>> Hey, welcome back everybody, Jeff Frick here with The Cube. We're at Data Privacy Day 2018, I still can't believe it's 2018, in downtown San Francisco, at LinkedIn's headquarters, the new headquarters, it's a beautiful building just down the road from the sales force building, from the new Moscone that's being done, there's a lot of exciting things going on in San Francisco, but that's not what we're here to talk about. We're here to talk about data privacy, and we're excited to have a return visit from last year's Cube alumni, she's Eva Velasquez, president and CEO, Identity Theft Resource Center. Great to see you again. >> Thank you for having me back. >> Absolutely, so it's been a year, what's been going on in the last year in your world? >> Well, you know, identity theft hasn't gone away >> Shoot. >> And data-- >> I thought you told me it was last time. >> I know, I wish, and in fact, unfortunately we just released our data breach information, and there was a tremendous growth. It was a little over 1000, previous year, and over 1500 data breaches... in 2017. >> We're almost immune, they're like every day. And it used to be like big news. Now it's like, not only was Yahoo breached at some level, which we heard about a while ago, but then we hear they were actually breached like 100%. >> There is some fatigue, but I can tell you that it's not as pervasive as you might think. Our call center had such a tremendous spike in calls during the Equifax breach. It was the largest number of calls we'd had in a month, since we'd been measuring our call volume. So people were still very, very concerned. But a lot of us who are in this space are feeling, I think we may be feeling the fatigue more than your average consumer out there. Because for a lot of folks, this is really the first exposure to it. We're still having a lot of first exposures to a lot of these issues. >> So the Equifax one is interesting, because most people don't have a direct relationship with Equifax, I don't think. I'm not a direct paying customer, I did not choose to do business with them. But as one of the two or three main reporting agencies, right, they've got data on everybody for their customers who are the banks, financial institutions. So how does that relationship get managed? >> Oh my gosh, there's so much meat there. There's so much meat there. Okay, so, while it feels like you don't have a direct relationship with the credit reporting agencies, you actually do, you get a benefit from the services that they're providing to you. And every time you get a loan, I mean this is a great conversation for Data Privacy Day. Because when you get a loan, get a credit card, and you sign those terms and conditions, guess what? >> They're in there? >> You are giving that retailer, that lender, the authority to send that information over to the credit reporting agencies. And let's not forget that the intention of forming the credit reporting agencies was for better lending practices, so that your creditworthiness was not determined by things like your gender, your race, your religion, and those types of really, I won't say arbitrary, but just not pertinent factors. Now your creditworthiness is determined by your past history of, do you pay your bills? What is your income, do you have the ability to pay? So it started with a good, very good purpose in mind, and we definitely bought into that as a society. And I don't want to sound like I'm defending the credit reporting agencies and all of their behavior out there, because I do think there are some changes that need to be made, but we do get a benefit from the credit reporting agencies, like instant credit, much faster turnaround when we need those financial tools. I mean, that's just the reality of it. >> Right, right. So, who is the person that's then... been breached, I'm trying to think of the right word of the relationship between those who've had their data hacked from the person who was hacked. If it's this kind of indirect third party relationship through an authorization through the credit card company. >> No, the, Equifax is absolutely responsible. >> So who would be the litigant, just maybe that's the word that's coming to me in terms of feeling the pain, is it me as the holder of the Bank of America Mastercard? Is it Bank of America as the issuer of the Mastercard? Or is it Mastercard, in terms of retribution back to Equifax? >> Well you know, I can't really comment on who actually would have the strongest legal liability, but what I can say is, this is the same thing I say when I talk to banks about identity theft victims. There's some discussion about, well, no, it's the bank that's the victim in existing account identity theft, because they're the ones that are absorbing the financial losses. Not the person whose data it belongs to. Yet the person who owns that data, it's their identity credentials that have been compromised. They are dealing with issues as well, above and beyond just the financial compromise. They have to deal with cleaning up other messes and other records, and there's time spent on the phone, so it's not mutually exclusive. They're both victims of this situation. And with data breaches, often the breached entity, again, I hate to sound like an apologist, but I am keeping this real. A breached entity, when they're hacked, they are a victim, a hacker has committed that crime and gone into their systems. Yes, they have a responsibility to make those security systems as robust