Letting Customers Chase Your Thieves Gets Something More Valuable Than A Nabbed Thief: A Loyal and Happy Customer

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Do you need help tracking down the cyberthieves who periodically attack? Maybe you do, maybe you don't. But if you set up a mechanism to let your customers try to help, you might get something much more valuable than a captured thief: lots of happy and loyal customers. Sound strange? It is. But it's also true.

Consider this true story: About a week ago, my wife's E-mail provider notified her that she was a baaaaad girl. Apparently she had sent out a bunch of spam in violation of the Terms of Service. Of course, it wasn't her, and I notified the provider of this fact. Fine. End of story, right? I think not. What happened next, or more accurately what didn't happen next, is a cautionary tale about the nature of the relationships between IT vendors and customers (like merchants) and the relationships between merchants and their customers.

It also presents an opportunity for merchants, ISPs and others to enlist the help of their customers with respect to data breaches, vulnerabilities and other incidents and to not look at them as merely passive "victims." If you have a little faith in your customers, you can empower them to help you with inquiries and, effectively, crowdsource your data breach investigation.

Typical consumer notifications contain both bare-bones and boilerplate information about the nature and scope of the breach and response. You know: "Dear customer, We have discovered that on (insert date here) we suffered a breach which may (or may not) have compromised your (insert nature of information here). We have been cooperating with law enforcement and do not believe that your information is at risk, but we are providing the numbers of the three credit reporting agencies in case you feel like overreacting and panicking..." Or something like that.

In fact, on September 1, California Governor Jerry Brown signed SB24 into law which, like laws in several other states, mandates that data-breach notifications include information like the date of the breach, a general description of the breach incident (if that information is possible to determine at the time the notice is provided) and information about what has been done or what can be done to minimize harm resulting from the breach. Stuff you should be including in the breach notifications anyway.

But none of these things helps the consumer help you, except to the extent that they mitigate harm. They don't help you find and prosecute the bad guys. And as the recipient of several of these notices, I want to find the bad guys. So do many of your customers. So why not let them help you?

About a year ago, I was called by my credit-card company and asked if I had authorized a charge in some small town in North Carolina. I hadn't. But rather than simply saying "no" and getting a new card, I said, "hmm... I don't think so. Tell me more about the charges." The clerk was able to tell me the address of the merchant, the nature of the charges, the items purchased and even the register from which the charge was made.

We went back and looked at other charges, and found four charges within about an hour in various cities in North Carolina. Google Maps told me where these cities were, and I was able to plot out where the bad guy was going. One of the charges had occurred within 15 minutes.

Using Google street view, I pulled up a picture of the offending shop and looked up the address. I called each store and had them tell me whatever they could recall about the person making the unauthorized charge. A gas station had video, which I asked them to preserve. I then looked up the name and telephone number of the local sheriff's office and called them and asked them to look at the surveillance videos at the three stores.

I asked the credit-card company not to put a hold on my card but to put an alert on it, and to text me each time it was used (for about four hours—and then cancel the card).

As a result of this brilliant detective work, nothing at all happened. Nobody was caught, nobody was arrested, nothing. But I felt a lot better, and I was willing to try to find the "thief." I doubt that Bank of America would have done the same thing for what amounted to a few hundred dollars of charges.

A similar thing happened about 10 years ago, when I was called by Citibank about a mortgage I had apparently applied for in a city about 40 minutes away. When I told the bank it was unauthorized, they refused to provide me with any additional information about the application—citing the privacy of the thief—until I called them back, playing dumb, and "asked about this mortgage I applied for." I was able to get the address the thief used and the other personal information that person supplied (my social security number, but that person's other information), and even went to the post office in that person's city and put in a change of address form for myself (any mail addressed to me at that person's address would be rerouted back to me at my real address).

Immediately, I started getting credit-card and other applications that person had requested. Long story short, the information had come from an affinity card I had applied for, and the bad guy had stolen hundreds of social security numbers.

For merchants or others who suffer breaches, the lesson is that your customers may be more interested in conducting an investigation than you are. They may have more information, resources or abilities than you do. If a breach is the result of a "skimmer" attached to a terminal or ATM, some customer may have seen something but will report it to you only if you provide the customer with enough information to enable him/her to help you.

Either you or the customer can use tools like social networking and crowdsourcing to surface patterns of activity surrounding the fraud that would not be visible from isolated bits of information. This may, or may not, result in better investigations and possible prosecution and deterrence.

Even if there is no criminal prosecution as a result, this gives the merchant the ability to enlist the help and support of the data subject. It empowers that person, gives him/her a sense of control (and not mere powerlessness) and reinforces the position that you, like that person, are the victim of a crime, not a perpetrator. It reinforces the idea that you and your customers are working together and that you have their interests at heart.

If the data subject's assistance is particularly useful or diligent, you can reward his/her efforts with things such as discounts or coupons. Indeed, these things can be used as incentives for information—you know, like a digital wanted poster. In doing so, you will need to be careful as you tread the fine line between encouraging investigation and vigilantism.

In the E-mail hack case, I wanted to find out the IP address from which the spam was sent, whether my wife's user ID and password were used or whether there were multiple unsuccessful attempts to access the account. I also wanted to know whether spam was sent to people on her contact list, or others, and if there was a pattern. The provider was, shall we say, uncooperative and uninterested. And that is not what you want to be in the event of a breach—especially if the breach may have been your fault.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.
--Sophia Shahnami contributed to this column.