<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; data breach</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/data-breach/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>My bank card was compromised.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 18:00:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[breach]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=887</guid>
		<description><![CDATA[I recognize that this is a sign of the times we now live in.  We use plastic everywhere, our sensitive account information is digitized all over the place and security controls protecting that information are only as strong as their weakest link.]]></description>
				<content:encoded><![CDATA[<p>Two weeks ago, about two hours before departing on a long weekend trip to welcome back baseball in Florida, I received an email from my bank indicating that there&#8217;s been suspicious activity on my Visa check card and that it&#8217;s been suspended.  Considering that under normal conditions I think my family&#8217;s spending is a bit unusual, I figured it was just a mix-up.  I mean, during most weeks I can fill up my car in four different states, make purchases in five and buy an impressive assortment of merchandise spanning the full range of the consumer spectrum.</p>
<p>So I called up in an attempt to resolve things and was informed that it wasn&#8217;t my spending that caused a problem, it was the fact that one of the vendors I completed a transaction with reported a breach.  Because my card number was potentially included in that breach I was shut down.  I was fortunate that my bank is setup to help customers manage these situations fairly effortlessly (I don&#8217;t love them most of the time but this event won them some points with me) and after a brief stop at a local branch I had a temporary card and was able to continue on my trip.</p>
<p>A few items of note surfaced as a result of this experience.  The first is that my bank would not reveal the vendor that reported the breach.  The customer service representative I spoke with claimed that she didn&#8217;t have access to the information, which I sort of believed.  But when I asked how I could find that information out she replied that they typically don&#8217;t share it.  I thought that a bit odd.  Shouldn&#8217;t I as a consumer be able to make informed decisions about who I do business with?  I should be able to find out who the vendor is so that I can decide whether or not I&#8217;ll continue to give them any of my hard-earned dollars.  The second thing that I found curious was how seamless the replacement process was.  They had a stack of temporary cards about five inches thick and a process so well defined and efficient that it almost seemed like I was asking to borrow a pen so I could sign something.  When I returned to the car my son, who had been waiting for me, assumed they weren&#8217;t able to help me because I was out so fast.  How often does this sort of thing happen?  And to make their degree of efficiency that much more notable, a friend of mine experienced something similar and it took her bank over a week to get a new piece of plastic into her hands.</p>
<p>I recognize that this is a sign of the times we now live in.  We use plastic everywhere, our sensitive account information is digitized all over the place and security controls protecting that information are only as strong as their weakest link.  It&#8217;s why you&#8217;ve heard me say many a time that requirements like PCI are an excellent starting point but by no means the end-all, be-all for securing the perimeter.  All it takes is one USB storage device to go missing, one new appliance added to a network with default values unchanged, one person printing off a report with NPPI and forgetting to pick it up from the printer and voila, a breach is born.</p>
<p>I&#8217;m frequently onsite at clients of wildly varying sizes and I find something every day that makes me realize that sometimes the best weapon against a company being embarrassed by some sort of exposure is just dumb luck.  Regardless of whether they have a well-formed team of risk and compliance folks working hard to protect information assets or just a single person serving in a related function, it comes down to human nature, both in terms of those not following the rules and those who are ready to exploit that fact.  A prime example is that when I find sensitive information left exposed I collect it and either dispose of it properly or lock it up to share with the appropriate party as a &#8220;for instance&#8221;.  However, in those places where less honest people make similar discoveries, that same information becomes a commodity to be sold to those who indulge in things like identity theft.  Like I said, it comes down to pure dumb luck.</p>
<p>And so I&#8217;m left wondering if my now deactivated and defunct bank card was the victim of human nature, a sophisticated scheme to access otherwise properly secured sensitive information or just plain incompetence.  And while I&#8217;m glad that my bank was swift to react and protect me I wish they&#8217;d extend that to also inform and educate me as well.  I mean honestly, if I&#8217;m going to be forced to memorize a whole new series of numbers shouldn&#8217;t I at least be allowed to know who&#8217;s to blame?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another data breach? What else is new?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/another-data-breach-what-else-is-new/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/another-data-breach-what-else-is-new/#comments</comments>
