In August, the Federal Bureau of Investigation arrested an individual alleging he participated in the creation of malware that impacted multiple U.S. government and commercial organizations.1 Specifically, the malware is alleged to be connected to the Anthem breach which exposed the health care insurance information of 80 million Americans and an attack on the U.S. Office of Personnel Management involving over 20 million individuals.

​On a related note, a group of legislators introduced the Cyber VICTIM bill - The Valuing Individual Cybersecurity Through Interagency Measures Act - which would create a new role for a federal official to serve as an interagency cyber victim coordinator.

​Together, these actions underscore the risk posed to the identity information of government employees. In the commercial sector, hiring authorities recognize this risk as well, and that is one reason why identity theft protection benefits are becoming a standard offering.

White Paper: Protect your Employees from the New Dangerous Realities of Identity Theft.

​According to Employee Benefit Adviser, for example, “Identity theft is the fastest growing crime and consumer complaint in America, and benefit industry experts say concerned employees are seeking protection as an employer perk more than ever.2

​Forward-looking organizations implementing this benefit recognize that identity thieves are now operating by an entirely new set of rules, and that solutions from the past decade do not offer adequate protection for the coming decade’s problems. A new approach is required, one which addresses identity theft in all its dangerous forms.

​Match the Identity Protection to the Risk

Identity protection is an attractive benefit, but to truly address the risks to employees or members, organizations need to carefully examine the options available. As the nature of identity theft has changed, the protection available has not, leaving individuals more vulnerable to identity theft than ever. Al Pascual, director of fraud and security at Javelin, noted, “The biggest problem with the mass issuance of identity protection services is the mismatch of risk and coverage. For example, we have seen countless breach victims being offered solutions that rely heavily on credit monitoring, even though it may not have been appropriate or effective based on the type of data compromised.3

​With respect to healthcare data, the Health Care Industry Cybersecurity Task Force4 recognized this issue as well, by stating that “The general standard across many industries is to provide one-year of identity theft protection following a compromise of personnel or financial information. The identity protection is only a help for credit-based identity theft, it does not provide the patient with adequate protections based on the sensitivity, value, and permanence of their health care data, which is priceless.”

The solution, of course, is to align the nature of the monitoring to the type of data that is at risk or was stolen: credit monitoring for financial data, cyber monitoring for online data, healthcare transaction monitoring for medical information, and so on. With the appropriate monitoring in place, an individual can be alerted to any suspicious activity and take proper action to protect themselves.

As state, local and federal agencies research identity protection as an employee benefit, executives should consider the commercial best practice of aligning the identity protection to the risk posed to employees. And, as new monitoring services become available, such as medical identity alerts that increase patient safety, organizations should partner with an organization offering a flexible suite of identity protection capabilities that can adapt and accelerate the delivery of innovative solutions as they become available.

References:

1 - http://www.eweek.com/security/fbi-arrests-chinese-hacker-with-possible-links-to-opm-breach

2 - https://www.employeebenefitadviser.com/news/regulatory-clarity-makes-id-protection-a-more-attractive-employee-benefit

3 - https://www.javelinstrategy.com/press-release/post-breach-complimentary-identity-protection-services-do-they-really-benefit

4 - https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf