Tag Archives: federal trade commission

The Key to Survival in Wild West of Cyber

Today, the question is not will my organization experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, and government entities are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third-parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation, PCI assessments; business interruption costs and system failure; legal proceedings and defending against regulatory actions – to name a few. On top of this, while companies suffering under the weight of a breach understandably feel like victims, it is not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors. Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.

See also: Actuaries Beware: Cyber Is Treacherous  

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even while companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets, with approximately 51% of PP&E assets covered by insurance to only 12% of information assets covered on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle with accurately assessing and quantifying cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year only totaled around $2 billion.

The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information. Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits. These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure.

It is easy for organizations to lose perspective on how to best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, -resourced and diverse. But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions. In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most. Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, the balance sheet and corporate reputation. With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used include sophisticated penetration testing and social engineering techniques, to employing ethical hackers or red teams. In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the “during” and “after” phases of an attack, as well as the “before.” They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

See also: New Approach to Cyber Insurance  

When news of an attack occurs, it is not scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: The company identifies the breach itself, finding a malicious actor has been in the network for weeks, or even months; a company receives a call from law enforcement often with limited information as part of a larger compromise that has occurred; or, the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence. To be prepared, companies need response plans to manage this “during” phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture.

This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint. Public relations is not relegated to a “no comment” statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives.

Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have additional internal expertise to handle these aspects of an investigation. During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering who to retain, it is key to look at the firm’s experience: the number of cases a firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can launch lawsuits against organizations if it suspects them of failing to properly safeguard customer information. Such cases have the potential to span several years and can result in companies’ drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation.

To protect from such costs, it is critical that companies quantify the intangible damages that will occur in the event of a breach and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase insurance policies. When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to effectively assess risk, evaluate preparedness and write policies, the policies still vary greatly. At its base, companies want a policy that covers “first party” types of losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover the third-party traditional liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover costs to defend against any regulatory action. Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning. This will confirm that the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceeding, negligence is by far the most common reason an organization is found to be liable of cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a number that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs was Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk for identity theft, and was the result of the hospital’s inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions, for example, in which claimants are eligible for cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, this pendulum could swing. When it swings, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.

See also: Most Firms Still Lack a Cyber Strategy

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur. Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

cyber

Cyber Threats and the Impact to M&A

As investment bankers and their lawyers pore over the details of a potential corporate merger, a new and troubling issue has emerged that could affect the terms of the deal, or even derail it. Cyber risk is now a top agenda item, not only for deal makers but for shareholders, regulators and insurance companies.

While assumption of risk is nothing new when acquiring a company, assuming cyber risk raises a whole new set of concerns that must be addressed early in the M&A process. Specific industries, such as healthcare, financial services and retail might require detailed attention to data risk as it applies to HIPAA (Health Insurance Portability and Accountability Act) standards, financial regulation and PCI (payment card industry) compliance. A thorough analysis of the target company’s network systems needs to be part of the due diligence process and may require the services of a network assessment vendor. Insufficient cyber security and the need for significant remediation of these networks could lead to unforeseen expense and may be a consideration in final negotiations of the target price.

Understanding the evolving face of hackers should also be a consideration. Hackers have traditionally been motivated solely by financial gain. However, as evidenced by recent cyber attacks against Sony, Ashley Madison and the Office of Personnel Management, hackers may be driven by political agendas or moral outrage or may be part of state-sponsored cyber espionage. If the acquired company comes with intellectual property or produces controversial products or services, it could be at higher risk of attack.

Regulatory Issues Affecting M&A

Increased regulatory risk for the acquiring company should also be of concern. Regulators in the U.S. and around the world have had a laser focus on privacy matters and have made their authority known in two recent court decisions.

