All kinds of organizations have been affected by data security breaches, from government departments to well-known financial institutions. There is no indication that the problem is subsiding. Recent research found that there had been over 25 million exposures of personal records to potential theft and fraud over a 12-month period. This equates to the same number of households in the UK and highlights the enormous security challenge facing British public and private sector organizations in today’s data-rich society.
Organizations of every kind keep records on their clients and customers, which is vital for a whole array of business practices such as sales activity, marketing campaigns and customer service. Transactional processes such as billing, credit and finance requirements all involve maintaining detailed personal records. The need for more sophisticated methods of tracing fraudsters and data thieves has never been greater.
Most institutions have already put tight internal measures in place, but all too frequently these measures do not pay attention to the eventuality of a breach. Most companies would be appalled to find their customers were contacted inappropriately by rogue traders with, at worst, fraudulent intentions. Unfortunately, these breaches are all too often a result of human intervention.
A whole host of situations involving human interference might be to blame, from something as simple as an employee losing their work laptop to a more sinister stimulus such as an employee who is being blackmailed by criminal elements to obtain customer data. For larger list owners, the consequent recovery of clients’ marketing communications would typically run costs into hundreds of thousands of pounds or euros, not to mention the subsequent chaos for customers and employees alike.
The security and accessibility of data sets is frequently viewed as a purely internal issue. If an organization were to admit that it had experienced a breach of its data security, that might open it up to potential legal liability as well as exposure of its reputation. So most keep quiet if it happens. Even the requirement of the Data Protection Act 1998 to keep personal data secure has tended to be viewed as an entirely internal process.
One consequence of this inward focus has been a lack of clear ownership and specified processes to deal with data security. Often the issue is handled within IT departments rather than as a standalone function.
Abuse of this “out of sight, out of mind” attitude has therefore been relatively easy. It is an uncomfortable fact that most breaches of data security are carried out by an organization’s own staff, including its directors and senior managers. Recent research by KPMG Forensic found that the typical company fraudster is a trusted male executive who gets away with over 20 fraudulent acts over a period of up to five years or more.
Significant changes in the broader culture across commerce and the public sector – and especially among data subjects – mean that “laissez faire” is no longer an acceptable attitude. Growing legal pressures, from industry-specific regulations to international laws, now mean that every organization that has data needs to be sure it is holding on to it. Indeed, leading brands are becoming increasingly aware of the damage security breaches can do to their image. As a result, data security is moving from an IT discussion to the boardroom, not least because the brand is often the most highly-valued asset on the balance sheet.
Data security can never be 100 percent. It is not possible to guarantee the total safety of any asset, whether physical or virtual, which needs to be in constant use. Certain measures will deliver a much higher degree of security, however, and are more likely to meet compliance requirements.
Perhaps most importantly, data security is being addressed almost exclusively from the point of view of stopping data leaving the organization through, or to, an unauthorised party. Firewalls and encryption routines help prevent illegal access to sensitive information. The problem with this approach – whilst absolutely necessary – is that such measures cannot protect against computer theft, loss or theft of data on physical media, or loss or theft of physical records. Moreover, although escalation procedures once a breach has occurred can minimise the impact of identity fraud, they cannot help trace the fraudsters.
Therefore, there is a significant need to widely implement measures for tracking and tracing identity thieves and fraudsters once a breach has occurred. There are various means of doing so, whether electronic or physical. However, all involve the use – in one way or another – of “seed names”. Seed names are agents or identities that appear to be real customers but have in fact been inserted into the database to obtain a view of any unauthorized use of the records.
In a real-life example, the direct marketing industry uses such ‘sleepers’ as standard practice to guard against unauthorized use of commercial mailing lists. Now corporations and government bodies are beginning to adopt the same approach in order to monitor data abuse. Even in the early stages of such techniques in the wider commercial and public sectors, there have been cases of preemptive discovery, where unauthorized data usage (in fact data theft) has been identified which would otherwise have lain undiscovered.
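The seed-name technique described above, as an added worked example in Python (this is not code from the original article or from any organization it mentions). It assumes the list owner holds a secret key and monitors the seed mailboxes, and it goes slightly beyond the text in one respect: each distributed copy of the list gets its own derived set of seed identities, so that an unsolicited contact reaching a seed can be traced back to the particular copy that was misused. All customer records, seed details and the leak event are constructed for illustration.

```python
"""Seed names ("sleepers") for detecting and tracing unauthorised use of a customer list.

Added example; every name, address and domain below is constructed.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Optional

# Assumption: a secret held only by the list owner, so nobody who receives a
# copy of the list can work out which records are seeds.
SEED_KEY = b"constructed-example-key"


def make_seed(copy_id: str, index: int) -> Dict[str, str]:
    """Derive one seed identity bound to a particular distributed copy of the list.

    Because the identity is keyed to copy_id, a contact that reaches it identifies
    which copy was misused. The mailbox domain is assumed to be owner-controlled.
    """
    tag = hmac.new(SEED_KEY, f"{copy_id}:{index}".encode(), hashlib.sha256).hexdigest()[:8]
    return {
        "name": f"Alex Seed-{tag[:4].upper()}",
        "email": f"alex.{tag}@seed.example.org",
        "postcode": f"ZZ{index:02d} {tag[4:7].upper()}",
        "copy_id": copy_id,
    }


def seed_list(records: List[Dict[str, str]], copy_id: str, n_seeds: int = 2) -> List[Dict[str, str]]:
    """Return a copy of the list with n_seeds seed records scattered through it.

    Positions are derived from the key so the owner can reproduce them, but they
    look random to the recipient, and the copy_id field is never distributed.
    """
    out = [dict(r) for r in records]
    rng = random.Random(int.from_bytes(hashlib.sha256(SEED_KEY + copy_id.encode()).digest(), "big"))
    for i in range(n_seeds):
        seed = make_seed(copy_id, i)
        seed.pop("copy_id")
        out.insert(rng.randrange(len(out) + 1), seed)
    return out


def build_seed_index(copy_ids: List[str], n_seeds: int = 2) -> Dict[str, str]:
    """Map every seed e-mail address (normalised) back to the copy it was planted in."""
    return {make_seed(c, i)["email"].lower(): c for c in copy_ids for i in range(n_seeds)}


def attribute_contact(recipient_email: str, index: Dict[str, str]) -> Optional[str]:
    """Return the copy_id an unsolicited contact traces back to, or None when the
    address is not a seed (a genuine customer, or unrelated to this list)."""
    return index.get(recipient_email.strip().lower())


# Constructed customer list (not real people) and two copies handed to partners.
CUSTOMERS = [
    {"name": "Priya Patel", "email": "priya@example.com", "postcode": "AB1 2CD"},
    {"name": "Tom Brown", "email": "tom@example.com", "postcode": "EF3 4GH"},
    {"name": "Mei Chen", "email": "mei@example.com", "postcode": "IJ5 6KL"},
]
COPIES = ["partner-a", "partner-b"]


def demo() -> Optional[str]:
    """Distribute seeded copies, then trace a constructed unsolicited mailing."""
    distributed = {c: seed_list(CUSTOMERS, c) for c in COPIES}
    assert all(len(v) == len(CUSTOMERS) + 2 for v in distributed.values())
    index = build_seed_index(COPIES)
    # Constructed event: a marketing e-mail the owner never authorised arrives at
    # one of the addresses that existed only in partner-b's copy. Case is varied
    # to show that matching is done on the normalised address.
    leaked_seed_address = make_seed("partner-b", 1)["email"].upper()
    return attribute_contact(leaked_seed_address, index)


if __name__ == "__main__":
    print(demo())
```

Matching on the e-mail address alone is the simplest signal; in practice the owner would index the seed's postal address and name variants as well, since a misused list may surface as physical mail or telephone contact rather than e-mail, and a thief may reuse only part of each record.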
Notification of data security breaches is likely to become a legal requirement. In the US, in 2002, California became the first state to pass a Notice of Security Breach law requiring any organization that suffers a breach of its data security and the loss of personal data to disclose this fact and to offer assistance to the data subjects affected. A further 33 states have since implemented similar legislation.
Some European Union states have similar laws in place, though not currently the UK. However, the introduction of the E-Commerce Directive 2006 has created a new regulatory framework for electronic communications networks and services. The objective of this framework is to protect citizens and businesses within the EU when they are using e-commerce.
To meet the terms of the directive, the UK’s Information Commissioner drew up new proposals affecting Internet Service Providers and network operators. These require the notification, to the national regulator, of any security breaches involving the loss of personal data. The regulator must then decide whether it is in the public interest to inform the general public of the breach. Notification to the customer is also required where any breach of data security leads to the loss, modification or destruction of, or unauthorized access to, personal data.
While not yet implemented, these requirements are likely to come into force in 2007. They create a new climate of opinion and a legal background that is likely to lead to pressure for the same standards to be applied by all data owners, whether using electronic networks for data transmission or not.
Public and private sector organizations are holding an increasing volume of data on customers and citizens. If such organizations are to continue to be allowed to use this information to improve customer service, they also have to take on the responsibility of keeping it safe and secure. The exposure of 25.45 million personal records every year to potential theft and fraud is already unacceptable. In addition, individuals must become more savvy and responsible about the way they keep and dispose of their personal records.
For organizations to concentrate only on internal systems security is not enough. Equal attention needs to be given to ways of tracking and tracing abusers and fraudsters after a data breach has occurred, so that the perpetrators might more frequently be brought to justice. Only by removing the criminal element from the picture can the tidal wave of identity fraud be turned back.