Friday 17 April 2009

Data security standards - A toothless tiger?

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and the financial sector accounted for the overwhelming majority of the compromised records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008, and that 90% of the compromised records were attributed to attacks by organised criminal groups.

Interestingly, most (74%) of the breaches were carried out by external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from outside attackers compromising internet-facing servers and applications. Financial service providers are doing nowhere near enough to secure customer data, and that includes basic protective measures such as encrypting the data itself.

The credit card companies introduced PCI-DSS (the Payment Card Industry Data Security Standard), which sets requirements for security management, policies, procedures, network architecture, software design and other protective measures for securing cardholder data. The standard includes basic requirements such as maintaining a firewall, rendering stored card numbers unreadable, and encrypting the transmission of cardholder data across open, public networks.

However, according to Verizon's report, 81% of the breached organisations that were subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and can face fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered what was at the time the largest known data breach: hackers stole 45.7 million credit and debit card numbers, along with personal data, including the driver's licence numbers of another 455,000 customers.

TJX was not compliant with PCI-DSS, as cardholder data was stored unencrypted. Penalties for non-compliance range from fines of up to $500,000 and increased auditing requirements to losing the ability to process card transactions altogether. But if Verizon's statistics are anything to go by, PCI-DSS appears to be something of a 'toothless tiger' when it comes to forcing companies to implement even the most basic data security measures.

This raises the question: why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use, and how to manage the keys, since encrypted data stored next to its key is no better protected than plaintext) or just plain ignorance? Certainly the reputational damage, as evidenced by TJX, far outweighs the upfront cost of securing and encrypting customer data.
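To make the "what form of encryption" point concrete, here is an added example (not from the original post, and not code from Verizon, TJX or the PCI council) of how a merchant application can store a card number so that a stolen database does not yield usable card data. It uses AES-256-GCM from Go's standard library: the primary account number (PAN) is encrypted with a random per-record nonce, the record identifier is bound in as associated data so a ciphertext cannot be moved between records, and only a masked form (first six and last four digits) is kept in the clear. The record ID, the test PAN and the in-memory key are constructed for the example; in a real deployment the key would come from an HSM or key-management service, never from the same store as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is what the merchant database would hold: the full PAN is never
// written in the clear. The ciphertext includes GCM's 16-byte authentication tag.
type StoredCard struct {
	MaskedPAN  string // e.g. "411111******1111"
	Nonce      []byte // 12 random bytes, unique per encryption
	Ciphertext []byte // AES-256-GCM output over the PAN
}

// MaskPAN keeps the first six and last four digits, the maximum PCI-DSS allows
// to be displayed. Anything outside the 13-19 digit range is fully masked.
func MaskPAN(pan string) string {
	if len(pan) < 13 || len(pan) > 19 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// newGCM builds an AES-256-GCM AEAD; a wrong-sized key is refused up front
// rather than silently falling back to a weaker AES variant.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN encrypts a PAN for storage. recordID is passed as associated data:
// it is authenticated but not encrypted, so decryption fails if an attacker
// swaps this ciphertext into a different customer's record.
func EncryptPAN(key []byte, recordID, pan string) (StoredCard, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return StoredCard{MaskedPAN: MaskPAN(pan), Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN recovers the PAN. Any change to the ciphertext, nonce, key or
// record ID makes GCM's tag check fail and returns an error, not garbage.
func DecryptPAN(key []byte, recordID string, sc StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, sc.Nonce, sc.Ciphertext, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong key, wrong record, or tampered data): %w", err)
	}
	return string(pt), nil
}

func main() {
	// Assumption for the demo: a fresh random key. In production the key lives
	// in an HSM/KMS and is never stored alongside the cardholder data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test PAN, not a real card
	sc, err := EncryptPAN(key, "order-1001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored masked PAN: %s, ciphertext bytes: %d\n", sc.MaskedPAN, len(sc.Ciphertext))

	if pt, err := DecryptPAN(key, "order-1001", sc); err == nil {
		fmt.Println("authorised decrypt recovers PAN:", pt == pan)
	}
	// Tamper with one ciphertext bit: the authentication tag no longer verifies.
	sc.Ciphertext[0] ^= 0x01
	_, err = DecryptPAN(key, "order-1001", sc)
	fmt.Println("tampered record:", err)
}
```

The point for a PCI-DSS reader is that "encrypting the database" with a key sitting in the same configuration file the attacker can read achieves very little; the design above still depends on the key being issued and guarded separately, which is the part most breached organisations get wrong.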
