Individuals who have discovered unauthorized charges on their credit cards or learned that someone has used their name to take out a loan are not alone. A recent CNN/Money magazine article reports that more than 13 million people were identity fraud victims last year, up from 12.6 million in 2012, based on a recent study by San Francisco-based Javelin Strategy & Research. It was the second-highest number of victims in the 10 years Javelin has conducted its study.
With fraud on the rise, consumer data is at risk. Just this year, thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target. For years, retail organizations and financial institutions have known that having payment card numbers in their company databases required some level of protection. Now hackers, fraudsters, and thieves are going beyond the card numbers to obtain customers' personally identifiable information (PII). They use this stolen data to make purchases, develop fake IDs, take out fraudulent loans, and perpetrate other illegal activities. Internal auditors need to add protecting credit and debit card information to their long list of fraud threats.
Three States of Data
PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. This includes information such as credit card, checking account, social security, and driver's license numbers that uniquely identify an individual. Businesses collect such information whenever someone makes a purchase. This enables companies to verify that the person using the payment method is authorized to do so and is who he or she claims to be.
Although collecting customer data is a good business practice to prevent fraudulent activity, the moment organizations bring PII into their databases, they become custodians of it. As custodians, they are obligated to protect that information. Additionally, auditors have a duty to point out instances where customer PII may need to be protected, and they should look critically at internal systems where customers' data is available for all to see or access.
To protect PII, auditors need to know where it exists in their organization. Data security experts consider data that needs to be protected to be in three distinct states:
- Data in use. Data on terminals, displays, hand-held devices, paper reports, or other devices that employees use to do their jobs.
- Data at rest. Information stored on file servers, computers, tablets, or information repositories such as email and Web servers.
- Data in motion. Data sent over networks.
Knowing the state of the data goes a long way toward understanding how to protect and audit it. In most cases, the data at rest needs to be safeguarded. This usually is done through encryption. However, in some cases data is not encrypted because management may believe that the data is on a protected device or network. The other reason people will not encrypt data is because of performance issues such as the time needed to encrypt and decrypt the data. In either case, if the protected device is somehow compromised, the data would be in plain sight and at risk.
Encryption also is the preferred method of protecting data in motion. However, depending on the networks in use, it may not be possible to encrypt data if the receiver of the information does not have a way to decrypt it. In such cases, the organization should consider implementing other data security measures such as password protection, security keys, and biometric identification.
Above all, internal auditors need to be aware of the exact information the organization is trying to protect and the cost associated with protecting it. Additionally, as this is primarily a data security issue, the information security group should assist in any projects in this area.
Once internal auditors know which information needs to be protected and how to do so, they need to perform a simple inventory to find out where it exists in their organization. For example, auditors should use a spreadsheet to perform the inventory analysis. On one side, the auditor should list each application system, hardware device, report, and item that may contain PII. At the top, the auditor should list the three data states — data in use, data at rest, and data in motion — and use a simple check to identify whether PII exists. Next to the cells in the spreadsheet where the PII exists, the auditor can add a column to indicate how that PII item is protected or note where the data is in plain sight and may need additional protection. This spreadsheet can function as a road map to locate all the organization's PII data and identify the method used to protect it. Moreover, it can demonstrate the organization's due diligence in protecting this information.
Now that auditors know where all the data resides, they can scope and plan to assess the organization's risks. In addition to testing the encryption in place, auditors should focus on controls over how data is used as well as appropriate data security policies and procedures. Based on the inventory analysis, auditors can decide whether the data is at risk of compromise and then decide on an appropriate protection method. Some examples include:
- If PII is in clear text on a report, procedures need to be in place for those reports to be protected, secured when being used, locked away when not in use, and disposed of appropriately (i.e., shredded) when they are no longer being used.
- If PII is in clear text on a screen from an application that many people can access, the auditor should recommend that the fields on the screen be masked with asterisks or encrypted so only certain individuals in the organization who need to identify customers can see the full information.
In addition to these areas, auditors should check that backup storage devices that contain PII are protected, as these often are overlooked.
Staying Out of the Headlines
As attackers increasingly target customer PII, internal auditors need to discard their old assumption that outside forces are primarily after internal information such as company secrets, business strategies, and financial data. With customers' data increasingly threatened, internal auditors have an obligation to help protect this information from prying thieves — or run the risk that their organization will be the next business in the news.