In this CVR podcast series, we talk with those doing research and serving victims and learn about the work they've done together.

Tell Us About it, Episode 27: Using Research to Counter Identity Theft and Cybercrime

A convo with Eva VelasquezJun 09Time: 28:49

On this episode of “Tell Us About It,” you will get to hear from Eva Velasquez, the president and CEO of the Identity Theft Resource Center. Listen to Eva explain how the ITRC collects and uses data and research to better protect our wellbeing when it comes to internet scams, fraud, cybercrime, and privacy issues. You will also learn about how the ITRC partners with researchers across the country in an effort to collect as much data on cybercrimes and fraud as possible.

Transcript:

Susan [00:00:02] Welcome to “Tell Us About It: Victim Research Convos,” a podcast from the Center for Victim Research, with support from the Office for Victims of Crime. On each episode of “Tell Us About It,” we talk to researchers and practitioners about their work, the tools being built for use in the field, and how we can work together to build an evidence base for victim services. Today, we’re talking with Eva Velasquez, executive director of the Identity Theft Resource Center.

Susan [00:00:28] Eva, it’s so good to be able to talk with you today.

Eva [00:00:31] I’m so glad to be here. Thank you, Susan.

Susan [00:00:34] Please tell us a little bit about the Identity Theft Resource Center.

Eva [00:00:38] Well, we were founded in 1999, so we are celebrating our 20-year anniversary this year, and our mission is to empower and guide consumers, victims, businesses, and government to minimize risk and mitigate the impact of identity crimes. And I know that’s a little bit of a mouthful, so to just kind of unpack that, essentially, we’re involved in all of the issues that feed into identity crimes and that includes data breaches, scams and fraud, cybercrime, and even privacy issues. So we provide services kind of across the spectrum from risk minimization techniques, best practices, education, and then even into remediation and recovery services, and they’re all completely free to the public.

Susan [00:01:23] In a broad sense, what role do research and data play in the Identity Theft Resource Center’s work?

Eva [00:01:30] Well, the bottom line is that we use it to inform our victim services. When we know what victims are experiencing, we can better assist them through the process, particularly when we’re talking about the emotional upheaval. It’s one thing to deploy universal processes and give people a remediation plan — you know, we go step by step by step — and these are the things that you do. But when we do the research into our behavioral research, and how does this affect you, and what is the trauma like. That allows us to create a fuller service and a better experience for the victims, because we’re not only meeting their needs as far as here’s your list of things that you need to do. We’re able to hold their hand and connect with them in a way that just makes them feel whole and makes them feel supported, and also not dismissed. It’s very easy for us to dismiss the trauma that occurs when you’re talking about financial crime victims in general and with us specifically, it’s identity and cyber crime victims. We have this tendency to think, well, it’s not a violent crime, and if your physical body isn’t harmed, then it can’t be that bad. It really can’t be that awful. We know from our experience on the phone with people talking to them every day that it is that bad. But our research is able to support that instead of just speaking anecdotally to the public, to the people solving this problem, decision makers and even funders, the research supports are real life experience in a very meaningful way.

Susan [00:03:14] Can you give us an example, something specific about how research then directly influenced your response to victims?

Eva [00:03:23] I can think of two off the top of my head that I think have been the most meaningful. And again, I go back to our behavioral research. One of the things we recently did was we surveyed two distinct populations, millennials and seniors. And we surveyed them about their online behaviors. And what that allows us to do is really create much more tailored risk minimization plans because we know how they’re engaging in the outside world. And it becomes more meaningful to that particular population. So it also helps, to dispel the notion that there’s really a one-size-fits-all plan when it comes to identity, cybercrime, scams, and fraud. The research allows us to strongly disabuse people of that notion because we can demonstrate that millennials tell us this is how they behave online. This is the type of data or information they’re willing to give out and what they’re willing to receive in return, and how cautious they are, what platforms they use. And then we talk to seniors and it’s a very different lay of the land. They’re using different platforms. They’re using them in a different way. They may not even be aware of all the different privacy settings and what are legitimate, you know, interactions online. And so by looking at that data, we can then tailor those plans to them and say, hey, we know that 78 percent of you guys are using Facebook. So I’m going to talk about how to stay safe on Facebook. I’m not going to go out to a senior population and talk to them about how to stay safe on TikTok. Although now things have changed and TikTok is kind of enjoying a resurgence among many different demographic groups. The other, I think, really good example — and it kind of goes into the analysis piece, which I think sometimes we forget. It’s great to collect the data and do the research, but really thinking of new and unique ways to analyze the data that you already have is super important in this space. And we have been in the data breach space for, I think, 15 years now. And far and away, when victims get a data breach notification and contact us, they will ask us — they have all of the information in front of them in a letter or an email, and they will ask us, “But what does this mean to me?” And our advisers would go through the process of asking, “Okay, does the letter say what data was compromised specifically?” Because that is the key. It’s not what company. It’s not how the data was compromised if it was a hack or self-compromise. The key is what data or identity credentials were compromised this particular time, and that’s how you build a meaningful remediation plan. And we have been doing this on a one-on-one basis through our call center and our live chat. And we realized people need to know what this means. And we were able to find a partner who helped us to build a much more robust data breach database. We went from collecting seven different types of PII, and for those that don’t know what PII is, it’s personally identifying information. So it’s things like your Social Security number, your driver’s license number, your date of birth, your credit card number, your bank account number, all of those different things. So we went from collecting seven different types of PII and kind of broader categories, and now we collect 52. We get extremely granular. And our partner was able to build an algorithm that provides a risk score and automatically takes the top three harms and the top three remediation steps from our knowledge base and gives that to the individual. So in a sense, we’ve automated some of our one-on-one services for the folks that just — they maybe aren’t having the strong emotional reaction, so they just need the information and they love that service. So it was leveraging the data that we already had doing a better job at collecting it, but then finding a really unique way to analyze it and create something meaningful for the public. And getting a great partner, our partner on this is Breach Clarity. They are one of our supporters, they sit on our board, and they provide this service free to the public using our data.

Susan [00:08:07] Just to be clear on that example, when you say you collect these now 50-some areas of PII, is it that you are collecting that information from the contact or you’re collecting ‘was this bit of information put at risk through the breach?’

Eva [00:08:25] That is a great question, and I’m so glad you are having me clarify that because no, we do not collect actual PII. We would never put ourselves in that position and we would not do that to the people that were helping. We collect that type of PII. So we look at the publicly available data from the various attorney’s general offices and websites from HHSA. Sometimes it’s a media blast. Those are a valid source and it’s written into the laws that if it’s a large scale breach, they can use the media and their own website to report to the public that there was a breach. So we always verify that the breach actually occurred and then we capture the type of data. Was it Social Security numbers, driver’s license numbers, dates of birth, name, email address, passwords, or log-in credentials? And we check those boxes of the type. But no, we do not collect that level of victim data, nor do we plan to in the future. We believe in data for good, and this type of data doesn’t put anyone else at risk. You have to be really careful when you start housing that kind of sensitive data about individuals, that can be attributed to an individual. And that’s so that’s not our process.

Susan [00:09:48] So those are two great examples of how you are using data and research immediately to inform your response to victims. You also talked, though, about your work with policymakers and the general public. Can you give us an example of how you would use research in your advocacy or general awareness activities?

