1. Not “If” but “When”
WHAT BUSINESSES SHOULD KNOW ABOUT
THE IMPACT OF IDENTITY THEFT ON
CONSUMERS
Paula Pierce
P. Pierce Law, P.C.
www.ppiercelaw.com
512-850-4808
#IDTheft
2. About the speaker:
Paula Pierce has been assisting identity theft victims since 2005,
when President George W. Bush authorized the U.S. Department of
Justice to fund four organizations to identify strategies for helping
identity theft victims.
4. A Brief History of Recent Equifax Breaches
• 2016 – Security researcher xOrz reports XSS vulnerability on Equifax’s
main website – exposing customer user names, passwords & data.
As of 9/8/17 it still wasn’t fixed.
• 5/2016 – Information of 430,000 people stolen because of “lax”
security. Court orders Equifax to stop using SSNs/DOBs as PINs to
access PII.
• 1/2017 – PII of undisclosed number of Lifelock customers leaked by
Equifax.
5. . . . . . . .
• 5/2017 – Equifax reports hack of tax information of an undisclosed
number of individuals from its payroll service. Caused by failing to
install the same security patch involved in the current breach.
• 9/2017 – Equifax reports compromise of 143,000,000 individuals’ files
including SSNs, DOBs, addresses & DL#s + theft of credit card #s of
209,000 people
• 10/2017 – Equifax adds another 2M victims to the count – 145,500,000
consumers affected. (Doesn’t include the 700k+ Canadians & Britons
whose information was also hacked.)
6. What Happened?
Failed Security 101: Equifax was running
outdated systems and routinely failed to install
software security patches.
7. Post Event Failures
• Breach discovered in July and not reported until September.
• Violation of Texas breach notification law: Tex. Bus. &
Comm. Code § 521.053(b).
• Notify persons whose information was compromised “as quickly as
possible.”
• Exception: If law enforcement asks company to delay notification.
• If individual notice is too expensive, can set up a website for
notification.
• 48 states & DC have similar breach notification laws.
8. . . . . . . .
• Initial consumer site didn’t work.
• Second try – offered 1 year of monitoring – if consumer
waived right to participate in class action suits and agreed
to arbitration.
• Third try – removed class action and arbitration provisions –
requires consumers to enter some of the stolen information
and doesn’t provide anything relevant in return.
• Tells everyone their information “may” have been
impacted.
9. Not if, but when . . .
• BJS – 17.6 million Americans had identities
stolen in 2014
• Up from 9 million in 2010
• FTC – Texans are disproportionately affected
12. How do I know if I’m a victim?
• Check your credit reports
• Pay attention to mail from bill collectors
• If you start receiving calls from bill collectors or companies you don’t
do business with
• Check credit card & bank statements every month
• If your bank account is suddenly overdrawn
• If you receive a letter saying a warrant is out for your arrest for a
crime you did not commit
• Fail a criminal background check
• Your license is flagged when you go to renew it
13. Who are victims?
• All ages; although, statistically age 25-35 are at greatest
risk due to data breach.
• All races, all incomes.
• States along drug & human trafficking routes are
disproportionately affected.
• Elderly disproportionately affected by phishing scams.
• Family violence victims also disproportionately affected.
14. Why do they yell at my customer
service reps?
• IDT is intimate – it’s one thing to steal your money entirely another to
steal who you are.
• Recovery is stressful. No one is helpful or cooperative.
• It’s the crime that keeps on keeping on. It’s never over.
• Victims of extensive IDT have symptoms of PTSD: sleep disturbance,
eating disorders, clinical depression.
• Marriages break up, relationships suffer, jobs lost
18. Stop the Damage
• Change account numbers
• If check fraud, ask your bank to put you in the CANS
(Closed Account Notification System)
• Set a fraud alert by calling one of the credit bureaus
• Get a credit freeze if you are not going to use your
credit any time soon
19. Report the Crime
1. Go to www.ftc.gov/idtheft and make a report online,
print it, sign in front of a notary, make lots of copies –
this is now an IDT affidavit
2. Report to your local police – where you live NOT
where the impostor is using your identity
3. Report to other places, e.g., SSA, US Postal
Inspector, IC3, Secret Service, NOT FBI
21. If it’s not in writing, it doesn’t count!
• Do everything in writing! And always attach:
• Proof you made a police report
• Copy of your government issued ID
• Copy of the ID theft affidavit (FTC report signed in
front of a notary)
22. Who to write & what to say
• Who to write?
• Credit bureaus
• Businesses that gave credit to impostor
• Collectors who contact you
• What to say:
• Accounts were made by an impostor, demand they be closed
and that your identity be taken off of them
• Tell businesses to send you copies of account documents
• Tell credit bureaus to block impostor accounts from your credit
report
23. Friendly Tips
• Send correspondence with tracking – fax with confirmation
or CMRRR.
• Keep copies of everything you send and receive in a file,
scanned, in a box – just keep them!
• Keep a record of every phone call – time, date, who you
talked to, and description of the conversation.
• Take care of yourself. ID theft is an intimate crime. Don’t be
surprised if you experience emotional stress and fatigue.
24. Medical ID Theft/HIPAA Breach
• DON’T MENTION ID THEFT UNTIL YOU HAVE YOUR MEDICAL
RECORDS!
• Order your medical records:
• From your own primary care doctor – this is your baseline
• From places where the impostor was treated
• Compare them
• Write places where impostor was treated and ask that impostor’s
records be de-identified and marked as John/Jane Doe
25. Criminal ID Theft
• Go to Sheriff’s Department (Airport just south of Koenig)
• Ask for a stolen ID file
• They’ll fingerprint you and make you sign a stolen identity
affidavit
• In the mail you’ll receive a stolen identity letter and PIN
• If you are stopped, tell the officer you have a stolen identity
file and give the officer your PIN
26. If nothing works – be glad you live in
Texas
• Chapter 521 of Texas Business and Commerce Code
• Application to be declared a victim of identity theft
• File application, send notice to creditors by certified
mail
• Attend a hearing, tell your story
• If court finds enough evidence, you get a court order
confirming you are a victim.
28. Responsibilities of a Business to Victims
• Protect customer info
• Know the law: FCRA, FDCPA, 521, HIPAA
• Have a breach notification plan
• Investigate
• Correct information sent to credit bureaus
• Cease all collection efforts against victim
29. Responsibility of a business after data
breach
• Check your CGL policy for cybersecurity or breach
coverage.
• Get legal help!
• Notify all customers who were affected.
• You are not required to provide credit monitoring. Most
businesses do it as a courtesy.
• Notify credit bureaus if required by law.
30. Online Businesses
• Tell users what information you collect and how
you’ll use it.
• Have protections so that no personal information is
collected from children.
• Tell users how you’ll protect their information.
• Get a lawyer to review your privacy policies because
these laws change rapidly.
From Justice Department’s national drug threat assessment
Note that TX is at intersection of 2 major routes
Traditional IDT hotspots: Texas, Florida, Arizona