Frontline employees are interacting freely with customers through a diverse set of channels, each of which is often overlooked in corporate governance and compliance policies. In this article, Autonomy presents the most common causes of data breaches and why safeguarding this sensitive data is a corporate responsibility.
The problem - customer data is a liability.
Widespread availability of customer and client data is becoming a great liability to corporations, their customers and their clients, creating easier access to sensitive materials and inviting crimes of opportunity. Organisations have invested tremendously against external threats to information privacy, while internal backdoor threats grow and remain unchecked. Recent news reports have suggested a rise in the underground market for sensitive data exchange, where 'data brokers' can sell customers' addresses, credit card information and social security numbers, and call centre operators are compromising credit card and account information for personal profit. This threat of losing personal data has put both businesses and consumers on high alert and left them begging for better practices and more effective technology to curb this growing problem.
The corporate responsibility
Safeguarding sensitive data from leakage is a legal and ethical responsibility for any corporation that collects, transmits and processes sensitive data about the company or its customers. Data privacy laws such as the Data Protection Act in the UK, the European Union's Internet Privacy Law of 2002, as well as the US Patriot Act, the Payment Card Industry Data Security Standards and the Health Insurance Portability and Accountability Act, among many others, mandate provisions for customer data privacy and require compliance from all corporations that handle particular types of information. However, despite these regulations, 285 million data records were breached in 2008 alone [1].
Between 2007 and 2008, insider theft more than doubled [2], affecting more than 15% of the US population. In addition, many recent, well-publicised cases in the US and the UK have involved corporate data leaks, identity theft and information scams. Failure to prevent data leakages demonstrates negligence, and executives can face significant fines from regulators (such as the Federal Trade Commission), jail time and public scrutiny. The corporate risk from data leakage is truly immeasurable. Aside from legal liability and settlement fees, the tarnish to a brand and its perceived trust after a data breach can be damaging beyond repair.
A number of media agencies and privacy watchdog groups have reported incidents of stolen or compromised data across various industries. Recent examples include the following:
- Data breach in the call centre [3]
Symantec, a globally recognised provider of security software, experienced their own backdoor data compromise in March 2009 as a BBC investigator was able to purchase valid credit cards from an employee at a call centre in India. Symantec sent warning letters to 200 customers notifying them that their information may have been stolen.
- Financial services company experiencing data leakage [4]
The FBI arrested a former Countrywide employee in an alleged scheme to steal and sell sensitive personal information, including social security numbers. The breach occurred over a two-year period. The insider was a senior financial analyst at Countrywide's subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files. In a 2009 settlement with the State of Connecticut, Bank of America agreed to pay at least $375,000 in fines.
The real threat of internal data theft
The doubling of data crime indicates current measures are ineffective at deterring data thieves inside the organisation. Preventing such data leaks requires the ability for organisations to comprehensively and continuously monitor employee activity, including desktop applications, website activity, e-mails, instant messages and phone calls, as well as the ability to identify and act on potential data privacy violations. Suspicious activities may include:
- frequent copying of files onto mobile media (CDs or flash drives);
- excessive time on screens containing personal data;
- transmission of files or information to e-mail addresses beyond the firewall;
- discussion of a customer's personal information over the phone without the customer present;
- accessing restricted or unauthorised applications; and
- transferring of information from one application to another (copy/paste).
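A minimal sketch of how several of the indicators listed above could be evaluated over an activity feed. This is an added example, not Autonomy's product logic; the event format, the mail domain, the restricted application name and every threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# All values below are assumptions for this example, not figures from the article.
INTERNAL_DOMAIN = "example.com"      # the organisation's own mail domain
RESTRICTED_APPS = {"payroll-admin"}  # applications this role may not open
MAX_MEDIA_COPIES = 3                 # removable-media copies tolerated per shift
MAX_PII_SECONDS = 1800               # seconds on personal-data screens per shift
MAX_CLIPBOARD = 5                    # cross-application copy/paste actions per shift

# Constructed sample events (user, kind, detail); not real monitoring output.
EVENTS = (
    [("alice", "media_copy", f"export_{i}.csv") for i in range(4)]
    + [("alice", "email_sent", "drop@example.com.mail.test"),
       ("bob", "pii_screen", "600"), ("bob", "pii_screen", "900"),
       ("bob", "email_sent", "team@example.com"),
       ("bob", "app_open", "crm"),
       ("carol", "pii_screen", "1200"), ("carol", "pii_screen", "900"),
       ("carol", "app_open", "payroll-admin")]
    + [("carol", "clipboard", "crm->notepad")] * 6
)

def flag_users(events):
    """Return {user: sorted indicator names} for users who tripped a rule."""
    counts = defaultdict(Counter)
    flags = defaultdict(set)
    for user, kind, detail in events:
        if kind == "media_copy":
            counts[user]["media"] += 1
        elif kind == "pii_screen":
            counts[user]["pii_seconds"] += int(detail)
        elif kind == "clipboard":
            src, dst = detail.split("->")
            if src != dst:  # only transfers between different applications
                counts[user]["clipboard"] += 1
        elif kind == "email_sent":
            # Exact domain match: a suffix test would miss look-alike hosts.
            if detail.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
                flags[user].add("external_email")
        elif kind == "app_open" and detail in RESTRICTED_APPS:
            flags[user].add("restricted_app")
    for user, c in counts.items():
        if c["media"] > MAX_MEDIA_COPIES:
            flags[user].add("frequent_media_copy")
        if c["pii_seconds"] > MAX_PII_SECONDS:
            flags[user].add("excessive_pii_time")
        if c["clipboard"] > MAX_CLIPBOARD:
            flags[user].add("clipboard_transfer")
    return {user: sorted(names) for user, names in flags.items()}

if __name__ == "__main__":
    print(flag_users(EVENTS))
```

The phone-call indicator is not modelled here because it depends on call content rather than discrete desktop events.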
Knowing what to look for is only half of the solution. With huge numbers of employees and even larger amounts of electronic information being stored and transmitted every day, businesses require advanced technologies that proactively monitor employee interactions and provide business and compliance managers with intelligence that enables them to take decisive action on violations and their perpetrators. The combination of 24/7 activity monitoring and severe consequences for employees conducting data theft or leaking information to third parties is a critical step in curbing these crimes of opportunity.
The bottom line
With the increased availability of digital information and records, a corresponding increase in data leakage and theft attempts is inevitable. Organisations unwilling to implement the necessary technologies to prevent the needless leakage of sensitive information are a risk to their customers and business partners - clients who may soon rethink the practice of exchanging data with unsecured organisations.
"Insider theft, now at 15.7%, has more than doubled between 2007 and 2008. On the other hand, data on the move and accidental exposure - both human error categories - showed a noteworthy improvement, but still account for 35.2% of those breaches that indicate cause. Electronic breaches (82.3%) continue to outnumber paper breaches (17.7%)."
Identity Theft Resource Center, January 5, 2009
Autonomy Corporation plc (LSE: AU. or AU.L)
Autonomy, a global leader in infrastructure software for the enterprise, spearheads the meaning-based computing movement. It was recently ranked by IDC as the clear leader in enterprise search revenues, with a market share nearly double that of its nearest competitor. Autonomy's technology allows computers to harness the full richness of human information, forming a conceptual and contextual understanding of any piece of electronic data, including unstructured information such as text, e-mail, web pages, voice or video. Autonomy's software powers the full spectrum of mission-critical enterprise applications, including pan-enterprise search, customer interaction solutions, information governance, end-to-end eDiscovery, records management, archiving, business process management, web content management, web optimisation, rich media management and video and audio analysis.
1. Verizon Business Data Breach Investigations Report
Autonomy Interaction Control Element (ICE)
To protect companies from unnecessary data leaks and security breaches, Autonomy offers a groundbreaking technology that automates security, governance and regulatory processes across the enterprise, allowing corporations to maintain focus on enterprise data privacy. By automatically identifying possible violations that occur in employee communication and desktop activity, Autonomy enables organisations to effectively monitor and take action on potentially criminal behaviour.
Autonomy ICE is language- and application-agnostic, allowing it to operate on any system and connect to any application, including web-based applications, recording systems, customer relationship management and helpdesk suites, e-mail systems and chat applications. By combining defined parameters with a real-time understanding of the content within an interaction made via phone, e-mail, chat, web or desktop application, Autonomy ICE identifies and takes action on any suspicious or potentially threatening interaction occurring within the organisation. When a suspicious interaction is identified, Autonomy ICE can be configured to record and archive the end-user's audio and desktop interaction, mask or mute sensitive data from a voice or screen recording, send an alert to a compliance officer, lock a workstation or perform any number of other activities to minimise and ultimately prevent sensitive data from leaving the confines of your organisation. To learn more about Autonomy ICE, download the white paper: www.etalk.com/dataprivacy
Data provided by www.idtheftcenter.org
Graphical representation created by www.pogowasright.org.