Eva [00:10:08] Well, when we talk to decision makers and in the folks that can really influence from a very high level, they don’t want to hear our anecdotal experiences. They want to have data-driven information provided to them. And so we really look for where the opportunities for best practices and where we can help victims the most. So one of the recent things that we worked on was the free credit reports. You know, for years, credit reports would, for some people, they’re free, depending on what state you live in or what age group or demographic you fall into. And then for other people, they’re not. You can’t do it for kids. And it was this very patchwork type of state regulation, and we felt very strongly that it needed to be free to the public, it should no longer be a service that that they have to pay for. And we used a lot of our aftermath data, which is the study that we do where we survey our victims in the previous year and really dig into what their experiences have been, not just how much money did you lose and how much time did you spend, but also a lot of the emotional and a lot of the downstream kind of long-term effects. But one of the other questions we ask is their income level. And we found that many of the people that we have helped in the previous years have an income of less than $25,000 a year. And that piece of information when we’re talking to decision makers makes a huge difference because there is still this notion that only high income earners, high wage earners, people with investments, people with a high net worth are really attractive victims, that the thieves don’t necessarily want your identity credentials or to steal your identity if you don’t have a lot of assets or a lot of money and nothing could be further from the truth. Those credentials of themselves matter, not the actual financial health or picture of the person that they belong to. And so by being able to go in and share the experiences that these people had, share that this, you know, a large percentage of them earned less than $25,000 per year and then share that, yes, asking them to pay $30, $10 at each bureau to freeze their credit, asking them to pay $10 to unfreeze it if they need to get a loan of $200 to fix a flat tire, that it’s unreasonable and it’s unconscionable. And so that was one of those places where, and it’s kind of esoteric, you would think, “Is that really the piece that’s going to make the difference?” But you never know. That’s why it’s really good to capture that those levels of information so that you can have it at your disposal and see where for these decision makers is the disconnect, why are they not understanding the problem that we’re trying to solve? And then you can use that data to solve it.

Susan [00:13:17] Yeah, that’s great. That really speaks to the value of having a lot of data about what you’re doing so they can be nimble in those responses. Earlier, you talked about an outside partner who did some research for you. How often do you partner with outside researchers versus analyze your own data in-house?

Eva [00:13:39] Well, it’s, we really use a combination of resources, and it depends on the topic. It depends on the level of granularity. And it also depends on the level of support that we’re getting from external sources. So sometimes there is just something that I personally really want to know. I guess, you know, I wonder this, how is this working? And we will just do a short survey or put something out there and it’s — and do something very quick, not something super involved with an IRB or anything like that, because it’s meeting our needs. It’s really just I have this this burning desire to understand how this one facet of what we’re doing works and we can easily do that in-house. When we are doing something that is grant funded or that does require access to an IRB and that level of research and checks and balances, we will partner with someone, and we have a number of partners that we use and have had great success with those partnerships. And then there’s something that kind of falls in between where we know it doesn’t need to be peer-reviewed and published in a scientific journal. So we don’t need the IRB, but we want more framework and credibility around the process and make sure that we really have an ironclad methodology, and that’s where we’ll partner either with some of our collaborative partners, the for-profit organizations that support us, or sometimes we have research students that just reach out to us and say, I’d like to volunteer and work with you guys. I — I know I am extremely lucky in that sense that because what we do has, is so in alignment with what’s going on out there in the tech sector and in other sectors, we do get a lot of interest from the public in volunteering for our research efforts and working with us on how we can make this a safer space for everyone. And I know not everyone has access to that. Data analysts in the tech sector, they just love to sink their teeth in. They’ll just do it as a personal project on the weekends, even though it has nothing to do with their day job. And I understand that not everybody has that opportunity, but, you know, leverage volunteers, and I don’t think you have to have a one-size-fits-all process. We really take a look at what are we trying to understand? What need is it going to meet? Where does it fit within our strategic goals? So now what level of framework do we have to set up in order to meet those objectives?

Susan [00:16:28] Yes, I think most providers would be really envious of the fact that you have students and others coming to you volunteering their services. But I’d like to talk a little bit about you mentioned that outside corporations might have an interest, a parallel interest, in a research topic that you are interested in. What are the challenges when you’re working with that sort of a third party funder who might, might have a different object in mind?

