Data Security: Will 2015 be the Year of the Regulator?

2014 has been described as the year of the data breach. 2015 will be the year of the regulator, according to Suni Munshani, CEO of Protegrity, a provider of data security solutions.

According to the Identity Theft Resource Center, there were 708 breaches that took place in the past year, grabbing headlines and sending warnings to retailers to prepare for the 2014 holiday shopping season that is now in full swing.

Against the backdrop of the still-unfolding catastrophic Sony data breach, this holiday season, what is at stake may be even greater for stores that do not properly secure customer data. On December 4, a U.S. District Judge said that financial institutions can proceed with a class action against Target for negligence. In the past, it was the banks that were on the hook after a breach, and left to handle the responsibility for replacing stolen or compromised cards. In the 2013 Target case, one of the largest breaches ever, up to 70 million individuals may have been affected, according to Target itself.

According to Munshani, what is needed are data-centric security solutions that move beyond single-factor authentication, with an overarching data access policy driven at the enterprise level, not within traditional data silos, as well as enforcement of a strict data protection policy covering who’s accessing it, who’s monitoring it, and who’s storing it.

The sophistication with which attacks are being deployed is growing because the return on investment is so extraordinary in terms of the money that can be made in a very short period of time, and as a result it is a safe bet that there will be many more, says Munshani. In addition, the majority of data breaches are occurring with the right credentials, which have been compromised, as in the Target case.

To get control of the situation, what is needed is for retailers to arrive at a comprehensive, holistic data policy that covers the data itself and not just the access to an environment or a system, because there are so many different ways to access an environment.

Technologies are becoming available, but they are not being deployed quickly or widely enough. EMV (Europay, MasterCard, and Visa) has advanced a global standard for authenticating credit and debit card transactions. In addition, ApplePay tokenizes the data, providing a way to complete a transaction and have a much higher level of security, but not everybody uses an iPhone and not everybody uses ApplePay, noted Munshani. “The adoption of that is many years to come.” Fundamentally, the approach that retailers must take is to find ways to reduce the surface area of the data.

The risk to credit card data is an obvious one, but what people are not paying attention to, and this will unfold over the next 3 or 4 years and perhaps much sooner, is the "nightmare" of what is happening to all that data with customers’ physical presence inside the store, and the invasion of privacy that is taking place. Retailers are routinely collecting data on customer habits and practices that is being shared with store planning and merchandising teams inside and outside stores, says Munshani. Things will change because regulators and lawmakers are going to weigh in, he notes, adding that he expects a grass roots revolt on the horizon in the form of a kind of "Arab spring of data privacy."

As far as the - by contrast - relatively simple issue of credit card data protection, Munshani says that Congress is starting to pay attention and asking who is really responsible. “Clearly, wherever the breach happens in my opinion is where the responsibility lies,” he noted.

Yet, for this holiday retail season at least, Munshani says, whatever safeguards are in place at the beginning of the quarter are all there is. “There is absolutely nothing that retailers can do for this holiday season. In the last quarter of the year, retailers across the board are reluctant to do anything at all. It is the most important period for them and they will not entertain any new ideas, new projects or new initiatives.”
