Vincent H. DeLuca, a risk management and fraud prevention veteran, has served as director of investigations and risk operations at GE Capital and vice president of security and risk management and director of fraud control at MasterCard International. During the span of his impressive career he has investigated significant fraud cases and implemented data protection and recovery solutions for several multinational corporations. For CardNotPresent.com, DeLuca examines the likelihood of a company experiencing a data breach and delineates steps your company can take in advance to deal with that eventuality.
Protecting Customer Data from Internal and External Threats
By Vincent H. DeLuca
Data breaches affecting merchants and financial institutions can have damaging and far-reaching implications if not handled properly. And it is increasingly certain that nearly every business will face the problem. According to the 2009 Ponemon Institute U.S. Cost of a Data Breach study, approximately 85 percent of businesses have experienced a data breach, up from 60 percent in the 2008 study. In other words, the chance that your business’ data security will be compromised is overwhelming, and it is getting even more likely as time passes.
Beyond any money stolen, financial institutions and merchants that experience large-scale fraud also incur costs for legal fees, notifying customers of the breach, and any fines levied by compliance organizations or payment card companies. Beyond the monetary loss, companies affected by fraud also risk losing customer confidence and suffering reputational damage.
Despite the incredible media scrutiny that has accompanied repeated—and very public—data breaches at companies of all types and sizes, most organizations are still surprised when they are victimized. More importantly, they do not know how to react or handle the situation. A recent Millward Brown survey found that half the companies surveyed either had no plan for handling a data compromise or admitted that their plan was inadequate.
Merchants and financial institutions can ill afford to take this risk, but with planning and practiced execution, they stand a good chance of staying off the evening news and out of the media glare. Companies need to prepare for when, not if, a crisis occurs.
Getting Ahead of Potential Problems
Baseline preparation for companies serious about data protection and crisis response should include appointing an event response team comprising executives and participants from across the business (e.g., senior management, risk management and security, compliance and audit, IT and operations, legal, corporate communications, and customer-facing groups). The response team should be charged with developing a risk assessment and response grid or matrix that determines how your team responds to breach events of varying severity (a First Data white paper published in January of this year provides an excellent example of an effective response matrix). And, as part of its normal corporate communications function, a company should have a communications plan in place so that it can control messaging.
When protecting valuable and confidential data, your company must consider how to account for external and internal threats, how to ensure its customers’ data is protected when exposed to third parties, and how to bolster its ability to quickly detect theft or loss (see below).
In 2005, a computer hacker broke into the network of Arizona-based payment processor CardSystems and stole confidential and restricted data on 40 million bankcard and other card customers, making it one of the largest data breaches in history. The attack damaged the company’s brand so badly that it was quickly sold to Pay By Touch. Even under new ownership, part of the legal settlement requires the company to submit to an independent audit every year for the next 20 years, and new lawsuits continue to surface in the case. Other high-profile breaches have come and gone, including discount clothing retailer TJX Companies and processors Heartland Payment Systems and RBS WorldPay. The results are brutally expensive and long-lasting. Do not assume that it will not happen to your company. In fact, assume it will and prepare accordingly.
Sources of information for this article: Tedder, Krista. “Don’t Wait for a Data Compromise.” First Data, Jan. 2010. “Protecting Financial Enterprise Data from Two Faces of Risk.” Lumension, June 2010.