Posted by: David Schneier
Audit, bank, banking, compliance, credit union, CU, FDIC, FFIEC, financial, financial institutions, personally identifiable information, regulations, regulatory, Regulatory Compliance, security, PII
Growing up I was a huge fan of the sitcom “The Odd Couple.” Some of my favorite catch phrases have in some part been influenced by lines of dialogue that I memorized. One in particular serves as the best pure definition for a phenomenon I encounter frequently enough in my audit/compliance career: “What you don’t know can hurt you a whole lot.” I can still hear the line being uttered and remember laughing because even as a child I thought the phrase that inspired the line, “What you don’t know can’t hurt you,” was pretty dumb. All these years later, I’ve collected an impressive body of evidence to support my opinion.
So when the FDIC recently issued new guidance titled “Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers” (FIL-56-2010), I was reminded once again of this favorite phrase of mine.
It’s important to explain that my first foray into audit allowed me to work with arguably the best auditor I’ve ever met. I was taught to question everything and assume it was in scope until proven otherwise, and I was encouraged to trust and follow my instincts. And so fairly early in my regulatory career, when I first started to search out the myriad threats to personally identifiable information (PII), all sorts of things landed on my radar screen. Accordingly, for nearly a decade I’ve been advising clients on the threats posed by what are typically thought of as secondary devices or peripherals. Financial institutions will spend all sorts of crazy money to protect servers and storage devices but completely ignore multifunction devices that copy, scan, fax and email just about any document imaginable and often retain those images in memory. They’ll have surprise desktop audits where someone will spot check work spaces to see if PII has been properly secured, but will walk past the copier room time and again and ignore what lies in the output trays. Our practice has long advocated for related control activities to remove this remarkable blind spot, but year over year we return to our clients and find that little has changed.
And so the question needs to be asked: Why?
The answer is very likely found in the fact that no known breaches or cases of identity theft have ever been tied back to information gleaned from a peripheral device. We’ll read about huge PCI-related disasters where millions of credit card numbers were potentially stolen. We’ll see stories on the news about how a laptop has gone missing with hundreds of thousands of accounts containing Social Security numbers. We’ll read about how criminals are piggy-backing card reader devices on legitimate ATMs to grab your credit and bank card data. But no one can ever recall hearing about any identity theft cases where the information involved was found to be harvested from just such a device. And odds are you’re never going to.
The amount of information to be gleaned from peripheral devices is relatively small. All but a few of them can only retain a modest amount of data, and so you’re not going to find much more than a few dozen opportunities per device. If someone within an office is aware of this treasure trove of information and is skimming it off and either using it or selling it, how would you know? How would you be able to develop the trend (remember that very few people file police reports when they discover that their identity has been stolen or accounts accessed)? So there isn’t a whole lot of investigating going on. And if someone at either the equipment reseller or company warehouse is collecting the information and using it for illegal purposes, how would anyone know? We’re not talking about thousands of accounts or individuals from any one company or institution; it’s more like a patchwork collection. You would only be able to find a trend if you went looking for it, and you would only go looking for it if you had a credible reason to do so.
But here’s the thing: I’ve thought about this information being readily available and difficult to trace, and I’m an honest man and one of the good guys. Don’t you think the bad guys have this figured out as well?
So it will be interesting to see how or if the banking industry reacts to this bulletin. It’s been my experience that these things go largely unheeded until an examiner applies a little pressure. I suppose way too many financial institutions are happy enough to apply the “what you don’t know can’t hurt you” logic. Not me.