  • On Aug. 24, 2015, a decision was made that will have profound impact on how the CIO, compliance officers, cyber security officials and others view what is an acceptable level of cyber security. In Federal Trade Commission v. Wyndham Worldwide Corp. et al. No. 14-3514, slip op. at 47 (3rd Cir. Aug. 24, 2015), the FTC alleged Wyndham failed to secure customers’ sensitive data in three separate incidents. As a result, 619,000 customer records were exposed, leading to $10.6 million in fraudulent charges. The Third Circuit Appeals Court affirmed the FTC’s authority to regulate cyber security standards under the “unfair practices” of the Federal Trade Commission Act. Therefore, key stakeholders in the acquiring and target companies need to come to terms regarding acceptable levels of cyber security before the deal is closed.
  • On Oct. 5, 2015, the European Union’s Court of Justice declared the U.S. and E.U. Safe Harbor framework invalid. The ruling abolishes an agreement that once allowed U.S. companies to move E.U. residents’ digital data from the E.U. to the U.S., and it will affect approximately 4,000 companies. For some companies, the ruling could drastically alter their business models. Therefore, an acquisition of any of these companies will require careful consideration as to how the company collects and uses the online information of the residents in the 28 countries that make up the E.U. An acquiring company could face regulatory scrutiny and costly litigation for noncompliance of their newly acquired entity.

Transferring Your Cyber Risk

One method to provide protection for the acquiring company would be to enter into a cyber security indemnity agreement with the targeted company. The agreement can exist for a period after closing, but there should be an expectation that—after a specified length of time long enough to remediate and integrate the target company’s IT networks—the agreement will expire. The liability protections should be as broad as possible and should include all directors and officers, who are often named in derivative lawsuits in the aftermath of a data breach. The agreement should address the many different actions that might be required after an unauthorized network intrusion of the target company. Costs related to defense attorneys, IT forensics firms, credit monitoring vendors, call centers, public relations companies and settlements should be anticipated. The firms to be hired, the rates they will charge and the terms of reimbursement to the acquiring company should be outlined in the agreement.

Many businesses have also turned to cyber insurance as a means to transfer cyber risk. In fact, the cyber insurance industry has grown to $2 billion in written premiums, with some expecting it to double by 2020. Cyber policies typically cover a named insured and any subsidiaries at the time of policy inception. Parties in a merger should be aware that M&A activity will likely have an impact on existing cyber insurance policies and often require engagement with insurance companies. When an insured makes an acquisition during the policy term, the insurance carrier often requires notification of the transaction pursuant to policy terms specifically outlined in the policy. Because cyber insurance policies are written on manuscript forms, there is no one standard notification requirement, and compliance terms will vary from insurance company to insurance company. If the target company has revenue or assets over a certain threshold, the named insured may be required to:

  • ƒProvide written notice to the insurance carrier before closing;
  • Include detailed information of the newly acquired entity;
  • Obtain the insurer’s written consent for coverage under the policy;
  • Agree to pay additional premium;
  • Be subject to additional policy terms.

Cyber risk can have a huge impact on any M&A activity. Legal liability and the means to transfer it should be a top priority during the transaction. There likely will be a big impact on existing insurance coverage. All parties need to focus on their rights and responsibilities and must engage the right experts to maximize protections in the process.

New Worry on ID Theft: Tax Fraud

Statistics on identity theft show that tax-related fraud causes billions of dollars of financial harm, but tax fraud assistance may or may not be included in identity theft protection products. For comprehensive coverage, an identity theft protection service must include tax fraud assistance.

What is tax fraud?

Instances of tax fraud could involve…

  • Phone scams where thieves pretend to be the IRS calling for money or information
  • Phishing scams where fraudsters send fake IRS emails or set up unsolicited websites to get money or information
  • Criminals using false information or a taxpayer’s stolen information to file fraudulent tax returns, thereby getting the victim’s refund
  • Dishonest tax preparers who defraud their clients with false deductions, inflated expenses or the like

How common is tax fraud?

Every tax season – and all the months in between – the U.S. Treasury Inspector General for Tax Administration (TIGTA) deals with dishonest tax-related schemes. The TIGTA has received well over 90,000 complaints about IRS phone scams and found that victims have lost approximately $5 million.

In 2013, the Federal Trade Commission (FTC) received 1,455,146 identity theft complaints – a third of which stemmed from tax-related fraud. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were also tax-related.

