Most of your citizens are now very aware of the data breach that was perpetrated by cybercriminals against a database at your S.C. Department of Revenue that was discovered last month (October, 2012). The cyber attack appears to have led to the acquisition by criminals of private information including social security numbers, debit and credit card numbers, and even bank account information on some 3.6 million of your citizens (CarolinaLive.com, Tax returns of 3.6 million SC residents are hacked, October 26, 2012).
As noted by NBC correspondent Michael Isikoff in a Today Show segment recently (November 10, 2012) Cyber Thief Puts South Carolina Taxpayers at Risk, this data breach has already led to the sale of personal financial information in criminal online black markets. Further, there are some hacking victims that have come forward to help get the word out that the cyber criminals are actually using the stolen information to drain bank accounts.
In the case of Tina and Wade Mather, who own a catering business, they had around $4,000 removed from the business checking account by criminals (First SC hacking victims come forward, Wistv.com, November 19, 2012). It amazingly didn’t take the criminal long to begin monetizing their stolen goods. "It was very surprising when we get up one morning [around November 2nd) and found thousands of dollars missing from our account and that's when the reality really set in, like, oh my goodness, this is not going to be good," said Mr. Mather.
So the facts of what has occurred, and its implications are becoming well understood. The purpose of this letter, however, is to shine a brighter light on what South Carolina chose to do in order to help their citizens through this difficult challenge, and to suggest that some of your choices could have been better ones. I’m specifically talking about your decision to rely on Experian, the huge credit bureau, to provide the front line of communications with your citizens, and to ultimately provide them with an identity protection solution.
While I understand that providing your citizens with a credit monitoring product is a reasonable protective measure under the circumstances, it seems less logical to me that Experian is best suited to be the “first call” for your citizens.
As noted by your Senator Bryant (Local legislators chair committee looking into SCDOR breach, The Journal, November 14, 2012) in a recent interview, “Bryant also challenged Governor Haley’s decision to contract with Experian without seeking bids for the services. ‘This is going to end up meaning huge amount of business for that company. Why aren’t they paying us for the first year.’ ” And it is this point that I think requires further exploration.
Experian is a credit bureau. Part of their business model is selling credit monitoring services to consumers. This is a huge business for Experian. We all have probably seen their Free Credit Report and Free Credit Score .com TV commercials that promote their credit monitoring products. By contracting with Experian to provide the credit monitoring offering, their call center agents then also will often be the very first people that your citizens will talk with concerning the breach. I really think that you could do better
To be clear, Experian’s call center agents are primarily motivated to enroll your citizen’s in credit monitoring. They aren’t specifically motivated or qualified to help your citizens in understanding their risks associated with your particular breach nor how they can better address them. Experian’s business model here is simple. They are often the least expensive option for notification, taking incoming calls, and providing credit monitoring. This is because their long-term economic value in servicing breaches is derived from “retaining” these customers after the first year of free service. Their breach business in this case is a lot like a “loss leader” or marketing investment for acquiring new consumer customers.
As a contrast to this, our firm takes a different approach. So while I acknowledge that I also have an agenda in writing this, mine is to help organizations such as your DOR to understand that there is a better way to treat their victims of data breaches; an approach that will better protect your reputation and better protect your citizens.
To that end, we typically setup a special website, with information that is especially useful to the data breach victims, and we staff our call center with specially trained agents who are focused on helping victims understand what happened, what their risks are, and what they can do to protect themselves. That is because our business model is to serve our client, the organization that has the data breach, and to serve their “customers”, who in this case would be your citizens. In cases where we advise our client to provide credit monitoring and/or identity and fraud restoration services to the affected victims, we do this without the demonstrated intent to “sell” the victims on purchasing these services after the one year period of time that your organization has paid for it on their behalf. That isn’t part of our business model. It is the key to Experian’s business model.
While you might perceive our approach might be somewhat more expensive than the path you're pursuing with Experian, I would suggest that won't be the case at the end of the day. You should look at the "all in" costs for your data breach, which would include not just the security forensics and breach response costs (notification, credit monitoring, identity restoration, legal), but also include follow-on legal defense costs, and regulatory fines and penalties. It has been our substantial experience that the more that you focus NOW on taking care to address the real and perceived risks and concerns of your affected citizens, utilizing a "high touch" approach, the less likely that you will be defending class action litigation and/or being fined by regulators or other state AGs. In other words, avoiding a "penny wise but pound foolish" approach.
So had I had the opportunity to advise you prior to your decision to rely on Experian to care for your citizens, I would have recommended that you carefully choose a “data breach partner” who would help you in doing what Mr. Etter (DOR Director James Etter) has indicated was your intent. “From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we've taken has been consistent with that priority.” While our firm isn’t the only one that aligns with that sentiment, and objective, our perspective, based on observing experiences such as yours in South Carolina, is that it is exceedingly difficult for a credit bureau to adopt this approach philosophically. It just doesn’t seem to be in their DNA to focus all of their efforts on understanding and serving the real and perceived fears of victims of a data breach.
So while this letter might seem like Monday morning quarterbacking on my part Governor Haley, I hope that this might provide food for thought for other organizations that may find themselves on the receiving side of a cyber attack. The choice of partner in such instances, the partner that will play a significant role in speaking with, influencing, advising and taking care of the individuals affected by your data breach, is a crucial one that can make all the difference between a positive outcome and one that is not so much.