Lynne B. Barr, a Boston-based partner at law firm Goodwin Procter LLP, recently observed that "virtually every day, either the evening news, the trade news or the front page of the Wall Street Journal talks about another data security leak."
Today was just another one of those days.
This time, Citigroup (New York, $1.49 trillion in assets) came under scrutiny with its revelation that its computer tapes were lost in transit by shipping and logistics provider UPS (Atlanta). The lost tapes contained the personal information of 3.9 million customers of CitiFinancial, Citigroup's consumer lending arm.
The need to notify the public has been driven by California's Security Breach law (SB 1386), along with recent regulatory guidance under the Gramm-Leach-Bliley (GLB) Act. The resulting regulatory environment has raised public awareness of data breaches when they do occur. "People have been losing tapes for a long time. That's not new," says Barbara Nelson, president and CEO of NeoScale Systems (Milpitas, Calif.), a provider of enterprise storage security products. "What's new is that it's in the newspaper."
Accordingly, financial services firms -- whether or not they have been directly affected by the notification laws -- are taking several steps to respond to such incidents and to prevent them from recurring.
Crisis in Confidence
Data breaches cost real money to remedy, starting with the need to assuage the affected customers. "The average cost of notifying a customer of a breach is anywhere from $30 to $50 per customer. Then, the monitoring of credit records is an additional $25," says Maureen Kelly, director of product marketing for security technology firm Vontu (San Francisco). "A number that we use that feels credible to [bank executives] is about $75 per customer."
Banks could go even further toward making the customer feel safe -- and that's not a bad idea, notes Vytas Kisielius, president of Adeptra (Norwalk, Conn.). Adeptra offers virtual automated contact centers that can be used to manage customer communications during a crisis. Kisielius compares the current public relations opportunity to Johnson & Johnson's handling of the Tylenol poisonings in 1982. When consumers no longer trusted the product, the company responded with tamper-resistant packaging and other prominent safeguards. "As the consumer, you're going to know when someone tampers with your packaging," he says. "They made their customers feel completely safe and secure in their relationship that they had with the company."
A similar approach could help banks to mitigate the crisis in confidence that consumers may show as a result of the rash of data thefts. "The winning banks will be the ones that go out of their way to demonstrate that they're as sensitive to the consumers' data as the consumers themselves -- even more so," says Kisielius.
But the cost of reaching out to the customer can pale in comparison to the legal costs involved with responding to class-action lawsuits. "You're talking six figures to read the complaint, seven figures before you get to a court," says Kevin Kalinich, national managing director for technology and professional risks in Aon's (Chicago) Technology and Telecommunications Group. Aon offers extensions of "errors and omissions" insurance that covers both indemnification and defense costs of third-party claims or losses due to litigation.
The litigation expenses kick in even if the defendant has a solid defense. "It'd be very hard for anyone to prevail on a lawsuit, unless they could prove actual harm, and they could show it traces back to this security breach," notes Prof. Fred H. Cate, director of the Indiana University Center for Applied Cybersecurity Research. "That's a pretty high standard to meet. Nobody's made it so far."
"I would guess the greatest single cost is in the press disclosure," continues Cate. "Do people think less of Citibank, or if you're a Citibank customer, are you going to be more likely to move now?"
The other risk involves the confidence of investors, or their perception that costly regulatory initiatives are in the offing. "One of the things we saw after ChoicePoint was that their share value dropped over 25 percent after the series of disclosures came out," Cate observes.
Speaking in Code
The data on the lost Citibank tapes was unencrypted, just as with the Bank of America incident announced last February, in which information about 1.2 million federal employees was lost in transit.
For CitiFinancial, that's about to change. "Beginning in July, this data will be sent electronically in encrypted form," said Kevin Kessinger, Executive Vice President of Citigroup's Global Consumer Group and President of Consumer Finance North America, in a statement.
By switching from the physical movement of unencrypted tapes to the electronic movement of encrypted digital data, CitiFinancial can mitigate both the risk that someone captures the data in transit and the risk that the data can be read if it is captured. Had the data been encrypted, CitiFinancial would not have had to notify the public under either GLB or SB 1386, observes NeoScale's Nelson. For its part, NeoScale offers an enterprise encryption appliance that works in conjunction with existing tape backup mechanisms, as well as with other transport mechanisms.
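As an added illustration (not code from the article, from Citigroup, or from any vendor named here), the following Go program seals a backup image with AES-256-GCM before it leaves the data center, so a medium or transfer captured in transit yields only ciphertext, and any altered byte or swapped tape label is detected on restore. The sample record, the key handling and the tape label are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

var SampleRecord = []byte("acct=00012345,name=J. Doe,ssn=XXX-XX-1234\n") // constructed sample, not real data

// newGCM builds an AES-256-GCM AEAD and rejects anything but a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a backup image before it leaves the data center; the key stays
// behind and mediaLabel (a tape/shipment ID) is bound as AAD. Layout: nonce||ct||tag.
func EncryptBackup(key, plaintext []byte, mediaLabel string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(mediaLabel)), nil
}

// DecryptBackup reverses EncryptBackup. A wrong key, a flipped byte or a wrong
// label fails the GCM tag check and returns an error, never decrypted garbage.
func DecryptBackup(key, blob []byte, mediaLabel string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(mediaLabel))
}
```

The key is deliberately not part of the blob: it is what a restore site must hold separately, which is exactly why a lost medium carries no readable customer data.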
Cut the Middleman
A related shift in storage architectures is to reduce the reliance upon physical transportation providers to move information from one data center to another. Given the increasing availability of high-capacity storage bandwidth, why move the tapes when you can move the data? That is what CitiFinancial has stated it will begin doing in July by moving its data electronically. Over time, this industry trend could have a major impact on the fortunes of transportation providers such as UPS in financial services, in much the same way that Check 21 impacted the business of air transportation for paper checks.
Although switching to electronic transmission would require an up-front investment in order to gain the requisite telecom capacity, encryption capabilities and data transfer mechanisms, the larger benefit can come from reduced transportation costs, as well as the opportunity to shift away from tapes onto dedicated storage devices that do not have to be moved from place to place.
At least from the perspective of storage technology provider EMC (Hopkinton, Mass.), tape is fading fast as a storage medium. "A couple of years ago, people would have looked almost exclusively at tape for archive and backup," says Tom Joyce, vice president of storage platform marketing for EMC. "Before that, it would have been tape and microfilm. Over a five-year period, all those banks turned off their microfilm and moved to magnetic tape and disk."
"In the last three years, a new class of disk technology is eating into tape," explains Joyce. "I'd expect we'll see more customers moving away from reliance primarily on tape for backup and more onto disk."
In general, the architectures that banks use to transmit data within their organizations and to third parties are in dire need of an overhaul. "Companies have been trying to digest all of the advances in technology, all of the systems that they've purchased, and the investments over the past five years in technology -- and some of their processes are out of date," says Vontu's Kelly. "What's going to prevent incidents like [CitiFinancial] is companies taking a cross-functional look at what their people are doing, the processes and the technology."