as possible, but the person whose identity credentials those are, they are the victim. Any entity or institution, if it's payment card data that's compromised, and a financial services institution has to replace that data, guess what, they're a victim too. That's what makes this issue and this crime so terrible, is that it has these tentacles that reach down and touch more than one person for each incident. >> Right. And then there's a whole 'nother level, which we talked about before we got started that we want to dig into, and that's children. Recently, a little roar was raised with these IOT connected toys. And just a big, giant privacy hole, into your kid's bedroom. With eyes and ears and everything else. So wonder if you've got some specific thoughts on how that landscape is evolving. >> Well, we have to think about the data that we're creating. That does comprise our identity. And when we start talking about these toys and other... internet connected, IOT devices that we're putting in our children's bedroom, it actually does make the advocacy part of me, it makes the hair on the back of my neck stand up. Because the more data that we create, the more that it's vulnerable, the more that it's used to comprise our identity, and we have a big enough problem with child identity theft just now, right now as it stands, without adding the rest of these challenges. Child and synthetic identity theft are a huge problem, and that's where a specific Social Security number is submitted and has a credit profile built around it, when it can either be completely made up, or it belongs to a child. And so you have a four year old whose Social Security number is now having a credit profile built around it. Obviously they're not, so the thieves are not submitting this belongs to a four year old, it would not be issued credit. So they're saying it's a, you know, 23 year old-- >> But they're grabbing the number. >> They're grabbing the number, they're using the name, they build this credit profile, and the biggest problem is we really haven't modernized how we're authenticating this information and this data. I think it's interesting and fitting that we're talking about this on Data Privacy Day, because the solution here is actually to share data. It's to share it more. And that's an important part of this whole conversation. We need to be smart about how we share our data. So yes, please, have a thoughtful conversation with yourself and with your family about what are the types of data that you want to share and keep, and what do you want to keep private, but then culturally we need to look at smart ways to open up some data sharing, particularly for these legitimate uses, for fraud detection and prevention. >> Okay, so you said way too much there, 'cause there's like 87 followup questions in my head. (Eva laughs) So we'll step back a couple, so is that synthetic identity, then? Is that what you meant when you said a synthetic identity problem, where it's the Social Security number of a four year old that's then used to construct this, I mean, it's the four year old's Social Security number, but a person that doesn't really exist? >> Yes, all child identity theft is synthetic identity theft, but not all synthetic identity theft is child identity theft. Sometimes it can just be that the number's been made up. It doesn't actually belong to anyone. Now, eventually maybe it will. We are hearing from more and more parents, I'm not going to say this is happening all the time, but I'm starting to hear it a little bit more often, where the Social Security number is being issued to their child, they go to file their taxes, so this child is less than a year old, and they are finding out that that number has a credit history associated with it. That was associated years ago. >> So somebody just generated the number. >> Just made it up. >> So are we ready to be done with Social Security numbers? I mean, for God's sake, I've read numerous things, like the nine-digit number that's printed on a little piece of paper is not protectable, period. And I've even had a case where they say, bring your little paper card that they gave you at the hospital, and I won't tell you what year that was, a long time ago. I'm like, I mean come on, it's 2018. Should that still be the anchor-- >> You super read my mind. >> Data point that it is? >> It was like I was putting that question in your head. >> Oh, it just kills me. >> I've actually been talking quite a bit about that, and it's not that we need to get, quote unquote, get rid of Social Security numbers. Okay, Social Security numbers were developed as an identifier, because we have, you can have John Smith with the same date of birth, and how do we know which one of those 50,000 John Smiths is the one we're looking for? So that unique identifier, it has value. And we should keep that. It's not a good authenticator, it is not a secret. It's not something that I should pretend only I know-- >> Right, I write it on my check when I send my tax return in. Write your number on the check! Oh, that's brilliant. >> Right, right. So it's not, we shouldn't pretend that this is, I'm going to, you, business that doesn't know me, and wants to make sure I am me, in this first initial relationship or interaction that we're having, that's not a good authenticator. That's where we need to come up with a better system. And it probably has to do with layers, and more layers, and it means that it won't be as frictionless for