The theft of PII is no longer relegated to petty criminals and hackers; organized crime rings now target PII and sell it on the black market. Some nations even tolerate criminal hacking to steal PII as long as the criminals only steal outside of their nation's borders. The buyers of PII are interested in stealing an identity for financial fraud and leaving a person or company to clean up the mess, often to the tune of thousands of dollars in legal fees and hundreds of hours working to explain “It was not me!” The criminals don’t care what damage they do to your customers, your business partners and you.
The sad part is that the technologies to protect PII and sensitive data are readily available and mature, but many organizations have not implemented them. Is it because of the cost associated with implementing the technologies?
Cost of breaches
What is the cost of information security? On the surface there is the cost of additional hardware, software and people to manage and run the systems. But there is another side of the equation, the one we get to read about in the papers. TJ Maxx lost data on 45.7 million credit and debit cards. Forrester Research estimated the final cost to TJ Maxx at $500 million, a figure that could approach $1 billion. Now I don’t want to be the person explaining to the CEO, “We could have prevented that.” How many years will pass before people stop associating TJ Maxx with a data breach?
Just so you don’t think I’m picking on TJ Maxx, here are other data breaches that have hit the papers. Citibank lost PII on 200 thousand card holders. CardSystems lost data on 40 million cards even though a prior audit stated they were compliant with the Payment Card Industry Data Security Standard (PCI). A subsequent audit found CardSystems was no longer compliant with PCI. Health Hospitals Corp lost PII and medical data on 1.7 million patients by losing an unencrypted backup tape that was left in a car.
All of these breaches have a few things in common. Business partners were hit financially by having to cover the cost of financial fraud. Consumers were hit with added stress because their information was available to criminals. Many consumers also had to spend hundreds of hours and thousands of dollars cleaning up the mess left by criminals.
Organizations spend millions of dollars branding their reputation. All it takes is one of these events to tarnish the reputation of any organization, leaving it to spend millions on damage control and litigation or go out of business.