Cybersecurity: Too Often Overlooked is the Impact to the Individual

March 18, 2015
No Comment

By Matt Southmayd

Recently, there have been questions raised as to why corporations have been slow to be more vigilant about Cybersecurity. In the scheme of a large organization, it is often deprioritized because the minimal impact to the bottom line is a risk that is deemed acceptable to the business. For example, Target’s high profile breach cost the company $264 million dollars which may seem like a significant financial loss. When put in context, the company recovered $90 million from insurance, wrote off $105 million in tax deductions, and the final sum was only equal to about .1 percent of Target’s revenue.

While the impact to the corporation is small, the impact to the individual is often much more substantial, and is largely overlooked. This week, my parents informed me that they had been victims of identity theft due to another recent high profile breach that exposed their personal information, including social security numbers. Their accountant filed their 2014 tax return in late February  and this week found out that it had been rejected by the IRS. It turns out that two tax returns had been filed using their social security numbers and the refunds have been claimed. As a result, the burden has now shifted to my parents to prove to the IRS that they were victims of fraud and that their filing was the rightful one. Sadly, they have been told that it could take as much as 6 months to adjudicate the matter.

Fortunately, my parents can handle the financial burden while the issue is resolved, but what if that were not the case?  Many people are dependent on the money that they get back from the government and a six month delay could be devastating.

There are several questions that came to mind about the IRS incident:
  1. Why are there no better controls in place from the IRS to insure the legitimacy of filings?
  2. How many billions of dollars are going to be fraudulently claimed and received from our government?
  3. Why are the victims being put through so much when they have done nothing wrong?
To mitigate the results of the incident, there are some fundamental steps that I recommended that my parents take:
  1. Fraud Management: Put a Fraud alert on their social security numbers with the credit bureaus and place a freeze on their credit report.
  2. Financial Audit: Conduct a detailed review of their credit bureaus and recent financial statement to insure that no other fraudulent activities have occurred.
  3. Proactive Communication: Inform their creditors to insure that they have documentation of an identity theft.
This story has lessons for businesses too. As you implement your cybersecurity improvement program, consider the following:
  1. Executive Responsibility: It is the executive team that is responsible for cybersecurity and protection of your customer data, not just the CISO.  Executives could be held accountable for the damages resulting to individuals.
  2. Due Diligence: There are questions the CEO can be asking that can immediately improve the cyber posture of the company. See our post Prepare for The Cyber Threat: What Executives Need To Know To Manage Risk 
  3. Brand Damage: Understand the damage to your brand and the long term impact that can have on your reputation when customers suffer from a breach of your organization.

Like so many others, my parents were innocents in this conflict. Enterprises that hold data need to understand the harm that can be caused when there are breaches. These are not just statistics, they are real people who do not deserve the life disruption that comes with a breach and resulting identity theft.