Identity theft protection benefits and the business case for employers

With identity theft in the news constantly, many employees are turning to their employers to ask for an identity protection benefit.

Let us focus on productivity and wellness. Identity theft can wreak havoc on an employee’s personal and work life. According to SANS Institute, it takes an average of six months and up to 200 hours of personal time to resolve issues related to the theft. This includes hours spent calling banks and credit card companies, filing police reports, notifying the Social Security Administration, and alerting credit bureaus. Most of these calls and follow-up activities must be made during business hours. According to ITRC’s latest study, 22% of respondents took time off work when dealing with issues of identity theft.

Identity theft also impacts wellness and mental health. According to the ITRC study, 75% of respondents reported that they were severely distressed by the misuse of their information, and many sought professional help to manage their identity theft experience — either by going to a doctor for their physical symptoms or seeking mental health counseling.

These findings make it clear that identity theft directly impacts productivity and wellness. That is why comprehensive and compassionate restoration services should be a key element of any ID Protection plan offered by the employer.

Restoration services are the fixers in a comprehensive identity protection plan. For victims of identity theft, the restoration specialist will do the required work to restore the victim’s identity. Specialists make the calls during business hours, complete the necessary paperwork, and manage the process. They free up the employee to focus on their job, and alleviate the stress of dealing with the challenges of identity restoration.

There is a range of features to look for when evaluating restoration services across plans. Some plans only offer advice and information kits to guide members on what steps they need to take. Those services typically do not do the work for the member.

For plans that provide a full restoration process, consider if the plan provides victims with a dedicated restoration specialist as a single point of contact. Since the restoration process can take months or years, it’s best if a victim has a consistent person to speak with who knows the case and can provide periodic updates. Restoration services should be available 24/7 so victims can initiate the process immediately to lessen the damage. Plans should also provide multilingual specialists to best serve all members and handle all types of identity theft.

Although monitoring may alert individuals that they are victims of identity theft, the even greater value is in fixing the situation. Be sure to fully evaluate the restoration features of an identity protection plan as part of the selection process.

SOURCE: Hazan, J (31 August 2018) "Identity theft protection benefits and the business case for employers" (Web Blog Post). Retrieved from

Regulatory clarity makes ID protection a more attractive employee benefit

Identity theft is the fastest growing crime and consumer complaint in America, and benefit industry experts say concerned employees are seeking protection as an employer perk more than ever. New regulatory certainty about how identity theft protection benefits are taxed could increase the popularity of the benefit as an employer offering.

More than 13 million Americans fall victim to identity theft every year, which means every three seconds someone's identity is stolen. Increased concern about the crime has individuals clamoring for identity theft protection benefits. How that benefit would be taxed, however, had been a topic of some debate in the benefit industry, with some employers eager to offer the benefit but concerned about the impact on employee income taxes.

In its Dec. 30 announcement, the IRS said it will allow preferential tax treatment for employer-provided identity theft benefits, despite the absence of a data breach. Generally, all benefits provided to an employee by an employer must be treated as income, unless the Code provides an exclusion. Previous guidance from the IRS created an exclusion for identity protection services, but only after a breach and only for individuals whose personal information might have been compromised.

The IRS’s latest announcement notes that several commenters requested guidance regarding the tax treatment of identity protection services provided before a data breach. According to the commenters, these services are being provided with increasing frequency in order to allow early detection of data breaches and minimize the impact of breaches when they occur. In response, the IRS has concluded that its previous guidance should be extended.

“The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals,” the guidance states.

Any further guidance on the taxability of these benefits will be applied prospectively, it adds.

“This guidance is welcome news for employers that want to offer identity protection services to employees as part of their data security strategy. They may now offer these services without increasing their (or their employees’) federal tax liability. However, employers should be mindful of state and/or local tax laws as they may differ from federal tax law,” according to Tzvia Feiertag, a senior associate in the Labor & Employment Law Department of the global law firm Proskauer.

The preferential tax treatment does not apply to cash received in lieu of identity protection services or to proceeds received under an existing identity theft insurance policy, the guidance says.

