Just a reminder: The European Union's General Data Protection Regulation (GDPR) takes effect on May 25. The new regulation enacts strict rules requiring organizations to protect consumer data, and it applies to any organization worldwide that gathers data on EU consumers. The aim is to protect the privacy of consumers and to combat identity theft and fraud.
Now here's another reminder: Identity fraud is getting worse. In the U.S., 16.7 million consumers were victims of identity fraud in 2017, up 8 percent from 2016, according to Javelin Strategy & Research's 2018 Identity Fraud Study. That's one out of every 15 U.S. consumers. Javelin surveyed 5,000 U.S. adults for the study.
What's the bottom line for internal auditors and their organizations? It's time to get serious about protecting consumer data.
"2017 was a runaway year for fraudsters, and with the amount of valid information they have on consumers, their attacks are just getting more complex," says Al Pascual, senior vice president and research director at San Francisco-based Javelin.
The Javelin report makes a distinction between identity theft and identity fraud. Identity theft is unauthorized access to personal information, such as through a data breach. Identity fraud happens when that personal information is used for financial gain.
A New Target
The nature of identity theft and fraud shifted in 2017, the report notes. For the first time, more Social Security numbers were stolen than credit card numbers. Last year's massive Equifax hack was the most glaring example. Those Social Security numbers make it easy for criminals to open accounts in a victim's name or to take over their existing accounts.
Javelin says account takeover was one of two drivers of identity fraud last year, along with existing noncard fraud. Account takeover tripled, with $5.1 billion in losses, a 120 percent increase over 2016. This type of fraud is particularly costly for consumers, who spend on average $290 and 16 hours to resolve incidents.
Small wonder then that consumers "shift the perceived responsibility for preventing fraud from themselves to other entities, such as their financial institution or the companies storing their data," as Javelin's press release notes. Respondents rate security breaches at companies as the top identity-related threat, with 63 percent saying they are "very" or "extremely" concerned about such incidents. Nearly two-thirds of victims say breach notifications don't protect them and are just a way for organizations to avoid legal trouble.
Another trend is that identity fraud has moved online in response to the introduction of EMV chip cards in the U.S. Credit and bank cards with these chips make it harder for fraudsters to use stolen cards in person, but the cards can still be used online, where many people shop. Indeed, card-not-present fraud is 81 percent more likely than point-of-sale fraud, Javelin reports.
These frauds are becoming more sophisticated, too, according to Javelin. For example, fraudsters opened intermediary accounts in the names of 1.5 million victims of existing card frauds. Such accounts include email payment services such as PayPal or accounts with online merchants.
Javelin's recommendations for preventing identity fraud focus more on what consumers can do to protect themselves, including:
- Using two-factor authentication.
- Securing devices.
- Putting a security freeze on credit reports to prevent accounts from being opened.
- Signing up for account alerts.
- Setting controls to prevent unauthorized online transactions.
Such vigilance can help, but consumers expect financial institutions, retailers, and others they do business with to protect their information. Now they have a powerful ally in the GDPR, which puts responsibility squarely on businesses.
The GDPR requires organizations to provide a reasonable level of protection for personal data and mandates that they notify data protection authorities within 72 hours when consumer records have been breached. Compare that with some recent U.S. breaches in which several weeks passed between when the incident was discovered and the time when the organization disclosed it.
GDPR regulators can harshly punish organizations that don't comply. Fines can run up to 4 percent of an organization's annual turnover or up to €20 million ($24.6 million). If protecting customers' personal data isn't a priority in itself, the potential financial penalties should raise the stakes for organizations.