		<pubDate>Sun, 08 May 2011 04:46:07 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[breach]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=716</guid>
		<description><![CDATA[I remember shortly after the Heartland breach was announced back in 2009 being onsite at a credit union client. I was amazed by how much it impacted their operational area but only until their COO shared with me that this was only the most recent such event and it was something they had to deal with fairly regularly – what I was witnessing was sadly a new type of business as usual.]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">The other day I was watching my cat attempt to catch his own tail. Now I know that by itself it’s not unusual for cats or dogs to attempt such a feat but for this one in particular it was unusual as I’ve never seen him do it before. He’s a remarkably athletic animal and so what I witnessed turned out to be something a bit different. He started spinning so fast that at one point he actually gained altitude and spun more than a complete rotation without the benefit of legs. At the same time, he somehow managed to extend his forepaws just enough to grab the tip of his tail and once done, dropped back to the ground to enjoy his success. He went on to do the same exact thing twice more before calling it quits.</p>
<p class="MsoNormal">Why I bring this up is because sometimes I feel that my industry does the same exact thing only in writing.</p>
<p class="MsoNormal">After staying up late last Sunday night to follow the developing story regarding Osama Bin Laden, I remember quite clearly what was going through my mind.  It was a delicate blend of relief, national pride and something that can best be described as detached ambivalence. I also experienced a touch of concern wondering if those aligned with the terrorist leader would attempt some measure of revenge and wishing that I wasn’t traveling this week. I also remember wondering if my children were going to remember this moment in any measurable way so that perhaps one day they might tell their children the story about where they were when they heard the news. But what I didn’t think at all about was how this turn of events was going to impact the banking industry. Apparently I was missing something.</p>
<p class="MsoNormal">When I had a chance to scan the industry sites on Monday, a number of them had lead stories about how important it was for banks to step up their monitoring efforts in the wake of Bin Laden’s death to detect the movement of monies used to fund terrorist organizations. Several rehashed the impact that 9/11 had on the banking industry discussing AML and BSA. One even had a story that sort of spun things in a way that might make the reader think the banking industry was at increased risk of disruption due to malicious efforts.</p>
<p class="MsoNormal">Really? I mean, really?</p>
<p class="MsoNormal">The only silver lining to any of this was that it sort of pushed the Sony data breach to the back of the line, which was another hot topic that had me scratching my head. Many industry experts were clamoring about the enormity of the breach (no one actually knows how big it is; it’s all speculative at this point).  Several articles were thinking aloud about how significant this incident could be if it also included credit/debit card information. Some were estimating that the potential cost of the breach could set records. If I didn’t do what I do for a living this would have had me freaking out a bit. But really, in the end I know better and by putting things in perspective could see that this wasn’t another Heartland but really something more closely resembling the Epsilon breach.  Sony clearly stated that while there was the potential that credit card information might have been exposed, it was less than one percent of the total number of accounts involved and all were exclusively outside of the U.S.A.  So for most of the tens of millions of Playstation users who were affected, it was pretty much a minor event.</p>
<p class="MsoNormal">At the end of my workday on Monday and after reading all the blaring headlines and posts dissecting the Bin Laden and Sony story, I came to the conclusion that my banking clients had nothing new to worry about that wasn’t already on their radar when they left for the weekend the previous Friday. All of the institutions for which I have knowledge of their operations were already addressing what they needed to address AML/BSA requirements and none of them had any new exposures due to the Sony breach (unless of course they had a Sony Playstation at home). All those headlines and so little to learn from any of it.</p>
<p class="MsoNormal">Really?  I mean, really?</p>
<p class="MsoNormal">There are legitimate news stories that can and will naturally extend themselves to banking and regulatory compliance, but not all of them will. And not all re-occurrences of a now all-too-common affliction (data breaches) require a “stop the press” mindset. I remember shortly after the Heartland breach was announced back in 2009 being onsite at a credit union client. I was amazed by how much it impacted their operational area, but only until their COO shared with me that this was only the most recent such event and it was something they had to deal with fairly regularly – what I was witnessing was, sadly, a new type of business as usual. Here I was thinking Heartland had been a game changer, but all it was in the end was an unusually large incident. Some banking media sites at the time rode that story for months despite the fact it was only big in scope but not in impact.</p>