The Most Dangerous Identity Theft Threat

Originally posted by Adam Levin on August 6, 2015 on

Last weekend, TheUpshot published the most dangerous identity theft threat: the non-expert's tendency to underestimate the magnitude of the problem. The piece in question argued that the consequences of most identity theft have been exaggerated (by identity theft experts like me), and that, "only a tiny number of people exposed by leaks end up paying any costs."

The main source for TheUpshot's argument seems to be the 2015 Identity Fraud Report (covering data from 2014) published by Javelin Strategy and Research, which found a dramatic increase in account takeovers (i.e., when a fraudster is able to get through the authentication process on an existing credit account and make charges) but an overall decrease in the amount of money lost to identity-related fraud.

To think that the 2015 Javelin report minimizes the threat of mega data breaches to consumers is to misread it. To suggest that the threat is overstated is both simplistic and harmful to consumers. The article focuses too much on account takeover resulting from big-name hacks like Target (a very common form of identity theft). Meanwhile, it gives nowhere near enough attention to the very real and long-lasting effects of more serious forms of identity theft - the kind that's committed using Social Security numbers - and the equally big-name hacks like Anthem, Premera, and the Office of Personnel Management that exposed millions of records containing that data.

The Buck Doesn't Stop With the Bank

TheUpshot dismisses the consumer cost of most data breaches (beyond lost time and annoyance) because "several laws protect consumers from bearing almost any financial losses related to hackers." TheUpshot continues, "...banks and merchants, like Target, must bear the cost. But even their losses have been dropping in recent years, as data security experts have learned new strategies to prevent intrusions from turning into theft."

First of all, banks do not bear all the costs if they can help it. They pass it along to the company that caused the problem in the form of fines and penalties, and in some cases the company is only alleged to be the cause of the problem. It is very hard for small businesses to fight card companies on these charges. So when it happens, it can be a near extinction-level event, or force price changes. And, of course, that cost often manifests itself at the consumer level.

Additionally, according to at least one recent report, the cost of a data breach to businesses has not been going down, as stated by TheUpshot. On May 27, IBM and the Ponemon Institute jointly reported the cost per breached record had increased by 12% over the preceding year, from $145 to $154, and that the average total cost of a data breach to an enterprise rose a not inconsiderable 23% to $3.79 million.

And it bears repeating: While it's all very populist and fair-weather foppery to say that companies like Target and Home Depot can foot the bill of a breach, the same cannot be said of smaller businesses--after all, breaches are not confined to big companies.

5% Is a Huge Number

TheUpshot's big reveal: "The more troubling identity theft, in which new accounts are opened in an unsuspecting person's name, make up only 5 percent of the total figure given by Javelin."

To the uninitiated eye, 5% sounds like a small number. But it's missing context.

"Although we have no data to support what percentage of breaches turn into identity theft cases," according to Brent Montgomery, Fraud Operations Manager at my company IDT911, "5% is a lot."

In 2014 there were 12.7 million identity fraud victims, according to Javelin. Just 5% of that total is 635,000 consumers--hardly a negligible number.

Montgomery then highlighted the essence of the problem here: "There are so many breaches on a daily basis that information can be pieced together from one breach to another giving a criminal all they need to complete the puzzle."

TheUpshot fails to account for the long tail of identity theft--the fact that scams are pieced together using data harvested from countless individual and corporate compromises oftentimes sold and resold on the data black market. A scam that happens today may use data that was compromised three years ago--especially when Social Security numbers are involved since their only expiration date is when the holder of those nine digits expires.

Another problem with using the Javelin report is that the data is extrapolated from a relatively small sample of the population, whereas the Federal Trade Commission's Consumer Sentinel Network Data Book for January-December 2014 is driven by hundreds of thousands of pieces of consumer-reported data. That matters here because on page 13 of the Sentinel report, you will find a higher incidence of new account creation (12.5%) than fraud on existing accounts (4.9%).

