Even though consumers generally avoid liability if their payment card or account is breached, their troubles can go well beyond the initial financial hit for the bank or merchant, said long-time data security expert Brian Huntley.
"Technical security is great, but the card holder's data has a great footprint," said Huntley, who earlier this year joined security company IDT911 as a senior information security officer, following two decades working in security in the financial services and public utility sectors.
In the case of a breach, card-issuing institutions quickly take the necessary step to replace payment cards. But that’s just part of a larger program that should consider how stolen information can be obtained beyond a high-profile breach, and how it can be used once stolen, Huntley said.
"It's not just securing the technology channels, but it's as much or more about securing the human interfaces," Huntley said. "It's about management practices…and with information shared across other areas of an organization, the controls may be inconsistent."
IDT911 just finished work on what it calls a concierge-level household cyber coverage product that monitors the impact of a breach. Huntley recommends institutions have a data breach response plan that works across employee functions and considers the role of human resources and customer service as well as IT, security and compliance departments.
The goal is to offer proactive repairs and education after tracking, monitoring and recognizing how crooks use compromised data after a breach. The system also monitors how consumer data is accessed inside an organization as a potential guard against intentional or accidental insider fraud or exposures.
"Data breach security planning is typically postured toward hacking or someone breaking through a security perimeter," Huntley said. "But data breach response planning touches vastly more operations than a pure-play response can."
IDT911 did not release names of banks using its new product, but issued a press release naming Old Point National Bank as an adopter of its ID management and credit and fraud monitoring services.
IDT911 is launching its product amid a flurry of high-profile data breaches over the past two years, many of which resulted in mass payment card replacement.
New security and technology products are proliferating in the wake of the breaches, as many issuers are searching for ways to update data protections to accommodate the risks attached to stolen data. There is also a trend toward improving vulnerability assessments across the enterprise as part of that strategy, as issuers and merchants identify weaknesses.
Because credentials and personally identifiable information (PII) are harder to trace through commonly used security analysis, they become "even more valuable to criminals," said Julie Conroy, a research director at Aite Group.
"Credentials open multiple doors for criminals, since the majority of consumers still use the same credentials across all of their online relationships, and personal identifiable information can be used to open new accounts," Conroy added.
Healthcare records in particular are subject to breach risk because they fetch more money "per record," as healthcare records are rich in PII.
"As we move to EMV, we'll likely follow the same path as other countries, and issuers will see a surge in application fraud, as criminals use synthetic and stolen identities to obtain payment cards," Conroy said.