Three days in a row. Today Chase reported a mid-summer breach of 465K pre-paid card accounts. Add to that the digital identity losses reported on the 4th by Facebook, Google, and Twitter (2,000,000 hacked accounts), and the debit and credit card system failures at RBS and NatWest on the 2nd that affected thousands of banking customers in the middle of peak shopping hours (not enough IT, says CEO Ross McEwan). Traditional identity systems and networks based on cards, PINs, passwords, SSNs, firewalls, and marginally successful security strategies (PCI DSS 3.0, for one) continue to fall prey to IT complexity gremlins and hackers.
Data breaches are becoming an all too common occurrence, and the reality of the problem is much worse than current events and perceptions suggest, because the general population is only aware of publicly disclosed breaches. We are not aware of the multitude of breaches that are not under any disclosure mandate, or that have not yet been detected (the recent Chase disclosure, case in point). The latter category is a very large number by most estimates, since it can take months or even years before an organization detects a breach and has sufficient information to disclose it.
This environment demands disruptive thinking, and fewer but bigger bets on the future of digital identity protection and privacy mechanisms. We're in an environment now where protections and policies built on 1st and 2nd platform IT capabilities fall far short of the threats and capabilities in a 3rd platform digital world supporting the mobile and social lifestyles of individuals and businesses. To fuel some new thinking, it would be helpful to construct an all-in index that collectively measures breach severity in terms of monetary, productivity, and brand loss, and the systemic impact on identity supply chains.
What would you include in a breach economic index? Here are a few ideas --
- Number of identity related records
- Type of record (personal data, account data, transactions)
- Fraud enabled (account take over, wire transfers, money laundering)
- Notification costs
- $$ and productivity write-off potential
- Market share impact
- Supply chain impact (other businesses or transactions potentially impacted, consumer productivity loss)
- Identity protection costs
- New IT investments required
- New skill set investment required
Regulations and existing security strategies will not solve this problem, in my opinion. Breaches are no longer a binary proposition where an organization either has or hasn't been breached. Instead, they are wildly variable in their severity and ramifications for the breached organizations, their customers, and their supply chains.
Part of the answer might be a breach economic index. How would you build a BEI?