A Q&A with Rick Kam, President and Co-founder at ID Experts
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at credit monitoring, and I spoke with Rick Kam, President and Co-founder at ID Experts, which offers a spectrum of data breach response services including identity monitoring and recovery for healthcare, government, enterprise, education and financial service organizations.
At what point during a data breach does ID Experts get the call?
We’re like the fire department for data breach incidents. Usually we get engaged when the general counsel calls us—this is while the privacy officer and CIO begin to conduct some investigation about the nature of the situation. At the same time they might be reaching out to the risk manager to find out whether there’s insurance coverage so they know the financial impact involved.
What happens after the call?
Having your data stolen or becoming the victim of identity theft could potentially be a problem you have to deal with for the rest of your life. We want to make sure that those people whose data is stolen—whether they’re doctors or patients or anyone else—feel taken care of and can get their lives back in order. The next step in the process is to figure out who’s being affected by the breach and what information is out there. There are a lot of different monitoring options on the marketplace. While credit bureaus monitor credit activity, we can also use cyber-monitoring to track both financial and health data. A company like ours can look at the potential data that is missing, tailor our services and act like a one-stop shop to aggregate and deliver information about the missing data.
What problems or hurdles do you typically encounter?
The biggest challenge is the pressure people face. Everything’s hitting at once—there’s a lot of information and the privacy officer is overwhelmed with requests for information to make decisions and provide clarity where there may be no clarity. Another interesting challenge is the complexity of the ecosystems in today’s organizations. We work with healthcare systems that have both hospital and university education sides, so there are multiple management teams—getting them to agree and getting everyone on the same page can be tricky. Sometimes you’re talking about the FBI and Secret Service in the mix as well, so it’s a communication challenge. One of the first things we have to do is get a consolidated view of what the management wants to accomplish so that we can say, “here are the different options that will help you facilitate those goals.”
What are the approximate costs for credit monitoring and ID restoration services?
Costs per record can range from US$5 to $20. That said, every breach, whether it affects five or five million people, is different and there are many factors that can impact the cost. The full spectrum of services is obviously going to cost more. Often people want to minimize the cost because a breach is an unplanned, unbudgeted expense but we try to educate them and make it clear that the financial impact can be much greater when you don’t do the right job. Having “delighted victims,” people who are satisfied by your response, is going to cost much less than uproar in the media or class action litigation. We like to say that we deliver positive outcomes because none of our clients in over 500 breaches have been fined by regulatory bodies nor have they had any class action litigation suits brought against them.
Thanks, Rick, for sharing your insight. At NetDiligence, we’ve seen that credit and identity monitoring are valuable services that allow businesses to offer potential data breach victims both a good will gesture and a proactive way to help mitigate potential harm/loss. Having said that, there’s a time and place for these services. One might argue that the first call should go to a privacy lawyer (what we call a Breach Coach® in eRisk Hub®) to help the client with the decision to offer additional services (or not), given the facts surrounding the case. For example, if the data breach event was caused by a malicious actor and resulted in a loss of Social Security numbers—the “Holy Grail” of data—and fraud is already occurring in the victim pool, this obviously would be grounds to offer victims an effective remedial monitoring service.