June 2006
 

Identity Theft and Data Security: What You Need to Know Now

by Robert L. Siciliano

The FTC has stated that in 2005, consumers and industry lost over $55 billion due to identity-theft-related fraud. And while the media and activist groups continue to bang their pots and pans, industry seems to be looking the other way.

In March of this year, high-tech thieves hacked the computer systems at Citibank and made off with countless ATM card PIN numbers—the four-digit consumer security codes previously considered impervious to cyber attacks. The same month witnessed the loss of a laptop computer from Fidelity Investments, the Boston-based financial firm, containing customer data on 196,000 retirement accounts. And we saw the reported loss of personal and financial records for nearly 100,000 people during April alone.

Unfortunately, security breaches like this have further stained the reputations of many financial institutions because of their lax response times. Adding insult to injury, many have also placed the burden of responsibility for mitigating the resulting damage to their customers’ credit profiles on the customers themselves!

While state laws vary regarding notification, financial companies are responsible—both from a regulatory and an ethical perspective—for securing their customers’ information and quickly and effectively responding to a security breach. By being forthright with the customer and effectively responding to a security breach, financial institutions can not only mitigate the damage done to their customers, but also protect—and improve—their own reputations and strengthen their brands.

It’s a playground out there
Computers and the Internet are the criminal's new playgrounds. With every incident covered in the news, the magnitude and sophistication of computer-based crimes boggle the mind more and more—and these are just the reported cases. Countless unreported breaches surely occur every week.

Identity thieves and computer hackers seek increasingly unconventional and shady channels for their shenanigans, and con artists will exploit every channel and employ every tool at their disposal. The rogue, individual hacker is often the culprit, but organized crime is behind much of this, too. Crime rings—across the globe—have fueled widespread phishing scams. The Russian mafia has long displayed an appetite for identity theft; a Nigerian crime ring was suspected to be behind last year’s thefts at ChoicePoint; and Asian crime rings crop up regularly.

Another manifestation of the identity theft criminal is the “web mob.” Web mobs flourish online, functioning much like traditional organized crime rings, but with looser affiliations. In this way, they more easily evade law enforcement to bilk individuals and organizations out of untold sums of money.

Regardless of their geography or affiliation, they all conspire to wreak havoc, stealing our identities for some quick cash or an alias under which to commit yet more crime.

The pace is outpacing you
The speed of technology’s invention and adoption, in fact, has far outpaced the implementation of measures necessary to keep technology secure. Hackers and thieves are ahead of the game. They quickly take advantage of every new technological convenience to exploit our weaknesses.

As a result, over the past few years, attention has moved from the build-out of eBusiness to efficiency, cost-cutting, and now, compliance. Forrester Research says new challenges such as the rising threats of fraud and identity theft are causing a fundamental shift in identity management.

Many studies show that consumers think that institutions aren't doing enough to protect them. Even if they are, perception is reality, and one misstep in data security can put a company and all its executives’ actions under the microscope for a very long time.

In fact, banks and credit card companies often respond in a reactive mode—and only when the costs of not doing so begin to outweigh the benefits. Ensuring the security of your customers’ information is about being proactive and protecting your customers before something happens. It’s a tall order—in part because commonsense actions that seem reasonable to business leaders can seem invasive to customers. This in itself can lead to inaction, but during times of heightened awareness, inaction can be costly, and damage control, no matter how genuine, can be too little too late.

Take action and communicate
Solutions reside in development of appropriate policies and procedures, and implementation of systems for authentication and account protection—and in proactive communications to your customers.

One way to reassure customers—and employees, for that matter—is to draft a privacy policy statement and make it available to all. Be clear with your business constituencies. Stakeholders want to know that their information receives the utmost care.

While it’s important to strengthen your consumer data privacy protection policies, security is not about assuring your customers of their privacy; it is about protecting their information. Consumers think they want their financial information to be private, but what they really want is to know it’s safe. The only way you can convince customers that their data is safe is by also advertising that their information enjoys proper security.

Your reassurances, of course, need teeth. A company needs a security policy, and all organizational systems used for processing, storing, or transmitting personal information must fall under the security policy’s purview.

As you develop the policy, assess the risks your company faces. Devise cost-effective measures to reduce these risks to acceptable levels. Monitor and periodically review the security policy.

With privacy and security policies in place, the key is to keep the data fresh and make sure employees are following proper protocol. All too often when a laptop computer is taken out of the office or a hard drive is lost in transit, the excuse is, “the employee didn’t follow protocol.” Consumers are wise to this over-used excuse and will not tolerate incompetence.

The Privacy Rights Clearinghouse is a “take-no-prisoners,” “in-your-face” Web site that shines spotlights on exactly what corporate America and government are doing wrong. Using 20/20 hindsight and learning from others' mistakes is a great way to avoid disaster.

The Financial Services Roundtable is a great resource for building and maintaining a fully comprehensive security policy that reflects current events and recent breaches of data. While the rules will generally stay the same, the circumstances under which the breaches occur will vary, requiring updates to certain protocols.

When things go wrong: A proper response protocol
You’ve built your policies and procedures, trained your management and staff to implement them, and informed your customers of your protective policies. Unfortunately, things can still go wrong. What can you do to protect your customers—and your own reputation—now?

The components of an effective response protocol include:

  • Immediate customer notification of the circumstance
  • A dedicated call center to assist with and alleviate customer concerns
  • A media response team to handle press inquiries
  • An offer of different levels of credit monitoring, both free and for a fee

Take steps before losing your customers’ confidence
Consumer trust is slipping. Soon, it may be lost altogether unless financial institutions implement sweeping measures not only to combat actual identity theft, but also to fight the perception that a person’s personal information is fundamentally unsafe.

To do so, financial institutions must:

  1. Recognize the reputational risk that is associated with not having a strong, executable, and credible security policy.
  2. Seek and implement the tools that are necessary to defend against identity theft. Whether it’s through software solutions, credit monitoring, security audits, or consumer education, actions speak louder than words.
  3. Communicate the security policy to customers. Financial services are built on trust. Once that trust is broken, it is difficult, if not impossible, to regain it.

To learn more about what you can do to prevent and appropriately address identity fraud and data theft issues, register to attend the Seattle Bank’s Web seminar, “The Identity Theft Epidemic: Prevention Tactics that Build Client Relationships through Customer Care.” I’ll be presenting and will welcome your questions and comments.

In the interim, how about offering a paper shredder in lieu of a toaster for your next new account promotion?

Robert L. Siciliano is a Boston-based professional speaker, personal security consultant, and president of three security-related companies. He is the author of books on the subjects of personal safety and identity theft and has been featured on CNBC, CNN, MSNBC, Fox News, and numerous television and radio talk shows. He will be presenting on “The Identity Theft Epidemic: Prevention Tactics that Build Client Relationships through Customer Care” via a Seattle Bank Web Seminar on July 11. Register online today.

 

