The financial services industry may be focused exclusively on securing payment card credentials, but other sensitive data can benefit from these efforts.
Other personally identifiable information, such as government ID numbers, home addresses and phone numbers could be used for identity theft purposes, which requires substantially more work to fix than the theft of a credit or debit card, said Erick Kobres, director of software engineering at NCR Corp.
Medical records, for example, can be used to access health savings accounts or flex spending accounts, and in some instances fraudsters have obtained medication or operations with another person's information.
Industries such as health care are "a little behind on the technology side at the point of sale in treating other kinds of data" outside payment card credentials, said Kobres.
While the Health Insurance Portability and Accountability Act (HIPAA) requires certain steps for protecting sensitive patient data, this only extends to medical professionals and organizations. Kobres worries about vulnerabilities in 2D barcode scanners that some businesses use to scan customer information such as government IDs.
"What we're missing is the technology at the endpoints, where the data is actually captured," Kobres said. "PIN pads play an important part in tokenization; there's no similar thing as a PIN pad for...ID scanner or insurance capturing systems."
On a payment terminal PIN pad, there is a tamper-resistant security module, and the data is encrypted. Bar code scanners do not necessarily have these security features, meaning the data is transported in the clear. Also, unlike in the payments industry, when taking and storing other kinds of consumer data "there is not a sophisticated system for tracking where the breach happened or where it's coming from," Kobres said.
The threat of identity theft is only growing, especially in the U.K. where there isn't a disclosure policy and companies don't automatically offer free identity theft protection after a breach, said Neira Jones, a payments, digital innovation and information security consultant based in London.
In the U.S., the Federal Trade Commission and Securities and Exchange Commission have mandated that companies publicly disclose many aspects of a data breach. Those rules are still being discussed in the U.K., she said.
In the U.K., identity theft represented 60% of all fraud in 2013, according to a 2014 Fraudscape report. And of the data that gets stolen, date of birth, government ID numbers, medical records and even phone numbers were taken more often than financial information, Jones said.
But there's a silver lining to this identity theft, according to the Federal Reserve Bank of Philadelphia. In a research document, it found that consumers who had their identity stolen in the past keep a more watchful eye on their credit after the breach and, in turn, have higher credit scores.
While a retail bank will likely not handle medical information, its business clients such as pharmacies, grocery stores, bars and restaurants will.
Especially in light of the U.S. Affordable Care Act, which pushes hospitals and other providers to digitize medical records, the health care industry will need to tighten its security, said James LaPiedra, president and CEO of ID360, an identity security company that competes with the likes of LifeLock Inc.
If a fraudster steals and begins using someone else's health records, the potential damage could be life-threatening, said LaPiedra. While many hospitals see a benefit in authenticating patients, potentially through biometrics, the implementations for enhanced security can be quite costly, he said.
Banks and other payments providers could offer security packages to their clients to protect all identity data the same way card data is protected.
Recently NCR began working with Intel to launch DataGuard, a platform where merchants can apply a security policy to all data that the merchant collects. The core DataGuard technology is built into all the point of sale hardware NCR makes today, with DataGuard software expected to be delivered to merchants later this year.
With DataGuard or a similar system, a bar owner who scans a patron's driver's license could set up the system to encrypt all information, including height, weight, address and even date of birth, at the point of capture. The merchant could then set the platform to allow only the birth date to be decrypted or could even set up the system to give employees only a "yes" or "no" answer when verifying a person's age.
This specific example would be in line with some of the identity privacy and protection work going on around the collection of data by Internet-connected devices.
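The bar-owner scenario above, encrypt every scanned field at capture and then let policy decide what is ever decrypted, can be sketched in code. This is an added illustration, not NCR's or Intel's DataGuard code; it assumes a per-merchant key, an Encrypt-then-MAC construction over a constructed sample record, and a yes/no age check that never returns the date of birth itself.

```python
import hashlib
import hmac
import secrets
from datetime import date
# Constructed sample record from a scanned driver's licence (fictitious values).
SCANNED_LICENSE = {
    "name": "A. Sample", "address": "1 Example Street", "height": "180 cm",
    "weight": "75 kg", "dob": "1990-06-15",
}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF (HMAC-SHA256) run in counter mode until n bytes are available.
    blocks, ctr = b"", 0
    while len(blocks) < n:
        blocks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return blocks[:n]

def encrypt_field(key: bytes, field: str, value: str) -> bytes:
    # Encrypt-then-MAC; the field name is bound into the tag so a ciphertext
    # cannot be moved into another field's slot (e.g. "height" into "dob").
    nonce = secrets.token_bytes(16)
    plaintext = value.encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, field.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, field: str, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, field.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"integrity check failed for field {field!r}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def capture(key: bytes, record: dict) -> dict:
    # Every field is encrypted at the point of capture; nothing is stored in the clear.
    return {field: encrypt_field(key, field, value) for field, value in record.items()}

def reveal(key: bytes, encrypted: dict, field: str, policy: frozenset) -> str:
    # Decrypt only the fields the merchant's policy allows (e.g. policy = {"dob"}).
    if field not in policy:
        raise PermissionError(f"policy does not allow decrypting {field!r}")
    return decrypt_field(key, field, encrypted[field])

def is_of_age(key: bytes, encrypted: dict, min_age: int, today_iso: str) -> bool:
    # The age check answers only yes/no; the date of birth never leaves this function.
    dob = date.fromisoformat(decrypt_field(key, "dob", encrypted["dob"]))
    today = date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= min_age
```

Binding the field name into the tag is what keeps an employee (or malware on the till) from relabelling a less-protected field as the one the policy permits.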
NCR is hoping merchants will take initiative and get ahead of fraudsters.
"The market value of insurance cards is on the rise on the black market," Kobres said. "And the value of payment card data continues to go down" because banks are getting better at blocking fraud.
Medical records on the black market can go for $50 per record, LaPiedra said.
While the payments industry is locking up existing data, the growing reliance on the cloud and the increasing amount of information being passed through the internet will likely exacerbate the problem, said Jones.
By the end of 2015, more than 75% of U.S. employees and 1.3 million people worldwide will work remotely, Jones said.
"Fifteen or 20 years ago, we knew pretty much what to protect and had a perimeter," she said. "It's become really apparent that the perimeter as we used to know it no longer exists."