The Target data security breach during the 2013 holiday season was a tremor that shook businesses and consumers into heightened awareness of cyber theft. The more recent Anthem breach has been a major aftershock.
“The interesting thing about the Anthem breach is that the bad guys are looking for new places to find data, such as medical information,” says Claire Terrell, vice president, marketing, for Legal Shield in Dallas.
The Anthem and Sony attacks demonstrate that cyber thieves are broadening their targets, says Nick Rockwell, director, benefit solutions, for LifeLock in Tempe, Arizona.
“Medical ID theft is a topic of great concern,” he says. “Obviously, a credit card breach is a bad thing, but you can have it stopped. But if your Social Security number and medical ID are stolen, it can follow you around for a long time.”
Americans lost $10 billion more in identity theft in 2012 than all other property crimes tracked by the National Crime Victimization Survey by the Bureau of Justice Statistics. Identity theft cost $24.7 billion, compared with $14 billion for household, motor vehicle and property theft combined.
Many security experts believe that health care companies such as Anthem trail other industries in protecting personal information. Hackers were able to access Social Security numbers, addresses, email, employment and income data from as many as 80 million records.
Officials at Anthem say they don’t know who was responsible for the attack, although thieves may have infiltrated company networks using a sophisticated malicious software program that gave them access to the log-in credential of an Anthem employee. The hackers seem to have been interested only in financial information, not the medical data shared with doctors and hospitals.
After the security theft hit the news, the phones started ringing at the offices of security providers and the brokers who market their services.
“Any time there is a major breach, such as Target, Sony or Anthem, we see a spike in membership demand,” Rockwell says. “Brokers and employers want to learn more. The unique thing about the Anthem situation is that because it was health care instead of credit card information, employers and brokers found themselves in the middle.”
The same thing happened at Identity Fraud Inc. in Walnut Creek, California.
“There definitely has been a correlation with higher demand since Target and Anthem,” says Tom Widman, president and CEO.
These high-profile breaches, as well as the well-publicized hacking of Sony Corp., mean cyber security no longer is a back-burner issue for many businesses.
“Demand for ID theft services continues to grow as people realize it could happen to them,” Terrell says. “You may feel that you will not be targeted, but as you can see from the news, it’s not a matter of `if’ but `when’.”
An increasing number of businesses are countering cyber threats by offering ID theft protection as a paid perk or voluntary benefit. About 25 percent of large employers offered this benefit in 2013, according to Towers Watson. The primary reasons are to reduce employee stress and maintain productivity.
An unprotected employee could spend hours of work time trying to resolve related issues. One study found that identity theft victims are more likely to experience financial hardship, emotional distress and even relationship problems.
One hurdle is that employees may believe they are protected even though they are not.
“A lot of consumers don't know if they are protected and where their vulnerabilities are," Rockwell says. "They may think their bank is protecting them, but what if they use another bank? What about credit cards?"
Just as with health insurance, the objective is to cover vulnerable areas.
“Data theft is hard to stop,” Widman says. “An employee may lose a laptop with customer data in a restaurant or airport. Someone can hack your system or you can click on the wrong link and be compromised. If there is a gap in coverage, it’s important to fill that gap.
“The same thing is true for the business itself. Roughly 27 percent of small businesses think they have protection against data breach under their general liability policy but don’t.”
ID protection services fall into three main categories, he says:
Instant response on demand
The number of businesses providing ID theft protection has mushroomed in recent years, and the choices can seem overwhelming. Where is the best place for a business to find reliable advice?
“You can do online research, check out individual companies or go through your benefits broker,” Terrell says. “Generally, your broker or insurance professional is a good place to start. Our brokers are a huge resource for their clients. They can help businesses offer protection as a perk at no cost to employees or as a voluntary benefit.”
Companies such as LifeLock work hard to bring brokers up to speed, not only on their services but also on how to help clients compare and contrast options.
“Education is one of the most critical components," Rockwell says. "Brokers and businesses are familiar with handling insurance products, where there are agreed-on principles by law for premiums, deductibles, inclusions and exclusions. For example, brokers can show them what three carriers looked like and put the cost on the bottom line."
However, that common language is not well established for ID protection.
“We educate brokers that ID protection is a service, not insurance," he says. "There is no agreed-up lexicon, and no easy box to check when comparing services. The critical question is not `what you do?’ but `how you do it?'"
One of a broker’s most important tasks is to show clients how to assess and compare their options.
“Brokers should educate their clients about how to evaluate services and why it is different than insurance,” Rockwell says. “You often are comparing apples and oranges. It really comes back to the concept of ‘how’ instead of ‘what’."
Terrell recommends that businesses ask brokers these questions before selecting a service:
Is it easy to use?
Does it include full restoration or just a recovery plan?
How involved do my employees have to get in a theft situation?
Do I have choices on how to implement the plan?
Can I find it as a partial fringe benefit?
ID protection service regularly ranks high on surveys of desired voluntary benefits. Providing this service is a high-profile way to show employees that the company cares about their peace of mind. Unlike health insurance, where employees enroll annually and hope it is never needed, ID protection remains visible throughout the year.
“Think of your financial life as if it were your home,” Rockwell says. “You can purchase homeowner’s insurance, lock the doors and still be robbed. It would be wise to include an alarm system as well.”