Fast forward to today, and the size, scale and ease of escape of financial crime are vastly different and arguably infinitely more lucrative. Most financial crimes of the 21st century start with data collection. Today's financial criminals have developed sophisticated data collection tools, typically in the form of computer malware, that sit unnoticed on unprotected or compromised database servers. This malware is designed to capture, store and transmit specific fields of data back through a chain of servers to the financial criminal, who is typically located in a foreign jurisdiction beyond the reach of US criminal prosecution. These criminals then either sell the collected data on criminal online marketplaces or use the data to commit further fraud themselves.
Many of the data breach stories in the news of late have focused on the credit/debit card systems of large retailers, including Target, Home Depot, and UPS. Credit/debit card data is targeted by financial criminals because there is an active online marketplace for it. While a credit/debit card data breach is of serious consequence to the retailer and the card issuer, the amount of consumer data stored on the magnetic stripe of a credit/debit card is fairly limited, so the consumer impact of such a breach can be somewhat contained.
The database of a payroll company, however, contains detailed consumer information in thousands of logically associated records, including name, address, SSN, DOB, bank account details, etc. Protecting this data is mission critical for your payroll company and for the payroll industry. The costs of a data breach are large and would most likely financially overwhelm a typical payroll service bureau:
These costs do not include reputational and client attrition costs.
So what's an independent payroll company to do to combat the potential company-destroying effects of a data breach? Here are several preventative measures to implement today:
- Conduct an annual IT security audit. These are becoming more frequent as part of the scope of work within an SSAE16/SOC1 audit.
- Discuss with your liability insurance carrier the costs and benefits of a cybercrime policy and accurately define the potential exposure limits.
- Conduct detailed and regular due diligence on your payroll software vendor(s) about their database security initiatives and best practices. Evaluate your data reporting processes associated with any system that is outside of your core payroll software platform.
- If your software is hosted at an offsite datacenter, understand where the datacenter's roles and responsibilities for data protection start and end.
- Ensure that anti-malware/anti-virus software is installed across your network and kept up to date. Ensure that IT security logs are reviewed frequently and that anomaly detection alerts/notifications are responded to immediately.
- Have a data breach plan in place as part of your risk management procedures.
There are hundreds if not thousands of modern-day Willie Suttons out there trying to make a living stealing consumer data. You will never hear about them and most likely they will never be prosecuted, but you do have the ability to fight back by taking the initiative to protect your data. Why do you hack a payroll company? "Because that's where the data is."