
SECURITY ARCHITECTURE INSIDER

Winning the war: Personal information protection


George Tubin, Contributor
06.12.2009




More than a quarter of a billion records containing sensitive personally identifiable information have been involved in security breaches in the United States since January 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. Recent announcements about massive data loss involve several universities, retailers and government agencies. These ongoing incidents are indicative of a problem so big and so pervasive that it will simply not go away anytime soon, despite significant attention from the media and consumer advocacy groups.

As a result, TowerGroup can now confidently declare that the business sector has lost the battle over protection of personally identifiable information (PII). Fortunately, the majority of the massive amounts of data inadvertently lost will not end up in the hands of criminals. Unfortunately, some will. The financial-services industry, consequently, must consider the ramifications of past, current and future data losses and adjust its security practices for personal information protection accordingly.

One would expect the public uproar and negative press surrounding the massive data breaches of the recent past to have spurred businesses to do a far better job of protecting PII. The spread of state data breach disclosure laws should also have sharply reduced the amount of PII lost and stolen. As if these factors weren't enough, the maturation of data loss prevention (DLP) technologies and the widespread availability of data encryption should have made a meaningful dent in the quantity of data being lost and stolen. The number and severity of breach incidents might have been higher without these factors, but an assessment of recent data breach events indicates the problem is as bad as ever and perhaps getting worse.

Because hundreds of millions of data records already have been lost and stolen and no end to the problem is in sight, TowerGroup recommends financial-services firms now assume all of their prospects' and customers' PII has been compromised. Institutions must authenticate their clients and prospects on the assumption that information such as name, Social Security number, address, telephone number, date of birth, account balance and transaction knowledge is all but useless as an authentication factor.

Criminals continue to focus primarily on obtaining credit card and bank account credentials because they can cash them out more readily. However, TowerGroup expects that criminals will increasingly turn to PII as financial-services institutions (FSIs) get better at preventing the fraudulent use of card data and account credentials. Financial institutions must therefore evaluate and implement technologies that make compromised PII (and other evolving methods) less useful for committing fraud. Additionally, government regulations must be strengthened to force all businesses that store consumer PII to dramatically improve their data protection capabilities. We believe three components must be bolstered to meaningfully curtail both the use of compromised PII to commit fraud and the continued loss of PII across all businesses: authentication technologies, cross-channel fraud prevention and data protection legislation.

FSIs should continually evaluate the effectiveness of their authentication and fraud prevention approaches against evolving fraud methods and the resources available to criminals. At this point, knowledge-based authentication and one-time passwords balance effectiveness, cost and customer experience better than most emerging authentication methods, such as voice biometrics. Cross-channel fraud prevention technologies are becoming more important as criminals increasingly exploit the gaps between FSIs' typically siloed, per-channel fraud controls. Only by improving authentication and fraud prevention technologies can FSIs render compromised PII insufficient to commit fraud.

Concurrently, TowerGroup calls on lawmakers and federal regulators to implement substantive requirements that cause businesses to drastically reduce the amount of data loss. These requirements must compel all businesses that collect and store PII, from the Fortune 500 down to the smallest "mom and pop" business, to both reduce the amount of PII stored and protect whatever PII is deemed essential to the business. Although it appears the data protection battle has been lost, we firmly believe the war can be won.

About the author:
George Tubin is a senior research director for TowerGroup's Delivery Channels and Financial Information Security research services. This article is based on research by the Financial Information Security Service at TowerGroup, a leading research and advisory services firm focused exclusively on the global financial services industry. Tubin can be reached at gtubin@towergroup.com. Those interested in learning more about TowerGroup or subscribing to its research services may call +1.781.292.5200 or e-mail service-info@towergroup.com.

