Citigroup's Lost Tapes Cast Spotlight On Data Security
Banks are considering a variety of measures to tighten the security for customer information.
This week's disclosure by Citigroup that a box of tapes containing information on 3.9 million customers was lost in transit has again pointed out the chain of vulnerabilities that banks need to strengthen to guarantee the security of customer data.
The tapes contained Social Security numbers, names, account numbers, and payment histories on customers of CitiFinancial, which provides personal, auto, and home-equity loans. The tapes also contained information on customers with closed accounts from CitiFinancial Retail Services, which provides private-label credit cards for retailers.
The tapes were picked up from a Citigroup data center by UPS Inc. on May 2, bound for a data center in Texas operated by Experian, a credit bureau. Citigroup was notified by Experian on May 20 that the box hadn't arrived; three days later it confirmed that the box was missing, whereupon it notified the Secret Service. UPS hasn't recovered the box, but says there's no indication it was stolen. The tapes were unencrypted; starting next month, the bank will begin sending the data electronically in encrypted form. The decision to do so was made prior to this week's disclosure, a spokesman says.
Banks, like all corporations handling customer data, are under intense pressure to revamp their data-protection policies. Following California's lead, eight states (Arkansas, Florida, Georgia, Indiana, Illinois, Montana, North Dakota, and Washington) as well as New York City have passed notification laws regarding information-security breaches. The patchwork of state laws is driving up compliance costs for companies, says Chris Wolf, partner and head of the privacy and data-security practice at law firm Proskauer Rose LLP. Federal laws now working their way through Congress would pre-empt many of the state laws, easing the compliance burden, he says.
Banks have set a high priority on initiatives related to data security. Banks in the United States will spend $1.6 billion on IT security this year, making up 4.1% of total IT spending, according to research firm Celent Communications. Among the top security budget items are combating insider fraud, achieving compliance, two-factor authentication, awareness and education, and anti-spyware and other tools for preventing malicious attacks.
In light of the disclosures by Citigroup and Bank of America, which reported in February that tapes containing information on 1.2 million customers were lost in transit, banks are likely to accelerate adoption of methods for better securing customer data, such as encrypting all data, tightening physical security, and installing perimeter defenses such as firewalls and intrusion-detection systems.
Still, despite the public brouhaha over customer data protection, it may take banks a while to implement all these changes. "We're looking at a redefinition of processes," says Celent analyst Jacob Jegher. "Big banks have a lot of technology and processes, which take time to change." The practice of externally shipping tapes off-site is still quite common and is unlikely to disappear, he says.