There Are Very Serious Identity Theft Threats

While instances of new account fraud and some signs of existing account takeover can show up on your credit reports (you can get them for free once a year), other types of identity theft are less detectable - until they really cause damage. Of greater concern is what does happen to consumers whose information falls into the wrong hands--specifically their most sensitive information. Mentioned nowhere in the article is tax fraud, a crime that is most definitely on the rise and cannot be resolved easily or quickly (think: 6-12 months). Equally absent in this Panglossian take on what really is an identity theft epidemic: medical identity theft, which is extremely difficult to detect, equally difficult to resolve and can have potentially life-threatening consequences.

The bottom line is that while it's easy to dismiss identity theft experts as being the equivalent of "the soap company that advertises how many different types of bacteria are on a subway pole without mentioning how unlikely it is that any of those bacteria would make you sick," it is irresponsible to downplay the various serious risks now facing millions of Americans whose most sensitive personal information has been exposed in the breaches of Anthem, Premera, Sony Pictures and the Office of Personnel Management, to name a few. The threat for them is very real, and long-term--perhaps a lifetime.

Identity-theft protection benefits boost business, satisfaction

Originally posted January 20, 2015 by Melissa A. Winn on

With employee news feeds brimming with headlines about recent computer hacks and data leaks, employers are showing a growing interest in offering identity theft protection services as a benefit to their worried workforce. Benefit industry experts say the relatively inexpensive voluntary benefit is not only highly appreciated by employees, but it can also act as a differentiator in a benefit adviser’s sales portfolio.

Employer concern about employee identity theft has been on the uptick recently, says Nick Park, voluntary benefits specialist at Corporate Synergies. “It has definitely been a topic of conversation more in the last year,” he says.

Identity theft fraud claims a new victim every two seconds, according to the 2014 Identity Fraud Report issued by financial research firm Javelin Strategy and Research. The Bureau of Justice Statistics, the government research agency for the Justice Department, found that 16.6 million American adults experienced identity theft in 2012 alone.

“In a group of 10 people there’s always at least one or two people who have a personal experience with an identity theft situation in some form or fashion,” says Kelly Fristoe, president and CEO of Financial Partners in Wichita Falls.

Fristoe sells the identity theft product LifeLock, which can be sold to individuals or offered to groups as a value-added voluntary or employer-paid product.

“[T]here are agents I know that do sell a ton of it,” he says. “Theirs and my experience is that it is a high-value product.”

While some employers choose to add identity theft protection services as a new benefit offering in their voluntary benefit package during annual open enrollment, Park says employers have also approached his firm for information on the benefit throughout the year, particularly if somebody in the organization suffers from an identity theft.

“They don’t want that to happen to any other employee in their organization,” he says.

Employees rely on their employer for “a host of financial needs: planning for retirement, protecting against the costs of health care, or even accidents and illness; not to mention, their paycheck. Identity theft can represent a threat to all aspects of financial security and is right in line with benefits [employer clients] can offer their employees,” according to identity theft protection services provider LifeLock.

Employee satisfaction

“It is a ‘nice to have’ benefit,” says Park. “I don’t know if it would be considered a necessity at this point, but employees like it.”

The monthly premiums are usually pretty affordable, he says and the benefit “typically has very little dissatisfaction once you have placed it in the employee population,” says Park. “It’s not something I hear negative feedback on ever.”

For benefit advisers, identity theft protection can be a good differentiating benefit offering, and “is a simple tool to give your clients satisfaction.”

With some insurance products there is a risk, he says, but not so much with identity theft protection.

“Sometimes, when you introduce a product to an employee population it may be complex or confusing and people don’t understand it, they don’t understand the coverage type. [Identity theft protection] is something everybody understands,” says Park.

Top 3 voluntary products poised for takeoff in 2014

Originally posted January 06, 2014 by Caitlin Bronson on

As small businesses and individuals consider their healthcare strategies within the context of the Affordable Care Act, several industry research bodies suggest voluntary benefits and services will emerge as a boom market for producer sales in the next five years.

According to the Towers Watson 2013 Voluntary Benefits and Services Survey, the importance of voluntary products in a company’s rewards strategy will grow 27% in that timeframe, while nearly 90% of producers surveyed by Eastbridge Consulting Group said they expect sales of voluntary benefit plans to increase.

