As cautionary tales go, two recent high-profile data breaches pack quite a punch.
In May, a Bank of America employee allegedly leaked confidential information about hundreds of customers' accounts to a ring of fraudsters -- a breach that cost the bank an estimated $10 million in losses. Then in early June, a hacker tapped into Citigroup's online banking platform, Citi Account Online, potentially exposing the personally identifiable information of hundreds of thousands of Citi customers.
The incidents made consumers nationwide think twice about the institutions in which they place their money -- and their trust. The banking world, meanwhile, was left not only with the sense of being yet another industry under siege by data thieves, but also with a clear picture of the financial implications should administrators fail to shore up security.
Current statistics validate the concerns: According to a study by the Ponemon Institute, criminal data breaches are on the rise, accounting for 31 percent of breaches in 2010 -- a seven-point increase from 2009. (Employee negligence ranks as the most common cause, accounting for 41 percent of breaches.) The institute also found that the average organizational cost of a data breach climbed to $7.2 million in 2010, while the cost per compromised record averaged $214. Overall, total breach costs have grown every year since 2006.
Banks are not without recourse, however. Nor do managers have to wait to begin fighting back against data theft. A number of cost-effective, easily implemented strategies are available to the typical branch banker.
The first step is simply to understand the data life cycle at your bank -- that is, take the time to identify how data is collected, used, transmitted and destroyed. From there it becomes easier to pinpoint vulnerabilities in the chain and establish strategies for mitigating risk.
Also, learn the four fundamental rules for managing sensitive data: If you don't need it, don't collect it. If you collect it, collect only what you need. If you do need it, control and encrypt it. And when you no longer need it, get rid of it securely.
Remember as well that data exists in three forms: on paper, electronically, and in human memory. Paper and electronic data can be managed through system policies, security measures and audits. The human element, however, is more difficult to control. As a result, it's important to limit data access to those who "need to know"; to grant access only to necessary data; and to be deliberate about how it's used and shared.
While most banks would benefit from tailoring a plan to meet their particular security needs, there are also basic strategies that any bank can employ to improve data risk management.
Consider these 10 steps to get started.
1. Protect bank waste. Take a dumpster dive. You'll be surprised to see what the branch has actually thrown out. Are documents containing customer information properly shredded?
2. Secure the ATM. Examine it for signs of tampering, such as the installation of a skimming device or unauthorized camera. Make sure routing, transit and account numbers aren't visible on printed receipts.
3. Stand outside and look through the windows. Make sure customer data isn't visible at workstations, computers, or desktops.
4. Identify sensitive data that can be exploited by insiders. That may include customer applications, account holders' agreements and signature cards, transaction documents, and branch-held customer statements and checks, to name a few.
5. Keep an eye out for customer information that is left unattended or unsecured. Develop a procedure to check for unsecured data at the close of business. Provide secure storage areas such as locking desks and file cabinets for this data.
6. Separate sensitive trash from regular waste. Place it in a secure disposal bin. Set up a reliable crosscut shredder that's easily accessed.
7. Secure in-branch computers available for online banking demonstrations. Make sure they can't be easily stolen. Wipe confidential data from their memory. Lock down USB ports so unauthorized software can't be loaded onto the devices. And update firewalls, antivirus software and patches on a regular basis.
8. Establish a sign-in process for visitors. Nonemployees shouldn't have access to nonpublic areas in the branch, and they should be required to produce adequate identification upon entry.
9. Check video surveillance daily to ensure that it's operating properly. Consider using video surveillance systems with motion detection to document after-hours branch activity by maintenance and security personnel.
10. Wipe clean the memory on hard drives of copiers, computers and fax machines before disposing of them.
The above steps may be simple, but -- when incorporated into daily practice -- they can go a long way toward tightening data security at your branch. The cost of complacency, on the other hand, is one no bank can afford.
Brian McGinley is the senior vice president of data risk management at Identity Theft 911. With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, he has held senior positions at Wachovia Corp. and Citigroup. Previously, he served as chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.