Digital Security Threats in Modern Banking
Individuals who have discovered unauthorized charges on their credit cards or learned that someone has used their name to take out a loan are not alone. Identity theft is a growing concern that affects millions annually. A recent CNN/Money magazine article highlights a troubling trend: over 13 million people were victims of identity fraud last year, up from 12.6 million in 2012, according to a study by Javelin Strategy & Research. This marks the second-highest number of victims recorded in the decade-long history of the study, indicating that consumer data is increasingly at risk.
In recent times, high-profile data breaches at companies like eBay, Home Depot, Neiman Marcus, and Target have underscored the vulnerability of consumer data. Businesses, especially retail organizations and financial institutions, have long been aware that storing payment card information requires robust security measures. Stolen data can be used for unauthorized purchases, creating fake IDs, securing fraudulent loans, and other illicit activities. Therefore, internal auditors must prioritize protecting credit and debit card information as part of their broader fraud prevention efforts.
Introduction
Identity theft in the United States is often viewed as an escalating problem. However, an examination of available data reveals a more nuanced picture: while certain types of identity theft are indeed on the rise, others are showing a decline. The primary concern for individuals remains the unauthorized disclosure of sensitive personal data, such as social security numbers. Recent data breaches at major corporations like Target, Sony, JPMorgan Chase, and Home Depot highlight the critical need to prevent unauthorized access to personal information. A notable example is the 2014 breach of Home Depot’s payment card systems, leading to the theft of vast amounts of consumer information. This essay will explore the Home Depot breach's facts and legal implications through three lenses. First, it will assess Home Depot's accountability under current data breach notification laws. Second, it will consider Home Depot’s potential liability if a proposed federal data breach notification framework, introduced by Senator Leahy, becomes law. This essay argues that current state notification laws fail to adequately protect consumers, and while Senator Leahy’s bill offers improvements, it may still fall short. Lastly, it will examine the potential impact if the Federal Trade Commission (FTC) were to implement a penalty system akin to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Such a model, imposing significant penalties on companies experiencing breaches, could better serve public interests.
Data Protection: A Multifaceted Challenge
In today’s digital age, information that can uniquely identify an individual, such as credit card numbers, bank account details, social security numbers, and driver’s license numbers, is routinely collected by businesses during transactions. This data collection is essential for verifying the legitimacy of transactions and preventing fraudulent activities. However, when organizations store Personally Identifiable Information (PII) in their databases, they become custodians of this sensitive information, bearing the responsibility for its protection. Internal auditors play a crucial role in identifying potential vulnerabilities where customer PII may be exposed and ensuring that internal systems do not allow unrestricted access to sensitive data.
The Three States of Data
Understanding data protection requires an awareness of the three states of data: data in use, data at rest, and data in motion. Data in use refers to information on terminals, displays, handheld devices, and paper reports that employees use in their daily tasks. Data at rest encompasses information stored on file servers, computers, tablets, and repositories like email and web servers. Data in motion is information transmitted over networks. Each state presents unique challenges and requires specific protection measures.
Data at rest typically requires encryption to prevent unauthorized access. However, encryption may be overlooked due to management’s belief in the security of their devices or networks, or due to performance concerns related to encryption and decryption. Should these devices be compromised, the data could be exposed. Similarly, encryption is the preferred method for protecting data in motion, though it may not always be feasible if the recipient lacks decryption capabilities. In such cases, alternative security measures like password protection, security keys, and biometric identification should be considered.
The Role of Internal Auditors
Internal auditors must thoroughly understand the specific information their organization seeks to protect and the associated costs. As data security is primarily an information security issue, collaboration with the information security team is essential. Auditors should perform a comprehensive inventory to locate all instances of PII within the organization. This involves listing each application, hardware device, report, and item that may contain PII, and categorizing them according to their data state: in use, at rest, or in motion. The inventory should also note how each PII item is protected or where additional protection may be needed. This inventory serves as a roadmap for identifying and securing PII, demonstrating due diligence in data protection.
Armed with this inventory, auditors can evaluate the organization’s risk exposure and determine appropriate protection methods. Beyond testing existing encryption, auditors should scrutinize data usage controls and data security policies and procedures. This proactive approach helps identify potential risks and implement effective security measures to safeguard sensitive information.
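The PII inventory described above, turned into a small worked example (added here; not code from the original essay): items are recorded with their data state and the controls in place, then checked against the protection expectation for that state so the gaps become the audit roadmap. The acceptable-control table and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The three data states named in the essay.
IN_USE, AT_REST, IN_MOTION = "in use", "at rest", "in motion"

# Which controls satisfy each state. Encryption is the essay's expectation for data at
# rest and in motion; password protection, security keys and biometrics are its stated
# fallbacks for data in motion. Treating "access control" as sufficient for data in use
# is an assumption made for this example.
ACCEPTABLE = {
    AT_REST: [{"encryption"}],
    IN_MOTION: [{"encryption"}, {"password"}, {"security key"}, {"biometric"}],
    IN_USE: [{"access control"}],
}

@dataclass(frozen=True)
class PiiItem:
    name: str            # application, device, report or other item holding PII
    state: str           # one of the three data states
    pii: tuple           # PII elements the item holds
    controls: frozenset  # protections currently in place

def group_by_state(items):
    """Roadmap view: every PII-bearing item, bucketed by data state."""
    out = {IN_USE: [], AT_REST: [], IN_MOTION: []}
    for it in items:
        out.setdefault(it.state, []).append(it.name)
    return out

def find_gaps(items):
    """Return (name, state, reason) for items whose controls fall short for their state."""
    gaps = []
    for it in items:
        if it.state not in ACCEPTABLE:
            gaps.append((it.name, it.state, "unknown data state"))
            continue
        if not any(req <= it.controls for req in ACCEPTABLE[it.state]):
            gaps.append((it.name, it.state, "no acceptable control for " + ", ".join(it.pii)))
    return gaps

# Constructed sample inventory for a retailer's card-handling environment.
SAMPLE = [
    PiiItem("POS terminal", IN_USE, ("card number",), frozenset({"access control"})),
    PiiItem("card-holder database", AT_REST, ("card number", "name"), frozenset()),
    PiiItem("nightly settlement transfer", IN_MOTION, ("card number",), frozenset({"encryption"})),
    PiiItem("loan application emails", IN_MOTION, ("SSN",), frozenset({"password"})),
    PiiItem("backup tapes", AT_REST, ("card number", "address"), frozenset({"offsite storage"})),
]

if __name__ == "__main__":
    for name, state, reason in find_gaps(SAMPLE):
        print(f"GAP: {name} ({state}): {reason}")
```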
Judicial Insights into Data Security
Recent court cases have affirmed the FTC’s authority and approach to establishing data security norms. For instance, in the Wyndham case, the court upheld the FTC's jurisdiction over data security standards, reinforcing the commission's role in regulating corporate data protection. However, the LabMD case presented a challenge, as the judge expressed concerns about the FTC's jurisdictional reach in the administrative context. This judicial pushback highlights the evolving legal landscape surrounding data security and the need for clear, enforceable regulations.
Conclusion
The Home Depot breach of customer credit and debit card information underscores the urgent need for comprehensive data security regulations. The company’s alleged failure to secure its payment systems resulted in the exposure of millions of consumer records, including email addresses and payment card data. The consequences for both consumers and Home Depot have been significant. To prevent such breaches, companies must be incentivized to secure customer data effectively. Current state data breach notification statutes are insufficient, as they require proof of damages from inadequate notification. While Senator Leahy’s Consumer Privacy Protection Act of 2015 offers some improvement, the FTC should be empowered to impose fines on companies that experience breaches. Adopting a regulatory framework modeled after HIPAA and HITECH, which incentivizes compliance with data security regulations, would better protect consumers. The FTC should implement similar regulations, including provisions from HIPAA’s Privacy, Security, and Enforcement Rules, with affirmative defenses and exceptions to prevent undue liability on companies targeted by hackers.
Digital Security Threats in Modern Banking. (2021, Oct 16). Retrieved from https://papersowl.com/examples/home-depot-data-breach/