It’s been a bad summer for corporate data risk management


First, there was the news in July that the UK Financial Services Authority (FSA) had fined three HSBC firms over £3m for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen.

During its investigation into the firms' data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was left on open shelves or in unlocked cabinets, and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.

Next came the news in August of the US indictment of three men – Albert Gonzalez, a former government informant, and two unnamed Russians – for allegedly stealing more than 130 million credit and debit card numbers. Prosecutors claim that they perpetrated five corporate data breaches from 2006 to 2008, stealing card numbers from credit card processor Heartland Payment Systems and retail chains 7-Eleven Inc and Hannaford Brothers Co. They are also alleged to have targeted two additional unnamed companies.

The losses resulting from this case are expected to be huge. In May, Heartland reported that the breach had already cost it $12.6m, a figure that included legal costs and fines from Visa and MasterCard in respect of non-compliance with Payment Card Industry Data Security Standards.

These are just two of the latest incidents in a long chain of global IT and data security disasters. The HSBC case is alarming, suggesting that large financial institutions are still not taking their data protection responsibilities seriously. The successful hacking attack on Heartland and other US companies demonstrates once again the ability of criminals to outsmart supposedly secure protections.

In addition to the losses involved, there are likely to be additional outcomes. First, regulators will get tougher. Gartner Inc predicts either government regulation or industry self-regulation of IT products and services in both the US and Europe, with vice-president and analyst Richard Hunter saying that the state of IT security is now viewed as ‘unacceptably dangerous’. ‘It is probable that the EU will take formal steps to establish a regime for regulation of consumer-oriented IT products and services as early as 2011,’ Gartner claims.

Secondly, consumers are going to become increasingly reluctant to disclose credit card and other personal information, particularly online. There must be few of us who do not know at least one person who has been the victim of identity theft. Now, where did I put my cheque book?