Exposing Customer PII Has Lifetime Impact
Negligence, personal injury, breach of contract, consumer protection, invasion of privacy, and data breach notification are terms you’ll need to familiarize yourself with as you enter the new landscape of exposing valuable customer information. Data breaches get uglier by the day, and with each new breach the consequences grow. Data breaches are no longer focused only on PCI (Payment Card Information), but on a much, much more sophisticated data set: PII (Personally Identifiable Information). Just 5 years ago the mere mention of a class action lawsuit had no merit in regards to a data breach. What has changed? What governing bodies are getting involved? Why are breached customers choosing to file state-based suits? What is the lifetime impact of a data breach? Businesses must prepare themselves for the new Wild West of data breaches.

Why Failing to Protect PII Could Be Ruinous to Your Organization

Gone are the days of exposing sensitive credit card data, extending credit card monitoring services, and moving on down the road. PII, as defined by NIST (National Institute of Standards and Technology), is information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, passport number, driver’s license number, taxpayer identification number, financial account or credit card number, mother’s maiden name, or alias. All of these data sets can be used to create a persona based on an actual person. Once this is established, falsified tax returns, home purchases, etc. can all be done in your name. Guess who has to prove that it wasn’t you? You. So you can see why lawsuits are being filed at a lightning rate.

The Ponemon Institute values the cost of each individual record exposed at around $178— and considering the average breach exposes close to 30,000 records, you can do the math. This does not include all of the indirect costs, lawsuits, etc. Also take into consideration that the Target data breach cost Target close to $1 billion. That is billion with a B. Moreover, the Ponemon price tag does not cover “catastrophic” breaches like the Sony breach that they are still reeling from and paying for. Ponemon research does not cover breaches that expose over 100,000 records. All of this directly impacts the value of your company.

Breaches Affect Valuations

The Wall St. Journal reported that the Yahoo breach could affect the recent merger with Verizon through a “material adverse change” clause. Such clauses are designed for situations just like these. Verizon has no way of understanding the long-term fallout, or even of quantifying what will result from the Yahoo breach, and with only $4.8 billion on the table for the merger, they are now at a crossroads. With the Target breach costing close to $1 billion, why would Verizon put themselves in harm’s way with Yahoo when they have absolutely no idea what that final cost will look like? Yahoo had previously confirmed that no breaches had happened or would occur by the time the merger was complete, but obviously things change.

State Vs Federal – State is Easier

The recent Yahoo data breach that exposed 500 million user accounts is certainly reinforcing the trend of filing state-based lawsuits rather than federal ones. The reason is that the burden of proof becomes much more daunting at the federal level, where some form of injury must be proven to elicit a judgment. Moreover, certain states have friendlier consumer protection laws, such as California, where 6 lawsuits have recently been filed. Look no further than New York resident Ronald Schwartz, who recently filed his lawsuit for "reckless disregard for the security of its users' personal information that it promised to protect." To further that, his attorneys filed a motion to “relate” his case to the others recently filed. This is by no means a class action, but it signals the groundwork for this type of case to be filed in state courts.

Federal Trade Commission Oversight

The FTC (Federal Trade Commission) is now the federal watchdog for data security oversight. Wyndham challenged this last year and lost. The FTC was able to prove that Wyndham had “unreasonable data security” in place to protect their customers’ sensitive information. Wyndham was touting to their customers and the court that they had all of the necessary controls in place to properly safeguard their environment. Not only did they lose, but the verdict ushered in precedent on breached customers’ ability to sue for long-term damages resulting from breached PII. Moreover, they had to sign a 20-year agreement that they would take the necessary steps to obtain compliance certifications and, most importantly, that they would have a comprehensive data security solution in place to properly protect customer data. These are not cheap undertakings. So, how do you secure all of this toxic data? Encryption? Tokenization? Both?

Encryption Alone Won’t Cut It - Tokenize ALL Data Sets

Tokenization vs Encryption? It is true that this shouldn’t be seen as a competition. Both methods are appropriate to use throughout your organization. Encryption can be applied in multiple ways throughout the organization to protect network traffic carrying sensitive documents. Tokenization is better applied to specific data elements like credit card numbers or social security numbers, where the documents need to pass and be used by multiple people and processes, while protecting certain pieces of the document. Layering the two methods, in a payment stream for example, creates an even more flexible and secure environment. Encryption can be used at the point of data entry to immediately safeguard the payment data, even before it is transmitted to the Secure Token Vault and the token returned for storage and subsequent processing. In this scenario, sensitive data never enters the IT business environment, so only tokens are ever passed among people and business processes.
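As an added illustration of the tokenization layer described above (example code written for this page, not TokenEx's product or API): the vault keeps the real card number, hands back a format-preserving token that keeps the BIN and last four digits but deliberately fails the Luhn check so it can never be mistaken for a live card, and returns the same token for a repeated input through a keyed HMAC index so downstream systems can still join on it. Transport encryption from the point of entry to the vault (TLS) and encryption of the vault's own storage are assumed and not shown; the index key and card number are constructed test values.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card networks; tokens are generated to FAIL it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a token vault (constructed for this example).

    Real values live only here, behind one narrow detokenize() call; the
    business systems outside the vault only ever see tokens.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # keyed lookup: no plaintext index is stored
        self._by_token = {}          # token -> original card number
        self._by_index = {}          # HMAC(card number) -> token

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("rejecting malformed card number")
        idx = self._index(pan)
        if idx in self._by_index:  # same PAN -> same token, so joins still work
            return self._by_index[idx]
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]  # keep BIN and last four for routing
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """The only path back to the real value; gate it with strict access control."""
        return self._by_token[token]
```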

PII data should be tightly controlled, protected, and auditable. Defining and adhering to a documented security control baseline helps ensure proper protection of PII data. Beyond securing the data, an organization must also consider the incident or breach reporting requirements specific to PII exposure. Depending on the data set type and legal course of disclosure, additional reporting requirements may be necessary based on where the data is being stored and how it is being transmitted.

TokenEx is the industry leader in cloud tokenization and layered security solutions. Email sales@tokenex.com or call 877-316-4544 to start securing your organization today. Follow us on Twitter and LinkedIn.