Eva [00:17:00] You know, there definitely are challenges, and I think first and foremost, you really have to know your partner. You really have to know that the company that you’re going to be collaborating with, because it’s not one-size-fits-all. And we’ve had some excellent experiences with our corporate partners who truly are mission-driven. And, yes, they work for a corporation. Yes, a corporation sole purpose is to make money. But when you can find the issues that they’re in alignment, where you know that the motivation is pure, you can really avoid a lot of the problems that I know some other organizations have had. I know that here and there we have faced where you get the feeling that it’s sort of like I paid for the research, so I want outcome to be x. I can honestly tell you that with our long-term partners, we have not had that issue. But there’s a lot that goes into the back end, so make sure that you are, if you’re going to go down that road, that you have an established relationship and you’ve done some other work with them first so you get a feel of where they’re coming from. Really look at the issue that you’re working on and see — make sure that they’re in alignment. And the example I would give is, you know, when we do research with financial institutions, a lot of it is fraud-based. We’re looking at fraud. So those companies have an incentive to reduce fraud to get those dollars, those fraud dollar losses down. So they are definitely incentivized to work on that problem and provide meaningful solutions. And that helps them, and it helps the people who are being defrauded or whose identity credentials are being misused. So here is one of those few instances where you have corporate America and consumers in alignment. And we really stick with those because they have less pitfalls. And then, of course, just make sure that even with a, with a trusted partner, even with an established partner, have the agreement, the MOU, the service agreement, the SOW, whatever it is that you use in your organization, to outline very specifically what the roles and responsibilities are, you know, who owns the copyright, what the copyright usage is. All of those things you really need to get detailed. I would definitely recommend that if it’s the first time you’re doing something like that, that you have an attorney. Even if you don’t have one on staff or one on retainer, you pay outside counsel to review that agreement and make sure you have all the nitty-gritty in the details in there.

Susan [00:19:42] How long a process is that? Let’s say you have a corporate partner, it’s someone you know somewhat about how long would you say it takes you to come to an understanding and a final agreement before you can get underway?

Eva [00:19:56] You know, I wish I had a a very conclusive answer for that, but it is somewhat inconsistent because there’re just a lot of factors that go into it. And I would say from a, from a — if it’s a new partner, but one that we’ve done some work with before, and if it’s a large entity, remember, their legal team is also going to get involved. So then you’ve got two legal teams kind of battling it out and doing reviews and edits, so that is one of the factors. If you can get through just one round of edits, then maybe it’ll only take a couple of weeks. If you have to go back and forth, that could take two or three months. I would say for the most part, when we’re doing it as sort of a standalone and not part of an agreement, an established agreement that we have — on the short end, I would say two months and on the long and I would say up to five or six months. I mean, you can’t skimp on the time because remember, you’re protecting your organization. You’re making sure that there are no questions about what we’re doing, that we are going to publish the outcome regardless of the findings. You know, again, who owns the copyright that we’re not going to charge or put a paywall against this, because for us, it’s, we are putting this information out to the public. That’s first and foremost. So, you know, if you use your mission as your guiding principle and just realize, hey, I’ve got to put all these, all those little details in there, and especially if you haven’t done it before, I mean, it can, it can be an arduous and tedious process, but I do think it’s worth it because research is expensive and time-consuming and we need the support.

Susan [00:21:42] That’s a great guiding principle to think about using your mission as you are crafting these agreements. Eva, what would you say are the pressing issues right now where you wish you had research or where you are about to undertake research to guide your work?