consumers, but I'm really challenging, this is one of our big challenges for 2018, we want to flip that security versus convenience conundrum on its ear and say, no, I really want to challenge consumers to say... I'm happier that I had to jump through those hoops. I feel safer, I think you're respecting my data and my privacy, and my identity more because you made it a little bit harder. And right now it's, no, I don't want to do that because it's a little too, nine seconds! I can't believe it took me nine seconds to get that done. >> Well, yeah, and we have all this technology, we've got fingerprint readers that we're carrying around in our pocket, I mean there's, we've got geolocation, you know, is this person in the place that they generally, and having 'em, there's so many things-- >> It's even more granular >> Beyond a printed piece of >> Than that-- >> paper, right? >> It's the angle at which you look at your phone when you look at it. It's the tension with which you enter your passcode, not just the passcode itself. There are all kinds of very non-invasive biometrics, for lack of a better word. We tend to think of them as just, like our face and our fingerprint, but there are a lot of other biometrics that are non-invasive and not personal. They're not private, they don't feel secret, but we can use them to authenticate ourselves. And that's the big discussion we need to be having. If I want to be smart about my privacy. >> Right. And it's interesting, on the sharing, 'cause we hear that a lot at security conferences, where one of the best defenses is that teams at competing companies, security teams, share data on breach attempts, right? Because probably the same person who tried it against you is trying it against that person, is trying it against that person. And really an effort to try to open up the dialogue at that level, as more of just an us against them versus we're competing against each other in the marketplace 'cause we both sell widgets. So are you seeing that? Is that something that people buy into, where there's a mutual benefit of sharing information to a certain level, so that we can be more armed? >> Oh, for sure, especially when you talk to the folks in the risk and fraud and identity theft mitigation and remediation space. They definitely want more data sharing. And... I'm simply saying that that's an absolutely legitimate use for sharing data. We also need to have conversations with the people who own that data, and who it belongs to, but I think you can make that argument, people get it when I say, do you really feel like the angle at which you hold your phone, is that personal? Couldn't that be helpful, that combined with 10 other data points about you, to help authenticate you? Do you feel like your personal business and life is being invaded by that piece of information? Or compare that to things like your health records. And medical conditions-- >> Mom's maiden name. >> That you're being treated for, well, wow, for sure that feels super, super personal, and I think we need to do that nuance. We need to talk about what data falls into which of these buckets, and on the bucket that isn't super personal, and feeling invasive and that I feel like I need to protect, how can I leverage that to make myself safer? >> Great. Lots of opportunity. >> I think it's there. >> Alright. Eva, thanks for taking a few minutes to stop by. It's such a multi-layered and kind of complex problem that we still feel pretty much early days at trying to solve. >> It's complicated, but we'll get there. More of this kind of dialogue gets us just that much closer. >> Alright, well thanks for taking a few minutes of your day, great to see you again. >> Thanks. >> Alright, she's Eva, I'm Jeff, you're watching The Cube from Data Privacy Days, San Francisco. (techno music)

(soft click) >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at downtown San Francisco, at Twitter's World Headquarters. It's a beautiful building. Find a reason to get up here and check it out. But they have Data Privacy Day here today. It's an all day seminar session, series of conversations about data privacy. And even though Scott McNealy said, "Data privacy is dead, get over it." Everyone here would beg to differ. So we're excited to have our next guest Eva Velasquez. Shes' the President and CEO of ITRC, welcome. >> Thank you, thank you for having me and for covering this important topic. >> Absolutely, so what is ITRC? >> We are the Identity Theft Resource Center. And the name, exactly what it is. We're a resource for the public when they have identity theft or fraud, privacy data breach issues, and need help. >> So this begs an interesting question. How do people usually find out that their identity has been compromised? And what is usually the first step they do take? And maybe what's the first step they should take? >> Well, it's interesting because there isn't one universal pathway that people discover it. It's usually a roadblock. So, they're trying to move forward in their lives in some manner. Maybe trying to rent an apartment, get a new job, buy a car or a house. And during that process they find out that there's something amiss. Either in a background check or a credit report. And at that point it creates a sense of urgency because they must resolve this issue. And prove to whoever they're trying to deal with that actually wasn't me, somebody used my identity. And that's how they find out, generally speaking. >> So, you didn't