Identity theft refers to stealing your personal identification information such as your social security number and other details. Data breach (also known as data loss, data leak, or data spill) on the other hand refers to stealing other people's (your clients, customers, employees, students, tenants) personal information that they shared with you.
The biggest difference is that a data breach is much more sinister than identity theft in terms of damages inflicted on the victim. Now indeed, damages due to identity theft are no laughing matter. Beyond fake credit cards, forged checks, or auto loans, they have grown to include house stealing (yes, the title for your house ends up in the thieves' name even while you are living in it), medical insurance fraud, and other sophisticated misuses of identity that endanger national security. The saving grace however is that once you prove that your identity was stolen, your own monetary loss may be limited to certain legal and recovery service fees. The actual loss of the fake loan, for instance, would be borne by the bank that issued the loan.
For a data breach, the damages are often far more damning. Sixty percent of small businesses close down after a data breach, according to this report by the US Securities and Exchange Commission. If your business has the financial strength to survive a data breach, it will still take a significant hit due to loss of business reputation and goodwill. Clients do not always understand whose fault it is. And even when they think it is not your negligence, they may just play it safe by staying away from your systems. The financial costs of recovery are also significant, as we describe further down below.
In most states, the law requires the breach to be reported. The breach report becomes public record and is posted online by the state on its website. This means that it can show up for any clients searching for you or your business name online. The state website can often have a higher search-results rank due to higher traffic than your own website, making it difficult to hide the breach.
To prevent identity theft, always secure personal information, including your social security number (SSN), credit card numbers, bank and brokerage accounts, retirement accounts, date of birth (do not make this public on social networks), voter registration card, alien registration card, and previous credit reports. The Center for Identity Management and Information Protection provides several tips to prevent identity theft.
To prevent a data breach, you need to protect all your customers' information that you receive. Store paperwork in secure locations. Encrypt your computers' hard drives. Use encrypted email.
Many businesses mistakenly believe that as long as they use secure methods to send sensitive information to customers, they are protected, even if they receive sensitive information in unencrypted emails from the customer. If the customer sends insecurely, it's not your fault. Wrong. The reality is that such information also exposes you to a data breach. That unencrypted email could end up in the email app on your phone, and then remain stored without encryption on your mobile device.
To stay safe, always offer your customers a secure method to send you sensitive information. Many banks provide their own document portal for customers to upload documents. A much easier and lower-cost alternative is to offer secure document uploads using Encyro.
Given that data breaches are highly lucrative for attackers, and most small businesses do not have sufficient protection in place, the majority of data breach attacks (71%, as reported in Forbes) target small businesses.
Prevention really is the best strategy here since a breach can be fatal for a business.
The recovery steps for identity theft and data breach are very different.
In case of identity theft, recovery after the theft focuses on closing out the breached accounts and replacing them with new ones. You will need to inform not only the credit reporting agencies (Experian, Equifax, TransUnion) and law enforcement bodies but also each financial institution that needs to close your affected accounts. You will receive new credit cards and will need to update any automatic payments set up using those cards. In some cases, a new SSN may be needed.
Also, check whether you have identity theft insurance or credit monitoring. Identity theft insurance is included in some homeowners or auto insurance policies, and even if you did not purchase credit monitoring yourself, some vendor that suffered a data breach may have purchased it for you. If you have either of those two, contact them to find out what services they offer for recovery after the theft.
The following organizations provide additional resources for identity theft victims:
The Center for Identity Management and Information Protection has useful information for identity theft victims on this page, including steps to take as soon as you detect it.
The Identity Theft Resource Center provides specific guidance for identity theft related to financial/credit loss, stolen tax refunds, unexpected medical bills, and fake criminal charges at this page.
The Federal Trade Commission offers customized identity theft recovery plans here.
Recovery after a data breach is much more complicated. If the business does survive the breach, the following steps would be required:
- Legal compliance. In most states, you are required by law to report the data breach to every individual or entity whose information may have been stolen, or is reasonably believed to have been acquired by an unauthorized person. Substitutes for individual notification may only be allowed if the cost of reporting exceeds a large amount, such as $250,000 in Texas.
  - The requirement does not apply if the information was encrypted. So it makes sense to use an encrypted email and document service such as Encyro along with encryption for your documents stored outside of Encyro.
- Fines. In some states, businesses can be fined for data negligence. In Texas, for instance, the fine can be up to $250,000. Again, if the data is encrypted, it is usually not considered as breached.
- Review. If a breach is even suspected, depending on your business type, you may be required to undergo a review by a team of forensic security examiners, costing up to $20,000. You may have to spend significant time and effort to co-operate with law enforcement agencies in investigating the breach as well as fixing your own systems to avoid future breaches.
- Credit monitoring for your customers. The least a business is expected to do is offer credit monitoring services to each affected client for a period of 2 years or more. This is a cost you will bear for every client affected.
General business liability insurance does not cover damages due to a data breach. If you do have cyber-liability insurance, it will only cover the costs associated with recovery actions such as the cost of notifying your clients about the breach, funding for PR measures, and offering credit-monitoring services. It cannot restore your business reputation, nor does it cover the financial loss incurred due to lost business.
Target's cyber-risk insurance, for instance, covered less than 36% of its total estimated expense of $252 million due to the data breach.
Summary of Differences
The table below summarizes the differences between identity theft and data breach.
| | ID Theft | Data Breach |
|---|---|---|
| Prevention | Secure personal records; monitor credit report | Encrypt digital data (storage, email) |
| Damages | Forged checks or denied disputed charges; time lost in reporting; inconveniences due to inactive cards | Businesses close down in 60% of breach cases; loss of reputation and customer loyalty |
| Recovery | Report to credit reporting agencies and financial institutions; get re-issued credit cards | PR to recover lost reputation; report breach to each client per state regulations; pay regulatory fines; mandatory reviews and investigations; purchase credit monitoring for all customers |
You only need to worry about data breaches if you handle customer or client data. If you do, the risk is huge but encryption can help mitigate a large portion of that risk.