41 Banking Breaches So Far in 2010
Account Takeover a Top Concern for Banks, Businesses
But it isn't the number of incidents that concerns Linda Foley, head of the Identity Theft Resource Center, which tracks these breaches. Rather, it's the trend of corporate account takeover resulting from ACH and wire fraud.
"There hasn't been a lot of outreach to the business community on this threat," Foley says. "They need a list of 'What to do to protect your business account, now.'"
The other area of concern to Foley is the pattern of retail merchants and restaurants being hit by fraudsters. "There may be a pattern or common cause here, thus the Secret Service is following the trail," she says.
For a complete look at the year's financial services-related breaches, view this timeline of incidents, breaking them down by month and type of breach.
Breach Notification At Hand?
While data breaches continue to occur, Congress is mulling legislation that would create a federal notification act. One bill pending on the floor of the U.S. Senate is Senate Bill 139, sponsored by California Sen. Dianne Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personally identifiable information and make it mandatory that if a breach occurred, the victims would be informed.
This bill, along with the recently reintroduced Carper-Bennett legislation, aims to protect consumers and businesses from identity theft and account fraud. The Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud.
These bills are all possible action items for the Consumer Financial Protection Bureau. With more than 200 rules still to be issued as a result of the Dodd-Frank bill, privacy, data security and stewardship issues will continue to be front and center for some time, Foley says.
In particular, Foley says, the Feinstein bill offers businesses a safe harbor clause, but with conditions. "It offers coverage of reasonable risk, though they must submit their entire breach event facts to law enforcement to be covered under the safe harbor clause," she says. "We need a single data breach list -- these state notification laws are piecemeal and don't give full disclosure to victims."
The Feinstein bill is still open on the Senate floor, along with the Carper-Bennett bill. No date has been set for committee hearings on either bill. Both the House of Representatives and the Senate are on summer break until September 13.
For now, the underreporting of data breaches remains a problem, Foley says. The ITRC is one of several organizations tracking data breaches in the United States. For example, the New York list of data breaches that was made public this spring had more than 200 breaches that had not been reported by any news media, she says. This is a problem not just for the victims of those data breaches, but for other potential victims. "The only thing that underreporting or hiding breaches is doing," Foley says, "is allowing criminals to do the same thing to other businesses without law enforcement becoming aware and investigating them."