More than a quarter of a billion records containing sensitive personally identifiable information have been involved in security breaches in the United States since January 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. Recent announcements about massive data loss involve several universities, retailers and government agencies. These ongoing incidents are indicative of a problem so big and so pervasive that it will simply not go away anytime soon, despite significant attention from the media and consumer advocacy groups.
As a result, TowerGroup can now confidently declare that the business sector has lost the battle over protection of personally identifiable information (PII). Fortunately, the majority of the massive amounts of data inadvertently lost will not end up in the hands of criminals. Unfortunately, some will. The financial-services industry, consequently, must consider the ramifications of past, current and future data losses and adjust its security practices for personal information protection accordingly.
It seems that the public uproar and negative press associated with the massive data breaches of the recent past would have spurred businesses to do a far better job of protecting PII. The expansion of state legislation requiring data breach disclosure also should have seriously reduced the amount of PII lost and stolen. As if these factors weren't enough, the maturation of data loss prevention (DLP) technologies and the widespread availability of data encryption technology should have made a meaningful dent in the quantity of data being lost and stolen. The number and severity of data breach incidents might have been higher without these factors, but an assessment of recent data breach events indicates the problem is as bad as ever and perhaps getting worse.
Because hundreds of millions of data records already have been lost and stolen and no end to the problem is in sight, TowerGroup recommends financial-services firms now assume all of their prospects' and customers' PII has been compromised. Institutions must authenticate their clients and prospects, assuming that information such as name, Social Security number, address, telephone number, date of birth, account balance and transaction knowledge are all but useless as authentication factors.
Criminals continue to focus primarily on obtaining credit card and bank account credentials because they can cash them out more readily. However, TowerGroup expects that criminals will increasingly turn to PII as financial-services institutions (FSIs) concentrate on improving their ability to prevent the fraudulent use of bank card information and bank account credentials. Therefore, financial institutions must evaluate and implement a number of technologies that make compromised PII (and other evolving fraud methods) less useful for committing fraud. Additionally, government regulations must be strengthened to force all businesses that store consumer PII to dramatically improve their data protection capabilities. We believe three components must be bolstered to meaningfully curtail both the use of compromised PII to commit fraud and the continued loss of PII across all businesses: authentication technologies, cross-channel fraud prevention and data protection legislation.
FSIs should continually evaluate the effectiveness of their authentication and fraud prevention approaches against evolving fraud methods and the resources available to criminals. At this point, knowledge-based authentication and one-time passwords balance effectiveness, cost and customer experience better than most emerging authentication methods, such as voice biometrics. Cross-channel fraud prevention technologies are becoming more important as criminals increasingly exploit the gaps inherent in FSIs' commonly siloed, per-channel fraud prevention methods. Only by improving authentication and fraud prevention technologies can FSIs render compromised PII insufficient to commit fraud.
Concurrently, TowerGroup calls on lawmakers and federal regulators to implement substantive requirements that cause businesses to drastically reduce the amount of data loss. These requirements must compel all businesses that collect and store PII, from the Fortune 500 down to the smallest "mom and pop" business, to both reduce the amount of PII stored and protect whatever PII is deemed essential to the business. Although it appears the data protection battle has been lost, we firmly believe the war can be won.
About the author:
George Tubin is a senior research director for TowerGroup's Delivery Channels and Financial Information Security research services. This article is based on research by the Financial Information Security Service at TowerGroup, a leading research and advisory services firm focused exclusively on the global financial services industry. Tubin can be reached at firstname.lastname@example.org. Those interested in learning more about TowerGroup or subscribing to its research services may call +1.781.292.5200 or e-mail email@example.com.