Data breaches demand earlier detection, better remediation

Data breaches are becoming all too common -- so common and so large in scale that we are rapidly becoming desensitized to the news. But the effect of a data breach has the potential to crush companies. From the direct financial loss, to protecting consumers whose information has been compromised, to dealing with civil legal issues and penalties and fines from law enforcement and government agencies -- all the way thru to the reputational and confidence damage inflicted on brands that are hit by breaches -- the invisible tsunami can be devastating.

Data breaches are often not found, until days, weeks and months after they've actually happened. When they are discovered, it's usually because damage has already been done. In a world of fast-moving numbers where time truly is money.  When seconds are critical, a week or month is an eternity.  Skimming small amounts from millions of compromised accounts used to be the modus operandi to fly under the radar, but now we see the opposite -- attacking a very small percentage of the stolen data in a rapid coordinated strike to use the "needle in a haystack" principle and speed to escape detection. We clearly need better ways of detecting criminal patterns in real time before they've run off with the money.

Unfortunately, there is no data breach alarm that goes off seconds after the bandits have left the vault.  And sophisticated criminal cabals will continue to evolve their strategies to take advantage of stolen data. Offering consumers a year of credit report monitoring just isn't going to cut it in the future, and we are seeing class action suits being filed in a number of prominent breach cases, some claiming damages in the billions.

The starting point of a solution may be to improve door locks, but in a limping economy filled with worried employees and motivated criminals, fraud will keep rising. Our goal must be rapid detection of fraud at source (usually online retailers, where customer-not-present transactions are the norm and the fraudster can pretend to be anyone he wants to be), before the consumer, merchant and banks are all left holding the bag for losses, damaged reputation and severe inconvenience. (I talked about the extraordinary rise in data breaches reported by ITRC in my last blog post and why this is going to lead to even more online fraud.) If we can meet this standard, we'll also make a dent in the horrific .5% conviction rate, which has more to do with the speed and undetectability of criminal activity before they've long vanished, than even with under-reporting.