"The Battle Over Personally Identifiable Information is Lost"

The report indicates that despite significant US media attention, increased state legislative demands, negative customer reaction and substantial costs associated with consumer data loss, millions of customer data records continue to be lost or stolen every month. Financial institutions must now assume that all of their clients' and prospects' personal information has been compromised or will be. Over 100 data breach incidents containing millions of data records were reported in just the first four months of 2009. Recent instances include hackers accessing a Federal Aviation Administration system and the theft of laptops from the Dezonia Group. Compromised PII has a crippling impact on businesses and consumers.

"While greater access to customer data is key for businesses to improve customer relationship management and business processes, there will always be repercussions, including the possibility of personal data landing in the hands of the wrong parties," said George Tubin, Senior Research Director for Financial Information Security at TowerGroup. "However, while the battle to protect data has been lost so far, TowerGroup firmly believes that the war can be won."

TowerGroup recommends the following guidelines for financial services institutions to curb the use of compromised PII to commit financial fraud:

• Assume that traditional account information such as a client or prospect's name, social security number, address, telephone number, date of birth and account balance are useless as authentication factors. Instead, consider using knowledge-based authentication and one-time passwords delivered via Short Messaging Service (SMS).
• Implement an integrated, cross-channel fraud prevention strategy that detects and diagnoses possible use of fraudulently obtained PII in real time and across all business practices.
• Continually evaluate and evolve fraud prevention approaches because smart fraudsters constantly change their means and tactics for breaking security systems and stealing data.

TowerGroup recommends that, concurrently, government regulators implement meaningful data breach prevention requirements and penalties that compel businesses to actually protect data. Until legislative and regulatory bodies implement these penalties, data loss incidents will persist and worsen. Highly effective and usable data loss prevention practices and technologies are readily available to all businesses but are grossly underutilized.

The TowerGroup Research Note titled "Protecting Personal Information: We Lost the Battle, Can We Win the War?" may be purchased online at the TowerGroup Store via credit card by using this link: http://store.towergroup.com/index.asp?PageAction=VIEWPROD&ProdID=656.