ask their credit scores. Something in a way that they had no idea, this is how they. What usually triggers it? >> Right, right, or a background check. You know, appearing in a database. It's just, when we think about how pervasive our identity is out there in the world now. And how it's being used by a wide swath of different companies. To do these kind of background checks and see who we are. That's where that damage comes in. >> Talking about security and security breaches at a lot of shows, you know. It's many hundred of days usually before companies know that they've been breached. Or a particular breach, I think now we just assume they're breached all the time. And hopefully they'd minimize damage. But an identity theft, what do you find is kind of the average duration between the time something was compromised before somebody actually figures it out? Is there kind of an industry mean? >> It's really wildly inconsistent from what we see. Because sometimes if there is an issue. Let's say that a wallet is stolen and they're on high alert, they can often discover it within a week or 10 days. Because they are looking for those things. But sometimes if it's a data breach that they were unaware of or have no idea how their information was compromised. And especially in the case of child identity theft, it can go on for years and years before they find out that something's amiss. >> Child identity theft? >> Mhmm. >> And what's going with? I've never heard of child identity theft. They usually don't have credit cards. What's kind of the story on child identity cut theft? Which is their PayPal account or their Snapchat account (laughs). >> Well, you're right, children don't have a credit file or a credit history. But they do have a social security number. And that is being issued within the first year of their life because their parents need to use it on their tax returns and other government documents. Well, because the Social Security Administration and the credit reporting agencies, they don't interface. So, if a thief gets ahold of that social security number. That first record that's created is what the credit bureaus will use. So they don't even need a legitimate name or date of birth. Obviously, the legitimate date of birth isn't going to go through those filters because it is for someone who's under 18. So, kid goes all through life, maybe all through school. And as they get out and start doing things like applying for student loans. Which is one of the really common ways we see it in our call center. Then they come to find out, I have this whole credit history. And guess what? It's a terrible credit history. And they have to clean that up before they can even begin to launch into adulthood. >> (chuckles) Okay, so, when people find out. What should they do? What's the right thing to do? I just get rejected on a credit application. Some weird thing gets flagged. What should people do first? >> There's a couple things and the first one is don't panic. Because we do have resources out there to help folks. One of them is the Identity Theft Resource Center. All of our services are completely free to the public. We're a charity, non-profit, funded by grants, donations, and sponsorships. They should also look into what they might have in their back pocket already. There are a lot of insurance policy writers for things like your home owners insurance, sometimes even your renters insurance. So, you might already have a benefit that you pay for in another way. There are a lot of plans within employee benefit packages. So, if you work for a company that has a reasonable robust package, you might have that help there as well. And then the other thing is if you really feel like you're overwhelmed and you don't have the time. You can always look into hiring a service provider and that's legitimate thing to do as long as you know who you're doing business with. And realize you're going to be paying for that convenience. But there are plenty of free resources out there. And then the last one is the Federal Trade Commission. They have some wonderful remediation plans online. That you can just plug in right there. >> And which is a great segway, 'cause you're doing a panel later today, you mentioned, with the FTC. Around data privacy and identity theft. You know, what role does the federal government have? And what is cleaning up my identity theft? What actually happens? >> Well, the federal government is one of the many stakeholders in this process. And we really believe that everybody has to be involved. So, that includes our government, that includes industry, and the individual consumers or victims themselves. So, on the government end, things like frameworks for how we need to treat data, have resources available to folks, build an understanding in a culture in our country that really understands the convenience versus security conundrum. Of course industry needs to protect and safeguard that data. And be good stewards of it, when people give it to them. And then individual consumers really need to pay attention and understand what choice they're making. It's their choice to make but it should be an educated one. >> Right, right. And it just, the whole social security card thing, is just, I find fascinating. It's always referenced as kind of the anchor data point of your identity. At the same time, you know, it's a paper card that comes after your born. And people ask for the paper card. I mean, I got a chip on my ATM