With Clarity Against ID Theft: New Assessment Tool Aims to Limit Post-Breach Damage

Breach Clarity, a startup headed up by onetime Javelin Strategy + Research co-founder Jim Van Dyke, could help cybersecurity journalists, bloggers, and PR professionals write more clearly about data breaches.

By Robert McGarvey

Breaches are commonplace. There are four significant ones per day, says Van Dyke.

They often affect financial information, such as bank account or credit card data, protected health records, personally identifiable information (PII), or intellectual property.

In 2020, the total number of records exposed in reported breaches exceeded 37 billion, a 141% increase over 2019. This number does not yet include 2020 data breaches reported in Q1 2021.

But what does that mean for individual consumers and their personal data in each case? "The biggest challenge breach victims face," says Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center (ITRC), "is understanding the risks associated with a particular breach, and what steps they should take next."

Data breach press releases from lawyers, for lawyers

Ask any cybersecurity journalist what they do not like about data breach press releases of, say, financial services firms or health care providers, and the answer is: everything.

Such news releases disclose as little as possible and offer few details. Opacity is the hallmark of the genre.

These announcements are mostly made by lawyers, for an audience of other lawyers or state and federal regulators.

Often, they do more to add to the post-breach confusion than to minimize the damage.

As a result, most IT security reporters and general news media go through the motions and contribute to the general data breach alarm fatigue. Consumers are left confused and frightened, wondering how exactly they are impacted and what they can do about it.

How severe is the data breach? Ask this web app.

Enter Breach Clarity, which puts transparency over opacity because its founders think that makes more business sense.

Screenshot: Free data breach severity score - Breach Clarity Basic

The startup's new web service aims to prevent post-breach paralysis by providing consumers with three actionable insights:

  • The tool scores a data breach on its severity, from 1 to 10;
  • it explains to individuals how they can protect themselves if caught up in a specific data heist;
  • it offers a score of the user's risk of becoming a fraud victim, with scores ranging from 1 to 100.

The data breach severity scores and custom-tailored corrective steps are calculated based on Breach Clarity's patent-pending algorithms. Action items are specific to a particular breach and to the person who's asking, explains co-founder and CEO Jim Van Dyke.

A data breach, for instance, that involves completed W-2 forms, banking information, and HR files exposes affected employees to IRS tax refund fraud.

Where does Breach Clarity get its breach report data?

Van Dyke says that Breach Clarity's consumer research found a surprisingly robust appetite for such tools among Gen Z and Millennials. The researchers also found high interest among Baby Boomers.

Will Breach Clarity, which was acquired by Sontiq in March 2021, be able to give them the answers they are looking for?

The success of its approach depends to a high degree on the quantity and quality of available data breach reports.

A 2017 study found that 60% of U.S. data breaches went unreported. But there has been improvement in the four years since.

Privacy experts attribute this trend to the introduction of stricter consumer privacy laws and regulations at the state level and of GDPR, the General Data Protection Regulation in the European Union, which also affects numerous US-based companies.

The new regulations are credited with increased self-reporting, especially in regulated sectors such as healthcare and the financial services industry.

Breach Clarity gets its data breach details from the ITRC, whose database is considered a gold standard in the field. Van Dyke sits on the ITRC board.

The nonprofit's nationwide database contains detailed information on the latest publicly reported data compromises that impact consumers and businesses.

Eva Velasquez says ITRC is proud to be a part of a "no-cost solution that brings much needed clarity to the victims of data breaches."

First target markets: credit unions and banks

How will Breach Clarity make money? For now, Jim Van Dyke, whose Javelin claimed many mega banks as clients, is marketing Breach Clarity as a value add for credit unions to offer to their members.

He already claims one customer - BCU (formerly Baxter Credit Union), the nation's 56th largest with around $4 billion in assets.

Jim Van Dyke (Photo: Breach Clarity)

BCU is offering Breach Clarity's premium-level service as a free tool to its members. Nonetheless, Van Dyke forecasts a 5x ROI through a reduction in fraud losses.

That's because financial institutions absorb the bulk of the losses due to data breaches, says Van Dyke. Informed members/customers, goes his calculation, will be better able to take steps early to minimize fraud.

He also expects fewer calls to helplines. After heavily reported breaches, financial institutions are swamped with SOS calls. Fewer calls mean lower costs, which is why Breach Clarity expects growing interest from large regional and national banks next.

More cybersecurity content clarity as a possible side benefit?

Post-breach communication needs to improve on many levels, and Breach Clarity may have a role to play here.

News journalists and B2C content writers can draw on the service to give their readers more specific advice than the basic "check your credit report" guidance.

Organizations that suffer a publicly reported breach can point their members or customers to Breach Clarity.

Most importantly, they need to be more transparent and clear about what happened, including possible consequences, starting with the first public announcement of the data breach, and follow these:

Three basic rules for post-data breach press releases

  • Ditch the opacity. Be transparent about what data was stolen, over what timeframe, and admit what you don't know yet.
  • Spell out the steps your organization has taken to mitigate the data breach. That doesn't mean giving cyber crooks a road map. Disclose to the public any information that will help restore confidence.
  • Let cybersecurity crisis communication professionals polish your press releases. Yes, in-house counsel or your law firm will want to have the final say. For clarity and specificity, also involve a skilled PR writer with cybersecurity background.

This post has been updated to reflect the acquisition of Breach Clarity by Sontiq (3/9/2021 announcement).

Cybersecurity Writers guest contributor Robert McGarvey (Twitter: @rjmcgarvey) is a veteran technology reporter who has often covered cybersecurity and data breaches, especially in financial services and hospitality. Listen to his half-hour podcast with Jim Van Dyke here.