The Javelin report, Data at Rest is Data at Risk, also revealed that payment card and Social Security number data breach victims suffer the highest rates of related fraud, especially in the retail, financial and healthcare sectors.
Among those consumers who were notified of breaches in 2012, 4.4 million Americans were both notified that their payment card information was compromised in a data breach and suffered fraud on their existing credit or debit cards. In addition, 1.26 million Americans were both notified that their Social Security numbers were compromised in a data breach and became victims of identity fraud.
Further, 270,000 Americans were both notified that their online banking credentials were compromised in a data breach and suffered fraud on their financial accounts, including checking and savings accounts; a further 324,000 Americans had both their bank account numbers compromised in a data breach and became subsequent victims of fraud incurred against their checking, savings or other financial accounts.
“By breaching the data stores of businesses in the financial, healthcare and retail industries, criminals can obtain the fuel they need to execute various fraud schemes, and these crimes have crippling consequences,” said Al Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research, in a statement.
Beyond the risk of civil liability associated with breach-related identity fraud, businesses can also face regulatory enforcement actions and penalties, reputational damage and the loss of customers. Defining and protecting the sensitive consumer information typically stored by these industries is thus essential for mitigating a variety of risks to data custodians, consumers, and third-party businesses.
According to the study, retailers will remain prime targets for payment card breaches and fraud as long as payment cards remain a commonly accepted and popular payment method – which, of course, will be for the foreseeable future. Financial institutions will continue to be natural top targets because of the large amounts of client data they store, including account information and payment card data.
The US healthcare industry’s move to digitize protected health information (PHI) through electronic health records holds the potential to reduce costs for healthcare organizations. However, digitization also renders PHI vulnerable to data breaches and could increase costs for healthcare organizations if not properly managed.
To protect data at rest from compromise and subsequent misuse, Javelin recommends ongoing risk assessments, a multi-pronged process in which each step requires analysis.
“Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses,” Pascual said.
Companies should first locate and identify sensitive data – defined as any data that has value to the organization or can expose it to risk if compromised. Sensitive data should include consumer bank account information, payment card data, SSNs and other types of personally identifiable information (PII), as well as trade secrets.
Then, they should classify sensitive data accordingly, categorizing the information using a naming convention appropriate to the organization. This step can ease efforts to control the access, routing and storage of different types of data.
Data can then be secured based on risk profile, the firm noted, and security measures should be deployed that are commensurate to the risks associated with the loss of respective categories of data.
Finally, businesses should develop policies to mitigate future data management issues by implementing and enforcing policies designed to prevent unprotected data from being stored outside of approved locations, Javelin said.
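The four steps above (locate sensitive data, classify it, tier it by risk, and enforce approved storage locations) can be exercised with a small discovery check. The script below is an added illustration, not code from Javelin or the report; the file paths, contents, approved-location prefix and risk tiers are all constructed for the example.

```python
import re

# Constructed sample "files" (path -> content). Values are test data, not real records.
SAMPLE_FILES = {
    "/data/approved/payments/2012-q4.csv": "card=4111111111111111;amount=10.00",
    "/home/analyst/tmp/export.txt": "ssn=123-45-6789 name=Test Person",
    "/data/approved/hr/roster.txt": "ssn=078-05-1120 dept=finance",
    "/var/www/uploads/notes.txt": "meeting at 3pm, no customer data here",
}

# Step 4: locations where sensitive data is permitted to live (assumed policy).
APPROVED_PREFIXES = ("/data/approved/",)

# Step 3: risk tier per category (assumed; tune to the organisation's own model).
RISK_TIER = {"PAYMENT_CARD": "high", "SSN": "high"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to reduce false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Steps 1-2: locate and label the sensitive-data categories in a blob of text."""
    cats = set()
    if SSN_RE.search(content):
        cats.add("SSN")
    if any(luhn_ok(m) for m in PAN_RE.findall(content)):
        cats.add("PAYMENT_CARD")
    return cats


def assess(files=SAMPLE_FILES, approved=APPROVED_PREFIXES) -> list:
    """Return one finding per file holding sensitive data, flagging policy violations."""
    findings = []
    for path, content in files.items():
        cats = classify(content)
        if not cats:
            continue                      # nothing sensitive, nothing to report
        tier = "high" if any(RISK_TIER.get(c) == "high" for c in cats) else "low"
        findings.append({"path": path, "categories": sorted(cats), "tier": tier,
                         "policy_violation": not path.startswith(approved)})
    return findings
```

Only the file under `/home/analyst/tmp/` is reported as a violation: it holds an SSN and sits outside the approved prefix, which is exactly the condition the final step's policy is meant to catch.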