While the most common voluntary products like vision, dental and disability will continue to see stable sales, Towers Watson said the following three are the ones to watch in 2014.

If you’re not already offering these plans, now may be the time to make a concentrated push for clients looking to expand their rewards strategy in a cost-effective way.

Critical Illness

Small businesses with fewer than 50 employees are not required to offer employee medical coverage under the Affordable Care Act, but many are looking to provide some sort of benefit plan to attract and retain quality workers.

As such, Towers Watson expects affordable medical benefits like critical illness or accident insurance to increase in sales in the upcoming two years. In a survey of small business employers, Towers Watson found 8% plan to introduce a critical illness plan in 2014 and another 13% are considering such a plan in 2015.

Accident plans are already popular, but another 9% of survey respondents said they are considering adding one by 2015.

This tallies with the experience of Tye Elliott, vice president for core broker sales with Aflac.

“Critical illness and accident plans have been thought of as secondary, but that’s not the case anymore,” Elliott said. “Small businesses want to invest in their employees, but they want to do it practically. At a very small out-of-pocket cost, [critical illness benefits] are amazing in terms of the loyalty that builds among your clients.”

Financial Counseling

Nearly 20% of small businesses told Towers Watson they were considering adding financial counseling benefits within the next two years, particularly during this fall’s 2014 enrollment season.

Towers Watson expects employers will want to increase workers’ retirement and personal finance knowledge as the burden of financial planning falls increasingly to individuals, who pay as little as $5 to $20 a month for such benefits.

Financial counseling can even be paid solely by employees through payroll deferral, meaning no cost for employers and increased ease and peace of mind for workers.

Identity Theft Protection

With widely publicized cyber breaches like the ones that afflicted Target and Snapchat this holiday season, identity theft protection is going to be a hot item in 2014.

In fact, a recent poll from LifeLock indicated nearly 60% of producers have fielded requests from commercial clients on identity protection benefits.

Like other voluntary packages, identity theft protection is available at a generally low cost to employers. Average coverage ranges from $7 to $20 a month, with most policies offering coverage of up to $1mn.

Greg Meyer of N.C.-based Worksite Benefit Advisors said the real market for producers is in small- to medium-sized businesses, as larger employers are often targeted directly by vendors. An effective pitch from an educated agent could do wonders.

“Brokers really need to show employers the impact that ID theft plays on lost productivity caused by ID theft of an employee,” Meyer said. “If you have an employee whose identity is stolen on the road, this not only impacts that company’s corporate credit card account, it impacts productivity because the road warrior will be off the road coping with the stress and drama that goes along with trying to recover and recoup his or her credit.”

According to Towers Watson, 20% of small businesses are considering adopting identity theft protection policies by 2015.

Data Breach? React to the Attack

By Matthew A. Cebrian and Brittany W. Yang
Source: Law Technology News

In today's digital economy it is virtually impossible for an enterprise to conduct business without collecting, holding, or storing personally identifiable information -- names and addresses, Social Security numbers, credit card numbers, or other account numbers -- of customers, employees, business partners, students, or patients. Moreover, given recent cyberattacks against Sony, LinkedIn Corp., eHarmony Inc., and Wyndham Hotels, it seems that such attacks are on the rise. While there is relatively little an attorney can do to thwart the malicious keystrokes of a hacker, she can take steps to ensure her clients are prepared to react to an attack. There are a number of state and federal regulations that mandate that certain steps be taken both before and after a data breach, and failing to comply with these requirements could result in substantial liability, as well as a public relations nightmare. A recent lawsuit filed in the U.S. District Court for the Northern District of California raises questions as to whether mere compliance with California's privacy laws will act to insulate businesses from liability in the event of a breach.

Effective on July 1, 2004, the California Online Privacy Protection Act of 2003 (California Business and Profession Code §22575 et seq.) requires each owner of a commercial website or online service to conspicuously post its privacy policy on its website if it collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its website or online service. As to online services, the policy must be made available by reasonably accessible means for consumers of the online service.