Eva [00:22:01] You know, when we first started talking about doing this, they were different because the entire external landscape has changed. And, you know, for the Identity Theft Resource Center, a lot of, ah, I won’t say our initiatives, but a lot of our education pieces are very externally driven. What is going on out there in the real world, in the cyber world? What is happening and where is that weakness and that vulnerability that we have to fill in those gaps for the public, for — and primarily consumers, but remember, we are trying to educate and guide business and government as well. And so right now, with the COVID-19 pandemic and the massive, massive amounts of fraud, I am very keen on doing some research on not just the scope of it and the dollar amounts that are lost because that’s being tracked and the FBI is putting out statistics, DOJ is putting out statistics. The FTC, their most recent statistics for COVID-19 fraud-related scams just since for this year, just since this started, it’s over $20 million in fraud losses. And that’s just to the Federal Trade Commission. That’s one reporting arm. My concern is more about the long-term effects that this level of fraud at the scope and scale, that this is going to have on not just our economy, but on the individuals who are affected. When you think about the trauma that people experience when they go through something like this, it has a long term effect on them. They disengage, maybe they don’t use online platforms as much. Maybe if it happens through a government entity, their trust in government just goes down even more. I would like to know what those are, really get a handle on identifying what they are. I mean, I have some ideas, but we need to be thinking about the very long-term when it comes to fraud. And I know right now that’s, that’s not top of mind. We’re thinking about the short-term, the health consequences, the short-term economic consequences, making sure people can get food on the table, get their kids educated, keep the lights on. And that is absolutely as it should be. But from organizationally where we sit, there’s going to be a long, long tail on this fraud and on the identity and cyber crimes that are occurring. And I think we would be much better situated to address that if we start now talking about those things and looking at how can we use research and data to help us better understand what those are so that when we are over this immediate need and over the crisis, we will be situated to begin that work instead of beginning it when we’re over the crisis.

Susan [00:25:06] That’s a great example of always thinking in the moment, but two or three steps away, “What should we be doing now to prepare for then?” Excellent. You all have really capitalized on research and data. Where do you see your research capacity or the research capacity in this area going in the future? What’s your vision for identity theft and fraud research in the next five or 10 years?

Eva [00:25:34] Well, instead of vision, let’s say this is my magic wand. Can I have a magic wand, Susan, so that I can wave and say this is what I wish would happen for the future? So, you know, I talked earlier about the issues that we work on, and it’s not just identity crimes. There’re cyber crimes and data breaches and scams and fraud and even privacy issues because they all feed into the one kind of greater issue. And we are starting to see some of those silos there — they have more porous borders now, I’ll say. They’re not — the silos still exist. And but they’re finally starting to coalesce in some meaningful ways with privacy, actually, — it’s always been confused with cybersecurity. People use them interchangeably even though they’re different. But I would like to see them coalesce into each other and be one conversation. And I would like to see more of these issues become less siloed or at the very least, like I said, have more kind of more porous delineation between them so that we can talk about the issues where they, where they overlap, and so I’d like to see more research. I’d like to be a part of more research that can see where we can connect those pieces and break apart the silos a little bit, or at least in a meaningful way, not to just destroy them so that we don’t know what we’re doing or we can’t sort of evaluate and quantify what we’re doing. We need to have buckets for things. It’s how our brains work. But but sometimes we need to put all the water in one bucket and see what shakes out. And I’d like to see more of that.

Susan [00:27:23] Great. That’s a great vision. Eva, thank you. Your center is really the poster child for the integration of research data into victim response and advocacy. Thank you so much for sharing your experience with us today.

Eva [00:27:38] Well, thank you, Susan. And I’m not sure if we’re the poster children — it’s something we strive to do. I think a lot of people are doing great stuff, but I’m going to take that compliment because we’re working really hard to make those meaningful impacts. And yeah, research and data analysis are just one of those tools and one of the best ones in our toolbox.

Susan [00:27:59] Thank you.

Susan [00:28:00] We hope you enjoyed this episode of “Tell Us About It.” If there are a research or practice experts you’d like us to interview or research tools you’d like us to feature on this podcast, email us at podcasts@victimresearch.org.

Closing [00:28:15] “Tell Us About It” is a production of the Center for Victim Research funded by the Office for Victims of Crime’s Vision 21 Initiative through Cooperative Agreement Number 2016-XVDX-K006. The Office for Victims of Crime is part of the U.S. Department of Justice’s Office of Justice Programs. However, the points of view and opinions discussed on this podcast are those of the host and expert contributors and do not necessarily represent the official position or policies of the U.S. Department of Justice.