The most recent data breach from a Hawaii public institution — the East-West Center — highlights a common fallacy that data breaches cannot be avoided. It also underscores the need for breaching institutions to take responsibility for their actions.
The Privacy Rights Clearinghouse and DataLossDB.org estimate that, since 2005, more than 525 million records containing sensitive personal information have been compromised due to breaches in the United States.
The cost to businesses and consumers is astronomical. The Digital Forensics Association estimates that the total cost of these breaches since 2005 comes to more than $156 billion.
It is true that data breaches may occur. But they are less likely to occur when institutions that have access to our private information implement common-sense procedures to protect that information.
According to the Verizon 2010 Data Breach Notification report, 98 percent of all data breaches were through server exploits and hacking. Most alarming is that 96 percent were avoidable through simple steps and internal controls. Outdated information technology management and tools are most often pointed to as the cause of the problem.
And what about the victims?
Victims of data breaches are far more likely to become the victims of identity theft and fraud than other consumers, according to Javelin Strategy & Research. About 4 percent of consumers are victims of fraud, but if you are a victim of a data breach, that risk rises fourfold to 17 percent.
The potential for identity theft extends far beyond the immediate exposure. As the East-West Center correctly noted in its letter to its breach victims, a "victim’s personal information is sometimes held for use or shared among a group of thieves at different times." In other words, it may happen years later.
Unfortunately, the East-West Center placed responsibility back on the victims themselves by urging that they periodically check their credit reports and other financial statements.
Such spot checks can only detect fraud that occurs that day. Other self-help procedures offered by the center are also inadequate.
What the East-West Center should do is offer its victims credit monitoring and fraud restoration services. These continual monitoring services are the only means to ensure that data breach victims do not become identity theft victims, according to the Javelin Institute.
The victims in this case happen to be prominent business and governmental leaders. Hopefully, they will ensure that their own institutions upgrade their information technology systems and that, if a data breach occurs, victims are given appropriate protective services.