Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 05, 2014
There's No Such Thing as a Good Data Breach
While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.
It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?
In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.
But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.
We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customer's name, address, phone number, and e-mail address—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.
These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.
Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference There's No Such Thing as a Good Data Breach:
- Top 10 Payments Events in 2014
- Under Pressure: The Fate of the Independent ATM Operators
- What’s Unsettled in Faster Payments?
- Consumer Prepaid Protections May Be Catching Up with Prepaid Use
- Virtual Currency Environment Still Fluid after Latest Rulings
- ISO 20022 in the United States: What, When, Why, and How?
- Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?
- Mobile Biometrics: Ready or Not, Here They Come
- Starting Off on the Right Note with Mobile Enrollment
- Let's Talk Token, Part II: Distinguishing Attributes
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud