MADISON, Wis. (10/5/11)--Data breaches have overtaken theft of physical assets as the No. 1 fraud type, with most data theft occurring in the financial services industry. To avoid crippling financial damage and loss of member trust, credit unions must implement measures to prevent breaches and have a solid mitigation plan if one occurs, said CUNA Mutual Group.
Ken Otsuka, CUNA Mutual Group senior risk consultant, offered tips to credit unions to avoid financial, reputational and legal risks from the No. 1 type of fraud--data breaches--during Tuesday's Online Discovery Conference. (Photo provided by CUNA Mutual Group)
Speaking to Online Discovery attendees Tuesday, CUNA Mutual Senior Risk Consultant Ken Otsuka cited the 2010 Annual Global Fraud Report from Kroll, a risk management consulting firm. The information-rich financial services industry leads in data theft incidents among various companies, with 42% in 2010. That's an increase of 24% from 2009, the report indicated.
"Data breaches have quickly become a top concern," Otsuka said. "They are increasing in frequency and severity in terms of number of records breached and recovery costs."
Breaches can involve electronic or paper data, and occur in many ways, including:
* Lost or stolen disks, laptops and other data-bearing devices;
* Dishonest employees;
* System intrusions by hackers;
* Negligent disposal of data; and
* Breaches at third-party vendors housing confidential personal member data.
A data breach can be devastating for a credit union, potentially even bankrupting it, Otsuka said. According to a 2010 Ponemon Institute study, the average cost to repair a compromised record was $214. For financial institutions, that cost was $353.
But that's not the only cost of breaches. "A breach could shake members' confidence in the credit union's ability to protect their personal information, which could have a devastating effect on the credit union's reputation," Otsuka added.
He also noted compliance and legal risks. "The federal Gramm-Leach-Bliley Act requires credit unions to protect and secure members' personal information. Penalties for non-compliance, whether at the state or federal level, can be severe. In addition, numerous well-publicized lawsuits have been brought by consumers against organizations that experienced data breaches."
Otsuka urged attendees to implement proper technology, policies and procedures to protect confidential member data. He offered these tips:
* Protect confidential member data residing anywhere on the network, including workstation hard drives and servers. Encrypt data residing on networks, all mobile devices, and in data transmissions over the Internet and e-mail.
* Install a data loss prevention solution to identify where confidential member data are located on the network and determine if employees inappropriately transmit data via e-mail or download data to external devices.
* Lock down USB ports and CD ROM/DVD drives of workstation computers, based on employee job duties, to prevent downloading of confidential member data.
* Implement an identity and access management solution that allows only authorized users to access the network and secures remote access for employees and vendors.
* Have an end-point security solution to protect all entry points to the network, including firewalls, and software for viruses, malware and intrusion detection.
* Protect corporate mobile devices by ensuring confidential member data are stored in encrypted
If all else fails, have an insurance backstop, Otsuka said. He provided an overview of CUNA Mutual Group's Cyber & Security Incident Package, which provides coverage for credit unions if there's a breach.
Online Discovery is CUNA Mutual's Web-based virtual conference. The free event attracted more than 1,800 attendees. Watch for more coverage in Thursday's News Now. See related story, "Online Discovery speaker: Make mortgage loan opportunities," in today's System News.