This article by me was first published in Retail Banking Review here.

Last year’s Heartland Payment Systems’ spectacular data breach stemmed from errors that allowed hackers to break into the payment processor’s networks and steal data on approximately 130 million credit and debit cards over several months.

But most data breaches do not involve sophisticated hackers. They usually result from not following simple procedures.

In 2009, the UK Financial Services Authority (FSA) fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.

During its investigation into the firms’ data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.

In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

In February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime.

The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

In the last four years, the FSA has also fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

Why are data breaches a concern?
Any breach of the secure storage of customers’ personal information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim’s name.

What is Australia doing?
In Australia, the Privacy Act currently does not require individuals to be notified when their personal information has been compromised or subject to a security breach.

As Australia does not yet have mandatory data breach notification laws we don’t know about breaches other than those that get public notoriety (eg files dumped in bins, stolen laptops or forgotten CD’s.)

The Australian Privacy Commissioner, Karen Curtis, has released a “Guide to Handling Personal Information Security Breaches“. It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).
Step 3: Consider notification
Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals. This is consistent with the recent Australian Law Reform Commission report recommendation.

By requiring notice to persons who may be affected adversely by a breach, data breach notification laws seek to provide such persons with a warning that their personal information has been compromised and an opportunity to take steps to protect themselves against the consequences of identity theft.

The Federal Government will not make a decision on mandatory data breach until the second stage of its response to the ALRC Report (to be considered once the first stages reforms have been progressed). In the meantime the Privacy Commissioner’s voluntary guide should be considered when developing a policy on responding to data breaches.

The cost of notification
The cost of notification does not just include the actual cost involved in notifying every individual affected by a security breach. Notifying customers of a security breach also gives rise to a real potential for market damage to the organisation, including reputational damage, lost customers and lost future profits.

Avoiding breaches
We can learn from an analysis of breaches notified in the USA. Verizon’s 2009 Data Breach Investigations Report concluded:
74% were caused externally, 20% internally;
67% were aided by errors, 22% involved privilege misuse;
69% were discovered by a third party, 87% were considered avoidable through simple controls.

The 5 recommendations were:
• Ensure essential controls are met.
• Have data retention policies: find, track, and assess data.
• Collect and monitor event logs.
• Audit user accounts and credentials.
• Test and review web applications.