<p>And so in the end I wonder what exactly is the difference between publishing content about an event that isn’t really an event and my cat chasing his tail.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/another-data-breach-what-else-is-new/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance doesn&#8217;t ensure data security</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/controls-are-not-enough-when-securing-data/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/controls-are-not-enough-when-securing-data/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 18:32:11 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[backup]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[HIPPAA]]></category>
		<category><![CDATA[offsite storage]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=425</guid>
		<description><![CDATA[Compliance at best is a point-in-time validation and absolutely no guarantee that the most significant risks are being properly managed.]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m fond of saying that a business entity complies with regulatory and industry requirements for one of two reasons: because it helps protect sensitive information or because they have to.  Some may argue that regardless of the reason, both will get you to the same place with the same results.</p>
<p>Wrong!</p>
<p>Doing something because you have to almost always converts into doing the bare minimum necessary in order to appease the regulators and auditors.  It&#8217;s an approach that encourages addressing all key points within scope for the requirement, but all but ensures you&#8217;ll never think past it and look for additional risk factors to address.  I speak from experience, having seen clear examples where this proved to be true.  For example, take a client I did work for last year who was absolutely PCI compliant but who also would occasionally create Excel spreadsheets that included credit card information and were used to support batch payment processing.  Those spreadsheets would be created by one person and emailed to another for processing.  Because the client&#8217;s corporate policy prohibited using email to convey personally identifiable information (PII) between their employees and customers, the company did not pursue any testing or further documentation of controls to address the associated risks.  I asked all sorts of questions about what happens to those internal emails: Are they archived, backed up and stored somewhere off-site?  Can the attachments be downloaded to a USB storage device without detection?  Can the email be forwarded to an external email address without detection?  The client didn&#8217;t really have all the answers (though they certainly did a short while later).  And yet they were PCI compliant.</p>
<p>This subject came to mind this week after news out of Boston about a loss of nearly 800,000 patient records by <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1516961,00.html" target="_self">South Shore Hospital</a>.  This first caught my eye because most (if not all) of my Boston-area nephews and a niece were born there and several of my in-laws had stays there over the past fifteen years.  My first thought was: how could this have happened?  There&#8217;s no doubt that they had some manner of controls in place to address this, which is how they first came to realize there was a problem.  When shipping almost anything there are tags and bar codes everywhere, so you know who picked up what, where they picked it up, when they picked it up and where it was moved to along the way.  I mean honestly, I can track a new Dell laptop across their production floor, onto a truck, through a few distribution centers and back onto a truck right up until it shows up at my front door.  How is it that something far more significant wasn&#8217;t tracked similarly?  And from all available information, it sure seems as though South Shore Hospital followed proper protocol on its end.</p>
<p>Still, despite having controls in place and being able to establish that the rules around those controls were followed, there are 800,000 former patients who have no idea who has access to their personal information.</p>
<p>This is a perfect example of why compliance by itself is not enough.</p>
<p>I&#8217;ve advocated for years that any regulation is an excellent starting point, but there&#8217;s a healthy dose of vigilance required in order to ensure the spirit and intent of that regulation are properly addressed.  At best, compliance is a point-in-time validation and absolutely no guarantee that the most significant risks are being properly managed.</p>
<p>When a client tells me that his goal is to be compliant with whatever set of regulations govern his industry, I counter with, &#8220;Your goal should be doing whatever is necessary to avoid being on the front page of your local newspaper.&#8221;  Hiding behind a statement claiming that you were compliant with all necessary regulations at the time of the security breach is cold comfort for your customers (or patients) and a poorly formed management strategy.  I&#8217;m willing to bet I can find 800,000 people to agree with me up in Beantown.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/controls-are-not-enough-when-securing-data/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