This act is applicable to any individual or entity (corporation) that owns a commercial Web page or an online service that collects and records confidential personal information from an individual living in California, visiting such Web pages. This act, however, is not applicable to ISPs or similar entities who record data upon request from a third party.

Under OPPA, confidential personal information, collected online, includes first and last names, a street address, an email address, a telephone number, a Social Security number, or various other data which allows the tracking of a user. Personally identifiable information can include date of birth, height, weight, etc., when this information is recorded and stored online by the operator in combination with one of the above identifiers. An individual user is one seeking to or acquiring goods or services, money or credit for himself, his family, or his household.

OPPA is enforced through California's unfair competition law (California Business and Profession Code §17200 et seq.), which provides for civil fines and injunctive relief and may, in certain instances, allow for the recovery of attorney fees. The upside for those who may face liability stemming from a violation of OPPA, or security breaches generally, is that to a large extent, plaintiffs have not succeeded, and courts usually have dismissed the cases because the suing individuals failed to state legally cognizable claims for damages. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). Thus, while a plaintiff may be able to establish a violation of the statute, his ability to recover is somewhat limited by the lack of a cognizable loss.

On Feb. 22, the attorney general of California and a collection of companies in the mobile app business (namely Amazon Inc., Google Inc., Apple Inc., Hewlett-Packard Co., Microsoft Corp., and Research in Motion Ltd.) adopted a Joint Statement of Principles, in which the AG announced its opinion that OPPA requires mobile apps that collect personal data from California consumers to conspicuously post a privacy policy. With the Joint Statement, the signatories announced their efforts to develop principles that would foster innovation in privacy protection, promote transparency in privacy practices, and facilitate compliance with privacy laws in the mobile arena. However, the principles identified are not intended to be legally binding on the companies. They center on integrating the OPPA requirements on mobile apps that are not traditionally thought of as websites or "online services." OPPA's application to mobile apps could be a harbinger of liability for developers, but strategic counsel might take the position that voluntary compliance might help to minimize social outrage in the event of a security breach.

California was the first state to adopt a law requiring consumers to be notified in the event of a data security breach. The Data Protection Act, or SB 1386, was enacted in 2002, and became effective July 1, 2003. Not surprisingly, since 2003, at least 46 states have adopted similar laws.

SB 1386 requires businesses to disclose breaches to affected persons "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

Section 1798.81.5(a) provides: "A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure."

Section 1798.82(a) of the act states a "person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

For purposes of this statute, "personal information" is defined as "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account, (4) medical information, or (5) health insurance information." Notably, §1798.84(b), provides for the right to bring a civil action for violating §1798.82.

The act does not define what constitutes "reasonable security measures," instead requiring that such measures be commensurate with the type of data being maintained by the business. While this might suggest the law requires businesses keep abreast of current encryption practices, the law itself only applies to unencrypted information. Assuming counsel advise their clients to include encryption as part of their risk management strategy, SB 1386 is a lot of bark without any bite. That said, a recent suit filed against LinkedIn suggests that even encryption software will not prevent liability in the event of a breach.

On June 15, a class action was filed against LinkedIn seeking in excess of $5 million following a security breach. According to the suit, on June 6, a list of approximately 6.5 million encrypted passwords retrieved from LinkedIn's database was publicly posted online by hackers. While the passwords were indeed encrypted, the lawsuit alleges the encryption technology used was outdated and not in accordance with conventional data protection methods. As part of LinkedIn's OPPA-mandated privacy policy, LinkedIn represented to its users that it would implement "industry standard protocols and technology" to protect its users' information. According to the lawsuit, LinkedIn's security measures ran afoul of this representation and thus exposed them to liability. The complaint includes causes of action for violations of California Business and Profession Code §17200, breach of contract, negligence, and others.

Given the amount of information that is collected by virtually any commercially viable company in today's economy, and the rising frequency of attacks mounted by hackers, it is imperative that businesses and their counsel take steps to stay abreast of the applicable privacy laws and formulate comprehensive risk management policies to combat this growing threat.