The participants included:
• Scott B. Moritz, director of KPMG Forensic;
• Hugh C. Kelly, principal of Financial Risk Management;
• Joanna Taylor, senior associate for Financial Risk Management;
• Linda H. Gallagher, principal for Financial Risk Management;
• Carolyn Greathouse, manager for Financial Risk Management;
• Doron M. Rotman, audit and RAS managing director for Information Risk Management; and
• Grace Brasington, account relationship director for Information Risk Management.
In the first part of the two-part discussion, the participants examined the scope and source of the problem, and the need to use a multi-disciplinary approach to fight identity theft.
Technology Insider: Identity theft has received considerable attention, but is the problem as bad as the perception?
Moritz: Identity theft is a growing problem for a number of reasons. One of the reasons is the extent to which businesses and public institutions are reliant on digitized information and transmitting that information in e-mail and via the Internet. All of that combines into a much larger vulnerability.
Add to that increased regulatory obligation, driven initially by the California legislation, SB 1386. Institutions that disclose personal identifying information now have an obligation to notify the potential victims or the affected persons. That has cast light on a problem I think has probably been out there for a long time, but is getting more attention now.
Kelly: The issue of notification is obviously the key point, because institutions are very concerned not only about liability, but the reputation risk – which can be a bigger risk. There is kind of an accumulation of those data breaches. Whether or not customers’ financial information identities are viewed by the bad guys, there is reputation risk, and the regulators are raising the ante with respect to their examination processes.
Gallagher: [Identity theft] is now an issue that people talk about in casual, cocktail conversation. And, as somebody pointed out at a presentation, when breaches involve members of Congress, that also gets a lot of attention.
Technology Insider: Can you elaborate about reputational risk?
Greathouse: We saw survey results a couple of weeks ago [from the Ponemon Institute and PGP Corp.] that said, among people whose identity was breached or were customers of a company that had a breach, 20 percent of those people actually closed their accounts, and another 40 percent of the customers considered closing their accounts. It’s just such a huge risk – if [businesses] lose 60 percent of their customer base, that’s huge. So it really is getting a lot of attention.
Technology Insider: Is the identity theft problem more severe in some industries than in others?
Moritz: ID theft affects anybody that has possession of identifying information about employees and customers, or anybody who’s collecting information on the Internet. It’s affecting higher education, public sector, financial services, health care and any sort of business-to-consumer enterprise that collects that type of information.
Rotman: If you look at it, in education, some of the laws have some privacy requirements. The No Child Left Behind Act has some very significant privacy clauses. A number of U.S. universities have reported privacy breaches.
Moritz: You’re absolutely right. The two industries that are most affected are higher education and financial services. Higher education has the greatest number of breaches, and financial services has the greatest amount of lost information.
But we don’t want to convey that identity theft is purely a financial services issue, because it cuts across all industries.
Technology Insider: Where are the identity theft attacks coming from?
Moritz: We’d be remiss if we didn’t point out the increased sophistication of the people committing identity theft as a significant factor in its growth. A lot of the people writing malicious code, in addition to those who were involved in denial-of-service attacks and other computer hacking activities, have found that aside from extortion, it’s not very profitable.
What is profitable is taking those same skills and using them to do things like phishing and pharming (redirecting Internet traffic to a fraudulent site) or going after institutional holders of large quantities of personal identifying information and selling it on the black market. This information has value and is traded like commodities.
Technology Insider: Is there a difference between identity theft and traditional credit card fraud?
Gallagher: The organizations dealing with these crimes are also struggling with these important distinctions. So when people commonly use the term “privacy” or “identity theft,” the issue might be fraud, it might be identity theft or it might be privacy.
The reality is bleeding through consumers. They cannot make the distinctions, and therefore it causes the problem to even feel greater than it really is.
Moritz: There is an important distinction between identity and credit card theft. If you lose your credit card information and somebody inappropriately uses your credit card, they haven’t really committed identity theft.
However, if someone has successfully established a consumer credit relationship in your name, that means that they have successfully obtained enough of your personal identifying information to assume your identity. It’s a very important distinction and one that the media has not done a good job of explaining.
Kelly: The guidance from regulators does draw the distinction between the security guidance versus privacy rules, and doing well on one doesn’t mean you’re doing well on another.
Technology Insider: How significant a security challenge is it to protect customer information?
Moritz: Regulators go so far as to define information security as a “control.” It’s a control to protect information, but privacy goes to the appropriate use of that information. That’s not a control – it’s more of a compliance issue and doing what you said you were going to do.
Kelly: It is a mistake to pigeonhole it or come up with just one label, because this also affects non-Internet transactions. A lot of breaches are due to the fact that someone stole a laptop or went through confidential information in a Dumpster.
Those are probably the biggest sources of fraud and identity theft, but obviously, as the Internet channel becomes more popular, it becomes a greater security exposure.
The banking regulatory agencies have not only focused on privacy, they’ve also focused on information security in a general sense, and they’ve also recently issued guidance on authentication for Internet banking transactions.
The regulatory requirements are hitting all these different aspects, which kind of all roll up under this general theme of making sure banks are doing what they can to protect against the improper use of customer information.
Rotman: A lot of companies are starting to think and plan about their data governance issues. It’s about where we get data, where we collect it, reprocess it and apply security. This is the point of the controls.
Moritz: I like the term “data governance” because I think that brings home that this is a tone-at-the-top issue. It is a corporate governance issue, and organizations that delegate this to information technology alone or an individual compliance officer do so at their own peril, because it is an interdisciplinary issue. It’s a complex issue, just like any security problem.
Gallagher: I have tried to illustrate to clients the importance of approaching this from a multi-disciplinary standpoint, so it’s not just defined as a regulatory challenge, etc. Everyone really has to be involved and the organizations need to be aligned in the same way. At a minimum, they need to have a senior-level multi-disciplinary committee addressing this issue.
Kelly: In our discussions with chief risk officers and operational risk managers, they realize they have to bring this IT risk issue into their assessment of operational risk as well as compliance. It’s challenging to cut across all these silos and I think, like Linda said, it begs for an interdisciplinary committee or response. It requires a lot of bridging across silos, which is not an easy thing to do.
Christopher Westfall is managing editor of KPMG’s “Insurance Insider.” This article is being reprinted with permission from KPMG’s Insurance Insider. Copyright 2006 KPMG LLP. All rights reserved.