Helping public companies and their suppliers deliver better and more cost-effective programs since 1994

Data Security… Maybe The Hottest Topic Around These Days: What Should You Be Asking About… And Doing?

IT’S HIGH-TIME YOU RE-CHECKED THE DATA-SECURITY AT YOUR VENDORS, the Optimizer warned, in our second-quarter 2005 issue, following a truly startling cluster of major data-breaches at companies like BofA, Choice Point, Citicorp and Wachovia…and where we offered a long checklist of points to check on.

Most of our warnings appear to have fallen on deaf ears: By August of this year, the number of publicly-disclosed data-breaches, year-to-date, had already surpassed the number for all of 2007 - with 449 as of August 22, vs. 446 for all of ’07, according to the Identity Theft Resource Center. And this, as a recent WSJ story pointed out, probably understates the real number to a big degree: Some businesses are excluded from reporting rules in the 44 states that have them; some need to disclose data breaches only when they have a ‘good reason’ to expect the stolen data might be used to commit a fraud. And many data breaches go unreported, the article speculated, because the penalties for non-reporting are often minuscule, relative to the costs of investigating and remediating a data breach.

And in a move that has really set the issuer community - and the supplier community in general - a’buzzing…after announcing in May that 4.5 million investors were affected by a data breach, The Bank of New York Mellon later reported that over 12 million shareholder records were involved, when “In late February, one of ten boxes of back-up data storage tapes was discovered missing from a third-party archiving vendor responsible for transporting the tapes…[which] included shareholder and plan participant account information, such as name, mailing address, Social Security number, and transaction activity.” BNY Mellon took a $22 million charge in the second quarter to provide credit monitoring and fraud insurance for the affected shareholders, and will spend at least another $10 million, we’d estimate, to notify the affected parties and to deal with the blowback.

In a rather ironic ‘twist’, the State of Connecticut’s Attorney General put out a big and threatening-sounding press release about the BNY-Mellon incident (“I am appalled and outraged”…it began)… and published it on the very same webpage that reported that ITS fraud-protection plan had accidentally lapsed, but now was A-OK. The plan was designed, the web-page noted, to protect State residents after a Department of Revenue laptop with taxpayer info was stolen. (A HUGE data-security no-no, we’d note, as our earlier article also did, to allow such stuff on laptops).

So readers…if you STILL think this kind of thing could not happen to you, here’s another heads-up we gleaned at a recent Wells Fargo Shareowner Services Client Conference: There has been a HUGE increase in ACH fraud at transfer agents and other shareholder service providers… with losses being experienced due to identity theft now averaging $200,000 a quarter at the Wells unit alone… So multiply this by at least ten times to estimate losses by the industry as a whole.

Some current “hot scams” to be alert to if you are a public company, a provider in that space, or a shareholder yourself:

The biggest scams these days seem to revolve around DSPPs – where fraudsters establish accounts and buy stock over T-A websites, charge the funds to an ACH account that belongs to someone else, sell the shares and disappear before the missing money is discovered by the ACH account’s real owner.

Other scamsters steal account info – maybe from the mail, or from the trash – or maybe via hacking into or stealing info from the agent, or from one of the agent’s agents – then change the address on-line, then make an online sale – or cash the dividend check - and abscond.

Speaking of agents – and of agent’s agents – please don’t forget our frequent warnings about employees (sometimes your own) who steal abandoned property directly, or by masquerading as the “lost holder”, using info carelessly imparted to, or carelessly monitored by, or even stolen by “bad vendors” or their “bad employees”…or by their bad vendors.

Phishing scams are another fast-growing phenomenon… Especially worrisome, we’d say, when shareholder info falls into the wrong hands…and where the victims might find their way back to YOU, as the entity that had a higher duty to protect such info. Recently, the Financial Industry Regulatory Authority (FINRA) warned about scamsters who are contacting buyers of stocks that have experienced big losses, offering to help them get money back…after paying an “administrative fee”. We ourselves recently experienced a raft of notices asking us to log in to protect the “safety and integrity” of our online accounts (which we didn’t have with any of them, btw) from e-mailers purporting to be from Abbey National Bank, HSBC and Lloyds Bank – all of them trying to phish up our Social Security numbers, account numbers and/or PINs – and all of them arising, we think, from a visit we made to a probably illegitimate “Lloyds Bank” site, where someone “snuck us a cookie”…and sold our e-mail address as “likely shareowners with online accounts” to scamsters.

Frauds vs. family members are still favorite family pastimes too, the WFB expert told us – where one or two heirs may keep cashing a decedent’s check, maybe by having the same name as Dad, Mom or Uncle Sol to begin with, or maybe just forging the endorsement.

And theft of corporate and corporate-agent checks is still going strong, we were somewhat surprised to learn, and the thieves are mighty sharp. It took only 3 months, the WFB expert said, before the signature of the Shareowner Services unit’s new CEO began to show up on counterfeit WFB checks! (Here, of course, the money is usually lost by the bank that cashed the check…as long as your own cash management and monitoring procedures are up to speed, that is.)


For starters, whether you are a corporate issuer OR a supplier to issuers, read or re-read the ten tips in our 2005 article… with care. Call us at 732-928-6133 or email cthagberg@aol.com and we’ll fax or email you a copy. (If Mellon had read and acted on tip nine, we’re sorry to note - which we also expanded on in great detail in every RFP we’ve drafted for clients since then – they would have saved themselves some mega-millions…with minuscule expense to boot.)

If you are an issuer, remember that all shareholder records belong to YOU…and that ultimately, YOU are accountable. If there is a breach, it may not be enough to say, “We hired a vendor to handle that.”

Get the FACTS on FACTA…and look for suppliers with FACTA, or FACTA-like, compliance structures and procedures in place: Six federal agencies have adopted anti-identity-theft requirements covering financial institutions, creditors, credit and debit card issuers and users of consumer credit reports. The rules call for implementation of identity-theft prevention programs, including a list of “red flags” that will set off an investigation and require not just “reporting” but various kinds of “information-sharing” within and among such institutions. While your agent may not be officially covered by FACTA, they SHOULD have ‘red flags’ - when many accounts with similar profiles open in a short period, e.g. – and specific follow-up actions when specific red flags fly – like holding up stock sales and/or disbursements for a period following an address change, e.g.
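To make the two red flags just named concrete, here is an added example of what such screening logic can look like in practice. It is written for this article and is not drawn from FACTA, FINRA or any transfer agent’s system, and it runs over a constructed event log rather than real shareholder data. It implements a velocity check that flags several new accounts funded from the same ACH account within a short window (the DSPP pattern described earlier, where fraudsters charge purchases to someone else’s ACH account), and a hold on any sale or disbursement requested within a set period after an address change. The event format, field names and thresholds are assumptions for illustration; the velocity check also generalizes to any shared profile attribute, such as mailing address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; a real program would tune them.
OPEN_WINDOW_DAYS = 7      # window for "many accounts opened in a short period"
OPEN_THRESHOLD = 3        # similar openings inside the window that trip the flag
ADDRESS_HOLD_DAYS = 30    # hold sales/disbursements this long after an address change

# Constructed sample event log (no real shareholder data; ACH ids are made up).
# Fields: timestamp, account id, event type, detail dict.
SAMPLE_EVENTS = [
    ("2008-06-01 09:10", "A100", "OPEN", {"ach": "ACH-0001", "address": "12 Oak St"}),
    ("2008-06-02 14:20", "A101", "OPEN", {"ach": "ACH-0001", "address": "7 Elm Ave"}),
    ("2008-06-03 11:05", "A102", "OPEN", {"ach": "ACH-0001", "address": "9 Pine Rd"}),
    ("2008-06-20 10:00", "A103", "OPEN", {"ach": "ACH-0002", "address": "3 Main St"}),
    ("2008-07-01 16:30", "A200", "ADDRESS_CHANGE", {"address": "PO Box 77"}),
    ("2008-07-03 09:00", "A200", "SALE", {"amount": 18500.00}),
    ("2008-07-04 09:00", "A200", "DISBURSEMENT", {"amount": 18500.00}),
    ("2008-05-01 09:00", "A300", "ADDRESS_CHANGE", {"address": "5 Lake Dr"}),
    ("2008-07-15 09:00", "A300", "SALE", {"amount": 2000.00}),
]


def parse(events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, kind, detail)
              for ts, acct, kind, detail in events]
    return sorted(parsed, key=lambda e: e[0])


def opening_velocity_flags(events, key="ach", window_days=OPEN_WINDOW_DAYS,
                           threshold=OPEN_THRESHOLD):
    """Flag groups of new accounts that share one profile attribute (default:
    the ACH funding account) and were all opened within window_days."""
    opens = defaultdict(list)
    for ts, acct, kind, detail in parse(events):
        if kind == "OPEN" and key in detail:
            opens[detail[key]].append((ts, acct))
    window = timedelta(days=window_days)
    flags = []
    for value, rows in opens.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until all rows fit inside it
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flags.append((key, value, [a for _, a in rows[start:end + 1]]))
                break  # one flag per shared value is enough to open an investigation
    return flags


def post_address_change_holds(events, hold_days=ADDRESS_HOLD_DAYS):
    """Return (account, event type, date) for every sale or disbursement
    requested within hold_days after that account's latest address change."""
    last_change = {}
    hold = timedelta(days=hold_days)
    holds = []
    for ts, acct, kind, detail in parse(events):
        if kind == "ADDRESS_CHANGE":
            last_change[acct] = ts
        elif kind in ("SALE", "DISBURSEMENT"):
            changed = last_change.get(acct)
            if changed is not None and ts - changed <= hold:
                holds.append((acct, kind, ts.strftime("%Y-%m-%d")))
    return holds


def red_flag_report(events=SAMPLE_EVENTS):
    """Combine both checks into one report for the compliance reviewer."""
    return {"opening_velocity": opening_velocity_flags(events),
            "held_transactions": post_address_change_holds(events)}


if __name__ == "__main__":
    for section, items in red_flag_report().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed log, the velocity check flags accounts A100, A101 and A102 (three openings funded from ACH-0001 inside a week) and nothing else, and the hold check catches A200’s sale and disbursement two and three days after its address change while letting A300’s sale through, since that address change is more than 30 days old. A flag is a prompt for a human follow-up, which is the point of the FACTA red-flag model: the program decides what gets investigated, not who is guilty.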

It really IS high-time, this time, to re-inventory and to recheck any and all outsourcing arrangements that may be in place – again, whether you are a public company or a supplier - as our earlier article warned. “Trust”…of course…but also VERIFY what your vendors are saying and doing.

Check your insurance policies and those of all your suppliers… and their suppliers, we advise…

But also remember that even if the financial risks are well insured, the reputational damage can often be the biggest loss to your organization.

Lock down those “cookie jars” - or, better yet, make sure that neither YOU, nor any of your vendors, are collecting cookies in the first place…or if you must have ‘em, make sure the cookies can’t be swiped.

Do not delude yourselves into thinking that just because no frauds have occurred yet, following a data-breach, all’s clear. Today’s scamsters are smart enough to allow a fairly long cooling-off period before “hot merchandise” is sold into the marketplace.

Watch your own personal accounts with added vigilance (something we ourselves have preached more than practiced ‘til now, we must confess). In case you missed it, activist investor Guy Wyser-Pratte had almost $300,000 skimmed from his private banking account at JPMorganChase – by an online imposter who bought and sold computer equipment online, from Dell, before Guy noticed. JPMC says that, pursuant to their agreement, they’ll cover only the first $50k.