Fake tax returns cause problems, as well: $4 billion of tax refunds went to fraudsters after they sent in fake tax returns to the IRS.

How do identity theft protection plans address tax fraud?

Unfortunately, not many products provide services specifically geared toward preventing tax fraud. Common features, like credit monitoring, are less likely to catch these kinds of crimes because tax information is not connected to the main credit activity being monitored.

Another reason for lack of tax fraud assistance could be strict limitations on a third party’s ability to communicate with the IRS. The IRS requires that anyone communicating with it on a victim’s behalf must have IRS-approved credentials (e.g. enrolled agent, certified tax preparer or certified public accountant).

The upkeep of a tax fraud assistance division can get expensive, as well. A significant amount of time and money are needed for finding approved specialists, giving them the time to work through each case and maintaining the correct credentials. Some certifications involve continuing education, periodic renewal fees that can really add up and purchasing and maintaining a tax preparer bond in the thousands of dollars.

Despite limited capabilities to detect that a member is a victim of tax fraud or act on a victim’s behalf with the IRS, a specialist could still assist victims by guiding them on what to do next and giving them the necessary resources to carry out the steps themselves.

How can you avoid tax fraud?

First, whether it’s on your own or through an identity theft protection plan, tap into resources about how to avoid victimization. For example, learn how to pick a reliable tax preparer and how to handle tax documents with confidential information.

Second, make sure your protection plan includes Social Security number (SSN) monitoring because your SSN is a key piece of information that the IRS uses to confirm your tax return actually came from you. In some instances, if a taxpayer’s SSN is at risk, the IRS will issue a special PIN number that differentiates the taxpayer’s real tax return from the thief’s fake ones.

Third is tax fraud assistance, which provides access to professionals who will help victims report the crime and address the resulting issues. Victims of tax scams deal with the same burden of significant financial losses and rebuilding reputations that accompany any other kind of fraud. Support from people who are familiar with both the tax system and identity theft recovery will give victims direction and help them take action.

Taxes are already frustrating for many, so adding the problem of identity theft only aggravates the situation. The statistics prove that tax fraud is relevant and must be taken into account when building security against identity theft and fraudulent activity.

7 Stakeholders for Cyber Risk

Imagine you’re the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you’ve passed on before. You send the information – and later find you were the victim of a sophisticated cyber-attack.

Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.

These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone – from individual employees to risk managers to your board of directors – now has a stake in managing cyber risk comprehensively, across the enterprise.

Following are seven key stakeholders to consider as you look at your cyber risk management strategy:

  1. Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
  2. CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office’s sensitive information.
  3. CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies’ top leadership to be engaged on the issue.
  4. Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
  5. Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
  6. Human resources/employees: Simple errors – or deliberate actions – by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
  7. Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.

Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.

To participate in a webcast on how to assess cyber risk, click here.

No Vaccine for Social Media Theft

Whether you are new to college, single and dating or newly divorced (because you panicked and confessed when news of the Ashley Madison hack hit the media), I’ll bet there is at least one socially transmitted disease you haven’t started worrying about: identity theft.

If you use Facebook, you’re making easy work for identity thieves. The same goes for the whole cosmos of social media whether you favor Twitter, Instagram, Reddit, Pinterest, YouTube or LinkedIn or prefer to Tumblr your thoughts, preferences and predilections to anyone who cares to know what they are. The more you put out there in publicly viewable spaces, the more your personal identity mosaic is exposed. An identity thief’s day job is piecing together that mosaic into a passable, or usable, version of you: one that will get through the authentication process of financial, medical or governmental organizations.

The echo of another kind of disease here is intentional. Like the more widely known kind of STD, the socially transmitted diseases that fall under the rubric of identity-related crimes are contracted by unsafe personal information practices. Unlike the more familiar variety, where safety is taught in high school, tacked to college community boards and heralded by countless other media new and old, not as many people these days know how to stay as safe as possible from the threat of identity theft, especially online.

