sign of fraudulent purchases. This is standard protocol after a data breach.
While some people think that banks will replace credit cards after a breach, that's actually not true of big data breaches (like the ones at Target and Neiman Marcus). Replacing each card costs a credit card company $10 to $20. If millions of people have been affected by a data breach, banks aren't willing to shell out that kind of cash.
(For an analysis of your responsibilities after a data breach, see our Data Breach Response Guide.)
How Understanding Data Breaches Can Protect You from Lawsuits
Understanding the difference between a data breach and identity theft and communicating this to your clients is a smart business practice.
Most people hear "data breach" and they think some spikey-haired punk in Moscow is trying to buy a plane ticket to Bermuda. That kind of data breach happens. But many breaches are accidents. And many breaches won't lead to identity theft.
Make sure your clients understand the following:
- Timing is key. Knowing about a data breach early gives you time to monitor credit and prevent identity theft. Then you can minimize the number of ID theft cases and minimize the damages. Delays in a response only make the breach more expensive.
- Employee errors are a major cause of data breaches. Attaching the wrong document, taking a file home, opening an email laced with malware – these are all mistakes that any employee can make. Unfortunately, they can lead to data breaches. (For more about how common employee missteps can lead to major lawsuits, see "The Million-Dollar Client Conversation.")
By understanding the subtleties of a breach and communicating them to a client, you might be able to nip some data breaches in the bud or teach a client’s employees to avoid common mistakes that could lead to a lawsuit.
To learn more about covering your data breach liabilities, see our other blog posts on IT Errors and Omissions Insurance.