Why It's Important: Being branded with the scarlet letter that often follows a data breach incident is a public relations nightmare for financial institutions. Damage to customer relationships often is irreparable in the event of data loss, particularly in the financial services industry. The largest part of the average $182-per-record loss resulting from data breaches is the lost-customer opportunity cost, which Ponemon Institute values at $98 per record. While these numbers represent a cross-industry study, the churn rate for the financial services industry -- the number of customers taking their business elsewhere in the event of a publicized breach -- tends to be higher than in other verticals.
Where the Industry Is Now: There were multiple high-profile data breaches in 2006, and financial services firms were not spared. Notable firms in the news for data exposure included Fidelity Investments (196,000 records compromised), ING U.S. Financial Services (21,500 records), Bisys Group (61,000 records) and Nationwide Retirement Solutions (38,443 records), according to the Privacy Rights Clearinghouse. In addition, online brokerages E*Trade Financial and TD Ameritrade reported fraud losses totaling $22 million resulting from a market manipulation scheme executed via hacked accounts.
Focus in 2007: In addition to curbing the number of data breach events, information security professionals are keeping an eye trained on the size of data breaches. Concern is mounting that a major data loss, such as the May 2006 Department of Veterans Affairs loss of 28.6 million records, will result in a knee-jerk attempt by lawmakers to protect consumers. While new legislation appears likely, industry anxiety is mounting that it will come in the form of possibly misguided federal regulation. Several bills with heavyweight political backers sit in the House of Representatives and the Senate, and industry observers agree that the shift of power back to the Democratic Party in Congress should expedite the passing of legislation, perhaps as soon as this year.
Industry Leaders: Despite recent breaches, the online brokerage community has, by necessity, led the way in protecting customer data. Maintaining the integrity of the online channel is essential, as trust in e-commerce is the foundation of the discount brokerage business model. By developing user-friendly online security centers that feature best practices and security software, brokerages such as E*Trade, TD Ameritrade and Charles Schwab have transferred partial responsibility and power to customers. However, customer education efforts won't completely take hold until key players in the financial services industry organize a unified education program. Still, in most cases, financial firms continue to cover losses resulting from security-related breaches.
Technology Providers: Although technology is occasionally to blame for data exposure, the details of incidents repeatedly prove that the problem is, at its core, a people problem. While there are many providers of technologies that are deployed as part of a larger security infrastructure, there is no technological panacea. Still, most firms have a good grip on protecting themselves against malicious attacks -- it's the inadvertent failures, such as lost or stolen laptops, and customer carelessness that cause the biggest headaches.
The Price Tag: The total per-record cost of a data breach increased 30 percent in 2006, according to the Ponemon Institute. Criminals understand the value of customer data, and they're sure to develop more-sophisticated attacks to exploit it. As the threats to customer data mature, the incurred costs will continue to rise. While firms do not disclose the costs of customer education efforts, it is clear that the value of prevention efforts rises with each exposed customer record.
10 Critical Business Technology Issues for The Street