card. It just seems so archaic, the amount of times it's asked in kind of common everyday, kind of customer service engagements with your bank or whatever. Just seems almost humorous in the fact that this is supposed to be such an anchor point of security. Why? You know, when is the Social Security Administration or that record, either going to come up to speed or do you see is there a different identity thing? With biometrics or a credit card? Or your fingerprint or your retina scan? I mean, I have clear, your Portican, look at my... Is that ever going to change or is it just always? It's such a legacy that's so embedded in who we are that it's just not going to change? It just seems so bizarre to me. >> Well, it's a classic case of we invented a tool for one purpose. And then industry decided to repurpose it. So the social security number was simply to entitle you to social security benefits. That was the only thing it was created for. Then, as we started building the credit and credit file industry, we needed an initial authenticator. And hey, look at this great thing. This is a number, it's issued to one individual. We know that there's some litmus test that they have to pass in order to get one. There's a great tool, let's use it. But nobody started talking about that. And now that we're looking at things like other type, government benefits being offered. And now, you know, credit is issued based on this number. It really kind of got away from everybody. And think about it, it used to be your military ID. And you would have your social security number painted on your rucksack, there for the world to see. It's still on our Medicare cards. It used to be on our checks. Lot of that has changed. >> That's right it was on our checks. >> It was, it was. So, we have started shifting into this. At least the thought process of, "If we're going to use something as an initial authenticator, we probably should not be displaying it, ready for anyone to see." And the big conversation, you know, you were talking about biometrics and other ways to authenticate people. That's one of the big conversations we're having right now is, "What is the solution?" Is it a repurposing of the social security number? Is it more sharing within government agencies and industry of that data, so we can authenticate people through that? Is it a combination of things? And that's what we're trying to wrestle with and work out. But it is moving forward, I'll be it, very very slowly. >> Yeah, they two factor authentication seems to have really taken off recently. >> Thankfully. >> You get the text and here's your secret code and you know, at least it's another step that's relatively simple to execute. >> Something you are, something you have, something you know. >> There you go. >> That's kind of the standard we're really trying to push. >> So, on the identity theft bad guys, how is their behavior changed since you've been in this business? Has it changed dramatically? Is the patterns of theft pretty similar? You know, how's that world evolving? 'Cause generally these things are little bit of an arm race, you know. And often times the bad guys are one step ahead of the good guys. 'Cause the good guys are reacting to the last thing that the bad guys do. How do you see that world kind of changing? >> Well, I've been in the fraud space for over 20 years. Which I hate to admit but it's the truth. >> Jeff: Ooh, well, tell me about it. >> And we do look at it sort of like a treadmill and I think that's just the nature of the beast. When you think about the fact that the thieves are they're, you know, they're doing penetration testing. And we, as the good guys, trying to prevent it. Have to be right a hundred percent of the time. The thieves only have to be right once, they know it. They also spend an extraordinary amount of time being creative about how they're going to monetize our information. The last big wave on new types of identity theft, was tax identity theft. And the federal government never really thought that that would be a thing. So when we went to online filing, there really weren't any fraud analytics. There wasn't any verification of it. So, that first filing was the one that was processed. Well, fast forward to now, we've started to address that it's still a huge problem and the number one type of identity theft. But if you had asked me ten years ago, if that would be something, I don't think I would have said yes. It seems, you know, so, you know. How do you create money out of something like that? And so, to me, what is moving forward is that I think we just have to be really vigilant for when we leave that door unlocked, the thieves are going to push it open and burst through. And we just have to make sure we notice when it's cracked. So that we can push it closed. Because that's really I think the only way we're going to be able to address this. Is just to be able to detect and react much more quickly than we do now. >> Right, right, 'cause going to come through, right? >> Exactly they are. >> There's no wall thick enough, right? Right and like you said they only have to be right once. >> Nothings impenetrable. >> Right, crazy. Alright Eva, we're going to leave it there and let you go off to your session. Have fun at your session and thanks for spending a few minutes with us. >> Thank you. >> Alright, she's Eva Velasquez, President and CEO of the ITRC. I'm Jeff Frick, you're watching theCUBE. Catch you next time. (upbeat electronic music)