NU Online News Service, April 20, 3:14 p.m. EDT
The security breach of Epsilon’s customer database stirred up a hornet’s nest of attention earlier this month, with calls for a federal investigation by Sen. Richard Blumenthal (D-Conn.), but an insurance broker says this could be just the beginning of a long road of liability exposure.
On April 1, the Dallas-based e-mail marketing firm revealed that there had been an unauthorized entry into the company’s e-mail system.
The company said in a statement on April 6 that information stolen was limited to “e-mail addresses and/or customer names only.” No other data was compromised, the company said.
The affected clients “represent approximately 2 percent of Epsilon’s total client base.”
The company has not released an exact figure for how many individuals could be affected by the breach, but Kevin Kalinich, national managing director of Aon Risk Solutions’ financial services group, indicates that the number could be in the thousands. The concern, he explains, is that even a small piece of data in the hands of unscrupulous data professionals could expose individuals to online scams or theft.
To compound the issue, it could be six months to a year or more before the thieves, if they were in fact thieves, begin using the exposed data, he says.
The typical online scam involves a random e-mail informing an individual that they have won a lottery or requesting help with a money transfer, explains Kalinich. Usually there is a request for the individual to send money to help the process along. Of course, all the scammers are doing is cheating people out of their money.
However, explains Kalinich, with a limited amount of information thieves can target specific people, making the scam e-mails look authentic.
In some cases, a very sophisticated thief can use the information to guess at passwords and gain unauthorized access to a person’s online accounts, and the victim would never know until it is too late.
This has worried a number of very well-known corporations about their potential liability, says Kalinich, and it has produced a flurry of activity as those corporations seek to understand their exposure and what insurance coverage they have.
One of the steps these companies have taken is notifying customers of the breach. Not many states require such notification, notes Kalinich, but it is a necessary move if the companies want a liability defense should the thieves target the customers affected by the breach.
On its website, Epsilon has posted an advisory to visitors: “Epsilon recognizes the importance of privacy and security, and we remind consumers of precautions to help safeguard your information. Be cautious when clicking an e-mail link or attachment from an unknown sender. Do not provide personal information via e-mail. Use anti-virus and anti-spyware software, and update the software regularly.”
The number of companies involved in this breach could be around 50, and the number of customers may be in the hundreds of thousands, says Kalinich.
If there is a ray of hope for everyone affected, it is that no one has yet proved that the breach was in fact the work of someone trying to obtain personal information. There is a possibility that the breach was a prank and not a theft, he says.
Nevertheless, concern regarding potential liability remains, says Kalinich. One example he pointed to is litigation in which three banks were sued by three customers because the banks did not return the customers’ money to their accounts after thieves gained access electronically.
In that case, the banks’ customers were scammed, but the banks argued they should not be held responsible because the breach was the fault of the customers.
Kalinich says the banks in Michigan and Texas have had decisions in their favor, but the decisions are under appeal.
The number of litigants in that case is small, he notes, but the potential with the Epsilon case could be huge if thieves are successful in scamming a lot of customers.
If nothing else, this is a learning experience for the provider, corporations and insurers, says Kalinich.
“Every time there is an incident it is an education for everyone to improve their awareness and abilities to protect,” he explains.
Corporations will probably reconsider their use of third-party marketers, and both companies and brokers will re-examine their information-technology insurance coverage to make sure it covers an incident like this.
“That can be a productive dialogue,” he notes.
“This is a dynamic issue,” observes Kalinich. “This is still just the tip of the iceberg and it could be six months before we know anything more. The good guys will figure out what to do and adjust, but the bad guys will figure out new ways to get around their security. The more we know, the better the protection will be. This is not a static issue.”