If you have been giving a modicum of attention to the news in recent months, it seems as though every month or two we hear about another major organization whose “secure and encrypted customer database” has been hacked.
Wikipedia contributors composed a long list of corporate entities that have been hacked in recent years. Using data compiled from various sources, including press reports, government news releases and mainstream news articles, listed are those involving the theft or compromise of 30,000 or more records each, although many smaller breaches occur continually.
It is estimated that the average cost of a data breach in North America will be more than $150 million by 2020, with the global annual cost forecast to be $2.1 trillion. It is estimated that in 2015 alone, 707 million records were exposed as a result of data breaches. Vigilante.pw lists over 2,100 websites which have had their databases breached, containing over 2 billion user entries in total.
In May 2016, Forbes magazine online published a report titled, “Top 5 Industries at Risk of Cyber-Attacks.” In order, the top five are Healthcare, Manufacturing, Financial Services, Government, and Transportation.
The estimated cost of a major system breach is between $100 and $200 per customer record — which includes post-breach costs such as lost business due to reputational damage, and costs associated with required communications and identity-theft services for consumers whose information has been compromised. This is a terribly high cost considering that preventing a breach is only about $8 per consumer record. This creates a strong motivation for institutions to spend more on preventing cyber intrusions.
An organization that has 25,000 records will have an estimated post-breach cost of $2.5 to $5 Million to clean up after a cyber breach. An organization with 100,000 records would bare costs $10 million dollars or higher.
Here’s some simple math related to a potential cybersecurity breach. Most collection agencies are required by various regulation to maintain collection records for at least five years. A medium to large national collection agency is estimated to have at least 5,000,000 records. In the event of a breach, an agency would be required to send letters to each consumer warning them of the breach and advising them what possible actions to take. Printing, processing, and postage is $0.57 per letter; the cost of the lettering alone would be $2.8 million. This cost alone could be enough to cripple an agency that is not carrying a cyber-attack insurance policy, leaving you with the responsibility of following up with your breached records.
How many consumer records does your government agency house? What is your organization doing to prevent a cybersecurity breach?
Do the collection agency(s), or other third-party vendors with whom you work take every measure to protect your consumer/citizen records? Do you know if your vendors have the best in Cyber-Security protections? Do you know have certified documentation of their policies and procedures for the housing and protection of your citizens records? Do they maintain a Cyber Insurance Policy?
I’m guessing that your RFPs and published competitive bids have specific requirements that ask a vendor to explain what measures, technologies, and certifications they have to protect consumer data from a breach. But, how many city, county and state entity RFP’s are requiring their vendors to maintain a Cyber Insurance Policy?
Check Your Vendors
Here at PRC, we strongly suggest that your organization have a very detailed and specific set of requirements that assure your vendors are protected against cyber-attacks and identity theft attempts. We would also recommend that you require your vendors to maintain a robust cyber-insurance policy for such possible breaches.
The primary and most essential step to ensuring cybersecurity is to require your collection agencies and other vendors to obtain and maintain certified processes and programs for all areas of their businesses. Any collection agency you work with should be maintaining an annual PPMS Certification.
PPMS is a compliance and quality control management system for collection agencies based on developing, implementing, and adhering to a set of industry-specific, professional practices and policies. This certification is maintained through the Association of Credit and Collection Professionals trade association. PPMS contains 18 elements, which broadly fall into the following four categories. Note: some elements appear in more than one category.
- Those which relate to the overall management of the business – all operational areas
- Those which relate to the human resource activities
- Those who provide support to the business’s activities – Training, Customer Service, Client Satisfaction, IT Management & Infrastructure
- Those who provide client confidence – Process & Client Satisfaction Measurements
You must also be sure that your collection agencies and other vendors obtain and maintain various certified processes and Certification Programs that assure your organization and your customers and citizens are protected from cyber threats.
For example, PRC considers information security an integral part of our business as well as the first line of defense against all potential internal and external threats to the business: physical, environmental, and computer-security related.
For that reason, we completed an extensive Multi-Scope audit through TECH LOCK ®INC. We engaged with TECH LOCK ®INC in 2016 to begin an extensive Security and Compliance auditing process and achieve TECH LOCK ® Certification. The TECH LOCK® Certified Audit standards aim to meet current applicable laws as well as creditor and issuer consumer data safeguards or controls.
Between our PPMS and TECH LOCK ® Certifications, combined with a Cyber Insurance policy, our agency is providing our customers with the greatest protections available in our marketplace. We encourage you to explore these measures for your own organization and require the from your vendors.
Patrick Miller is V.P. for Government & Utilities Business at Professional Recovery Consultants. You can reach Patrick at (866) 574-0803, or email him at pmiller[at]prorecoveryinc.com.