Digital hygiene

About a decade ago, Alyson Newton was able to detect a fraudulent transaction under her name due to an identity theft protection service provided by her bank.  

“I was definitely concerned, but also felt fortunate that I had the tools and the skills to navigate the complexity of the matter,” says Newton, vice president and executive and professional specialty practice leader at Marsh & McLennan Agency LLC in Richmond.

There isn’t a foolproof way for consumers to protect themselves against identity theft and data breaches, but there are precautions they can take. Efforts to safeguard personal information are increasingly important as data breaches become more common.

Twitter, Facebook and Uber are just a few of the companies that have recently announced data breaches impacting millions of customers.  Identity theft was the third-biggest complaint reported by Virginians to the Federal Trade Commission, accounting for 7,656 reports in 2017.

In the age of the internet and smart devices, how can consumers protect their personal information, and what should they do if they are victims of a cybersecurity breach? Virginia Business spoke to experts around the state to find out.

Proactive approach
Newton recommends signing up for an identity theft protection service, which starts at about $10 per month, depending on the vendor and the type of service offered.

These services can provide credit monitoring, which tracks activity on the customer’s credit report, such as when a new loan or credit card is issued under consumers’ names or their credit limits change. 

The services also may offer identity monitoring, which alerts customers when their personal information is being used in ways that don’t show up on credit reports. These activities include change of address requests or payday loan applications.

Customers also may be notified if their information appears on certain parts of the Dark Web, a part of the internet that is only accessible by special software and is often used by thieves to trade stolen information. 

In addition to paying for an identity theft protection service, Newton keeps her credit frozen and recommends others do the same if they’re not applying for a mortgage or another type of loan.

“I did have to lift [the freeze] once because my husband and I moved into a new home about seven years so, so I literally lifted it with a [passcode] so that our new mortgage loan could go through, and then I clamped it back down,” she says. 

A number of organizations, such as LifeLock or Experian, provide identity theft protection services. Nonetheless, few Virginia-based firms conduct investigations to help consumers to determine how their personal information has been stolen online. 

“Most consumers aren’t going to have the cash sitting around to have an investigation done into their stuff,” says Joseph De­Plato, co-founder and chief technology officer with BlueStone Analytics in Charlottesville, which provides such a service for businesses. 

Insurance to help individuals deal with cybersecurity breaches is available. For example, AIG, Chubb and Pure offer cyber insurance in addition to homeowner’s insurance for consumers whose homes are worth $1 million or more. The supplemental coverage, helps recoup a customer’s financial loss from a cybersecurity breach, up to $250,000 to $1 million on average. The additional insurance also can include coverage for dealing with cyber bullying or cyber extortion.

“On a business level it’s been out there for a few years,” says Julie Rison, a broker and vice president, private client division, at Marsh & McLennan Agency in Richmond.

“On the personal level it’s gotten to be more of a need. It wouldn’t surprise me if other carriers followed suit soon.”

Valuable information
According to DePlato, no information is off the table for cyber criminals. They’re after anything that identifies consumers, including email addresses, passwords, usernames, job titles and phone numbers. “Everything’s valuable,” he says.

A username and password, for example, can be used to send “phishing” emails to a person’s contacts. These emails lure recipients to websites and prompt them to share personal information so that their money or identity can be stolen.

Cyber criminals also can use names, dates of birth and Social Security numbers to establish credit in others’ names. Experts agree that the majority of cyber breaches are financially motivated.

“Credit cards are easiest to monetize. They get a couple bucks to maybe more,” using names, ZIP codes and security codes off the back of the cards, says Jim Jones, associate professor in the digital forensics and cyber analysis program at George Mason University in Fairfax. “That’s easiest to do.  They’ll compromise a large number [of credit cards] and sell them in bulk.”

Since credit-card information is commonly stolen, DePlato uses cash when he shops in brick-and-mortar stores. When shopping online, he uses Privacy.com, a free service that creates virtual cards that can be used for online shopping. The service functions like a gift card, pulling funds from his checking account.  Users can specify that the cards can be used only once, or set a monthly spending limit on each card. The cards become invalid after the spending limit is reached or the use allowance is exhausted.

Consumers also should be careful to use a private internet connection in surfing the web or shopping online so that passwords or other important information can’t be viewed by cyber criminals. A private internet connection can be found by checking for the green padlock icon next to an address bar beginning with “https://.” 

If your credit or debit card information is stolen, experts recommend alerting your bank and asking for a new card. This move will prevent criminals from being able to use the card again. As a precaution, cybersecurity professionals say you should constantly keep an eye on your credit report and bank transactions.

Users also should be careful in creating online passwords and change them often. In choosing a password, longer is always better. The FTC recommends passwords should include at least 12 characters and be complex. For example, consumers should use a mix of uppercase and lowercase letters, numbers and symbols in their passwords.  Consumers also can use a reputable password manager that randomly generates passwords for different accounts.

Cybersecurity professionals also say it’s smart to enable “multifactor authentication” when logging onto sites. This process, for example, can require you to use an additional code sent to your cell phone in addition to your password.

In addition, social media users should realize the information they share on those platforms can be compromised, regardless of privacy settings.

“The default assumption has to be anything you share is public,” says Eric Jardine, an assistant professor at Virginia Tech focused on cybersecurity and cybercrimes.

“What do you want to share on those sites?”

New data law
Many internet users are used to sharing information on social media and other platforms for the sake of convenience. Nonetheless, recent events such as the Facebook-Cambridge Analytica scandal are sparking conversations about how personal data are used. Facebook says Cambridge Analytica, which has filed for bankruptcy, gathered personal data from 87 million Facebook users without their consent, including 7,100 users in Virginia along with 1.7 million of their Facebook friends. 

A new law that went into effect in late May seeks to protect Europeans from abuse of their data. According to The New York Times, the General Data Protection Regulation requires companies to be transparent about how they handle users’ data and ask for permission before sharing that information. The law sets a fine of up to 4 percent of revenue for companies that don’t comply. It applies to any company, including those based in the United States, that deal with European Union residents.

No similar consumer data privacy protection law exists in the U.S., but Jonathan V. Gallo, an attorney at the law firm Vandeventer Black in Norfolk, believes that could change.

“Right now, what we have is a patchwork,” he says. “We have state laws and then we have some federal laws that overlap … depending on the type of information and the type of entity that has that information. There’s not one omnibus broad-brush law.”

Even if such a law is enacted, Americans will have to remain vigilant about how they handle data online.