Security Breach from the Inside

Filed in archive News on August 3, 2007

For the second time this year, I received word from a credit card company that my data had been breached. As a consumer, I'm disturbed by the news. As the credit card company, I'd be mortified. This particular breach was not the work of an outsider - an employee of Certegy Check Services lifted and then sold countless files containing consumer information. The data was sold to a data broker who then sold some of the data to direct marketing organizations. While this may be no more than a case of more junk mail, the financial impact could still be devastating to both company and consumer.

The Payment Card Industry Data Security Standard (PCI DSS) requires that companies processing, storing or transmitting credit card numbers comply with certain guidelines or the feds can take away their privileges. While the requirements call for firewall, regular audits and anti-virus processes, what about the rogue employee intent on stealing? The company is liable for its employees' actions, so unless Certegy is carrying a fidelity bond or some other form of insurance on employee misdeeds, the costs could be devastating.

Does your compliance or Risk management plan include the possibility of employee breach of your data? It should. Work directly with your risk management department or consult a risk management firm in order to cover the potential loss and take steps toward prevention.