Chicagoans have one of the strongest data-breach notification fraud laws in the nation, but they are among the biggest victims of having their data used for fraudulent online purchases.
That’s one of the findings of a study released Wednesday by a consumer-advocacy group that called on Congress to pass a comprehensive data-security law so everyone would get immediate notification of the widest-possible violations. The proposal calls for the new law to set a national data-breach notification standard.
The National Consumers League, the private, non-profit advocacy group based in Washington, D.C., held a news conference Wednesday at the 1871 technology hub in the Merchandise Mart to unveil its campaign, which includes a Twitter promotion — #DataInsecurity — to raise awareness and push for action on consumer data security.
The league’s study, done in partnership with Javelin Strategy & Research, based in Pleasanton, Calif., focused on data breaches and identity theft in four cities: Chicago and Los Angeles, due to their respective state’s strong anti-fraud laws; Miami, because Florida has the nation’s highest per-capita rate of identity-theft and fraud complaints to the Federal Trade Commission; and Minneapolis, because it is the headquarters city of Target Corp., victim of a data breach that let hackers access payment data on 40 million customers’ debit and credit cards.
The study findings showed:
◆ Chicagoans whose information is stolen are more likely than victims in Los Angeles and Miami to get a double whammy: The thieves use the stolen information to make online purchases in 43 percent of the instances, compared with 50 percent in Minneapolis; 35 percent in Los Angeles and 31 percent in Miami.
“Chicagoans who receive a data-breach notification should pay particular attention to purchases made online (in their name),” said John Breyault, vice president of public policy for the National Consumers League, a private, non-profit advocacy group focusing on marketplace and workplace issues.
◆ They should check in-person misuse of their information, too, since 28 percent of the Chicago fraud victims had their information used to make fraudulent purchases in person, often by “runners” who may use counterfeit cards to purchase merchandise for resale or pre-paid debit cards to get cash out of ATMs, Breyault said.
◆ In Chicago, 72 percent of fraud victims are also victims of data breaches, such as the much-publicized hacking at Target Corp. stores. That compares with 82 percent in Los Angeles; 80 percent in Miami and 66 percent in Minneapolis.
Illinois Attorney General Lisa Madigan’s office, along with the Connecticut Attorney General George Jepsen, are currently investigating data breaches at Target, Neiman Marcus and Michaels stores to make sure consumers were notified properly of any data theft and that the companies had “reasonable” data-security practices.
Madigan advocates a federal agency to investigate data breaches that would work much like the National Transportation Safety Board does in airplane accidents: Determine what happened, why it happened and what security measures need to be implemented so it doesn’t happen again.
The findings should be shared with small and large companies, said Madigan, who talked about her office’s experiences fighting data fraud at the news conference.
Al Pascual, a fraud and security analyst with the Javelin Strategy, said no national action is envisioned as long as banks and retailers continue fighting over who recovers the losses, takes customer complaints, replaces compromised cards and posts signs telling the public how they safeguard data.
As for consumers, Madigan recommended that they use cash for small purchases, such as for a cup of coffee, closely review bank and credit-card statements, set up transaction alerts for purchases made with one’s credit and debit cards, and consider putting a security freeze on their credit report to prevent fraudulent accounts from being opened without their knowledge.
The Attorney General operates an identity-theft hotline at 866-999-5630.
In 2013, Madigan’s office saw a 1,600 percent increase in data breach complaints compared to the year before — the latest data available. Madigan’s office received more than 20,500 complaints in 2013. Identity theft complaints recorded the largest increase – from 2,544 complaints in 2012 to 3,009 complaints for 2013. Within this category of complaints, Madigan’s office reported a significant increase in complaints specifically about data breaches — from 33 complaints in 2012 to 576 filed in 2013, representing a 1,600 percent increase.
The Illinois Legislature passed a law requiring that people be notified of online security breaches in 2006, three years later than in California and one year later than Florida and Minnesota.
The National Consumers League points to California’s law as a national template because it includes email addresses as “personally identifiable information,” whereas Illinois’ law does not; and California’s law covers encrypted information, while Illinois’ does not.
The percentages are high and getting higher nationwide because fraudsters are increasingly using the information they get from massive data hacks to use in stealing the victims’ identities, Breyault said.
Another worrisome trend is that nearly one-third of identity-theft victims in the four cities failed to take action to prevent further fraud, up from one in nine in 2010, the study showed.
A two-year-old company working out of the 1871 tech hub, Rippleshot, uses a “big data” approach to quickly detect data-breach attempts for banks and in merchants’ credit-card sales systems.
The quicker that a breach can be spotted, the less money retailers will have to spend to reissue credit cards, preserve their reputation and minimize other expenses, said CEO and co-founder Canh Tran.