US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients' data has been, or will be, compromised, according to TowerGroup.
The research firm says that despite significant media attention, increased state legislative demands, negative customer reaction and substantial costs associated with consumer data loss, millions of customer data records continue to be lost or stolen every month.
Over 100 data breach incidents containing millions of data records were reported in just the first four months of 2009.
Financial institutions must now assume that all of their clients' and prospects' personal information has been compromised or will be, says George Tubin, senior research director, financial information security, TowerGroup.
"While greater access to customer data is key for businesses to improve customer relationship management and business processes, there will always be repercussions, including the possibility of personal data landing in the hands of the wrong parties," he says.
According to a recent study from Verizon, hackers stole 285 million electronic records in 2008, more than in the previous four years combined, with the vast majority of breaches targeting the financial services industry.
Massive breaches involving Heartland Payment Systems, RBS Worldpay, Checkfree and BNY Mellon Shareowner Services have been reported over the last year.
TowerGroup says government regulators need to implement meaningful data breach prevention requirements and penalties that compel businesses to actually protect information.
The firm says that until legislative and regulatory bodies implement these penalties, data loss incidents will persist and worsen. Highly effective and usable data loss prevention practices and technologies are readily available to businesses but are "grossly underutilised", says TowerGroup's Tubin.
Meanwhile, companies should assume that traditional account information such as name, address, date of birth and account balance is useless as an authentication factor. Instead, they should consider using knowledge-based authentication and one-time passwords delivered via SMS.