How to practice “safe social”:

  1. Don’t overshare. It’s okay to let the world know you’re on vacation so long as you have a great security system at home or you have a house sitter. Traditional trespassers use social media to know when houses are unguarded. It is far better to share the memory than report the experience as it’s unfolding.
  2. Be careful when posting pictures. While it’s fun to brag about a purchase—whether that be a diamond ring, a car or the smartest TV on the market, just be aware that anyone following you now knows where they can get your newest trophy or indulgence for free.
  3. Geotagging is for victims. There is no upside for you here. Companies like geotagging photos and other people-powered media assets because it gives them bankable information that could lead to future sales. Whether you are letting Twitter or Facebook or FourSquare narrowcast (or broadcast, depending on your privacy settings) your location, failure to disable location services on your device permits geotagging, which also gives thieves bankable info that could lead to future crimes.
  4. Know your privacy settings. Make sure you understand how your posts are being displayed or distributed by the social network you use. For instance, on Facebook you can set a post to “Public” or “Only Me,” with many choices in between.
  5. Lying is good. Facebook, especially, is a perfectly acceptable place to not be forthcoming about your age, hometown, place of employment or even the college you attended and what years you were there. Identity thieves comb social sites for information to complete dossiers of personally identifiable information that will allow them to correctly answer security questions and thus open new financial accounts or empty existing ones. If you don’t want to actively fabricate answers to these questions, just don’t fill out those parts of your profile.
  6. Beware of quizzes that require personally identifiable information. Make no mistake, your email address and name count.

There is no immunization

Unlike the other kind of STD, the socially transmitted disease of identity theft is not avoidable. There is no immunization, no safe way to avoid it—not even complete abstinence. There have been too many breaches with too much data for anyone but those living entirely off the grid to be completely safe. (And even still you can’t be sure.)

Your best bet, in my opinion, is a system detailed in my book (forthcoming in November). A key element to that approach is acceptance. Specifically, you need to come to terms with the fact that it’s no longer a question of “if” but “when” you will become a victim of at least one type, if not multiple types, of identity theft. Anyone who tells you that they can keep you from getting got is selling snake oil. In fact, they are running afoul of the Federal Trade Commission. There is no guarantee. There are, however, best practices.

THE THREE M’S

If you accept the basic premise that you are at risk for identity theft no matter what you do, here are some thoughts as to how you might stay as safe as possible. The good news may actually be that you are a seasoned and intelligent user of social media, because that means you already have several of the habits in place that you will need.

Minimize your exposure

The same strategies you can adopt to make yourself a harder-to-hit target on social media go for the rest of your life. Whether that means saying “no” when asked for your Social Security number, limiting the amount of sensitive personal information you provide to anyone who contacts you, making sure all your accounts (email, social networking, financial or retail) have different user names paired with unique, long and strong passwords, properly securing your computers and mobile devices or freezing your credit—there are a variety of things you can do to make your attackable surface smaller.

Monitor your accounts

If you use social media regularly, you are used to checking in on a regular basis—the Pew Research Center found that 70% of Facebook users check in daily, as did about half of Instagram users, and nearly 40% of Tweeps. The same behavior, applied to your financial life, may keep you from getting got … or help you undo or minimize the damage in case you do. Check your bank and credit card accounts daily. Other things you can do include signing up for free transactional monitoring alerts at your bank, credit union or credit card provider, or purchasing more sophisticated credit and noncredit monitoring programs.

Manage the damage

When the dark day comes that your daily practice of monitoring your credit or financial life yields a compromise, you need to get on it immediately by informing the institution of the account that is involved, as well as law enforcement and the fraud department of at least one credit reporting agency. Because many insurance companies, a number of financial services organizations and the human resources departments at a number of companies offer complimentary or low-cost identity theft assistance as a perk of your relationship with the institution, check to see if you are covered or, if not, how you can get covered. Resolution experts can greatly help you speed your way back to normalcy.

Identity theft is a permanent threat. The best way to stay safe is to change your behavior. The above tips are only some of the ways to do that. In the age of universal data vulnerability, practicing safe information hygiene is a must—lest you contract the one STD that may haunt you for the rest of your life.