Increasingly, over the last few years, criminals are specifically looking to gain access to consumers’ identity data and not just their payment data. The main reason for this is that with consumer identity data there are few limits to the fraudulent purposes the data can be used for, which makes it much more desirable.
Over the last few years the demand for stolen consumer identity data has risen, cybercriminals have responded by targeting more industries that handle their customers’ sensitive personal data, such as healthcare, and flooding the market with identity data ready to be purchased on the dark web. This increase in volume of available stolen identity data is shown in the decreasing prices of US health records. In, 2016 stolen records sold for $20 to $50 on the black market, in 2015 these records sold for $75 to $100. Though there has been a decrease in value of such data, cybercriminals are increasing their focus on the healthcare industry as breaches jumped by 89 percent in 2017, compared with the year before.
For organisations that lose their customers’ or employees’ identity data, the impact can be huge and may result in regulatory and card brand fines, loss in trade, reputational damage, loss of customer trust, legal, forensic and remediation costs. It’s worth noting that from May 2018, with the introduction of the General Data Protection Regulation (GDPR) regulatory fines could be up to 4% or €20m whichever is the greater of an organisation’s global turnover for a breach of EU citizens’ personal data. Additionally, a data breach could lead to clean-up costs that may include lawsuits and credit monitoring/identity theft packages for affected customers. Therefore, when considering how your business handles its customer’s personal data, apply the same security measures that you would wish to be in place to protect and secure your own identity data by those handling it.
The harm caused to the individual whose personal data is stolen and fraudulently used can be substantial. Personal data is the information used to prove a consumer’s identity – that they are the person they claim to be. If criminals have access to this data they can impersonate the individual to access their accounts and content, as well as creating new accounts, applying for loans or making purchases – all for their own gain. Recovering from identity theft is a costly, lengthy and sometimes distressing process for the individual whose data is breached. Take a look at the U.S. Federal Trade Commission’s guide to reporting and recovering from Identity Theft.
Your business should be doing all it can to make sure the personal data you hold about individuals doesn’t get into the wrong hands.
No easy answers
Unfortunately, there is no single or simple solution that will prevent data breaches and for the foreseeable future we must accept that, as this personal data is valuable to cybercriminals; they will continually seek to breach organisations’ security measures or otherwise gain access to the personal data businesses hold.
The following steps will enable an organisation to understand what PII data is in scope, risks to that data, and options to protect that PII data. Therefore, hopefully minimising the potential threats and the risks of a data breach or deliberate misuse of the PII.
- Identify what PII information is used/stored and where it is held.
- Evaluate the risk to that PII – including any vulnerabilities or ways in which the PII may be exposed to attack, and the potential threats that could exploit those weaknesses.
- Manage the risk – determine what protection is required to protect the PII data from those risks; new or additional measures may be necessary.
- Compliance – protect all PII data by establishing rules (policies and procedures). These set out the organisation’s intent and expectations for the protection of PII and provide consistent procedures and processes to be followed to make sure those policies are met.
- Educate staff and consumers about data security – make sure both staff and customers know that their actions are critical in ensuring the protection of PII.
- Protect all PII data with layered controls:
1.Network protection and intrusion detection – measures to control communications into and out of the organisation, and to detection unauthorised intrusion into your network.
2.Encryption and potential segmentation of PII data. Encryption directly protects the sensitive personal data stored by making it readable only to those with access to the keys to decrypt the data. Segmentation may be used to isolate PII from other less sensitive data so that additional measures can be applied to protect it.
3.Access Controls – make sure access control systems effectively protect PII data by limiting access to only those staff members with a business need. Make sure the rights and privileges those staff members have to that PII data are the minimum needed for them perform their job role.
4.Strong Authentication mechanisms – help to prove that a person is who they claim to be by incorporating 2 of the 3 authentication factors; something you know (e.g. password), something you have (e.g. certificate, token, etc.), something you are (e.g. thumb print, retina scan, etc.). Strong authentication helps to make sure that only authorised people gain access to the PII data.
5.Threat Protection – security solutions and technologies to protect the organisation’s systems and data, including web protection (web filtering), email filtering, network access control (NAC), application control and device control.
6.Data Loss Prevention – another threat protection good practice that focusses on monitoring and controlling outbound content rather than protection of the organisation from inbound threats.