Abstract
This report analyzes the phenomenon of data breaches, defines their types and the reasons why they still exist, looks at their consequences, analyzes data breach chronology, and describes solutions for this problem that exist within the industry. The paper also proposes problem-solving strategies for mid-sized institutions (community banks) that help to prevent unauthorized data exposure and/or to react adequately in case it takes place. The report is designed for the executive management team of a mid-sized community bank looking for strategies to minimize the risk of data breach within their organization.
Introduction
During the past thirty years computers took their place in most contemporary businesses, becoming a place to store information, a means of communication, and, for many institutions, the most important and versatile working instrument in the office. This is especially true for banks. All of the information about customers’ checking accounts, loans, transactions, personal identification data, investments and more is stored on the hard drives and media devices used by the bank. This has changed how banks function, allowing reductions in paper workload but, at the same time, creating numerous possibilities for data loss and, as a result, financial breakdowns.
In today’s high-tech and criminally motivated times, banks have to deal with the constant threat of exposure of sensitive financial data and their customers’ personal information. The costs associated with data breaches are enormous. Data breaches bring financial and reputational losses, triggering loss of market capitalization, loss of customer confidence, and, of course, loss of potential and existing customers. The problem of data breaches is a big concern for millions of companies worldwide. Numerous strategies are devised, and thousands of security software products and hardware devices are designed and implemented, but the costs of losing personal and financial data are still becoming greater with each passing year.
The purpose of this report is to analyze existing information about data breaches, their effect on banks, existing problem-solving strategies, their prevalence and fallacies, and to create a strategy that is usable for preventing data breaches in mid-sized institutions. This report is written to highlight the current state of this problem, to look over data breach types and the existing measures for dealing with them, and to introduce a solution to protect mid-sized community banks. The paper is designed for the executive management team of community banks who are looking to protect their organizations from problems associated with data breaches.
This report describes a complex program of preventive measures to avoid data breaches as a solution for mid-sized institutions, describing the physical, hardware and software security measures crucial for preventing unauthorized data exposure.
Problem analysis
Data breach is a huge and costly problem that thousands of companies worldwide encounter. Banks, credit unions, merchants and other organizations suffer this “unauthorized acquisition of computerized data that endangers the security, confidentiality, or integrity of personal information maintained by the person or business” as defined[1] by California notification laws. In fact, according to this definition, data breach is a compromise in systems or a theft that results in the loss or misuse of personal information, which is protected by the state statutes.
According to these statutes, notification must be provided to the individuals impacted by the breach, including company owners, company personnel and/or customers, in addition to the individual consumers. According to the California Civil Code, shared by most states, personal information includes these types of data:
“any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.”[2]
Stolen by a wrongdoer, personal information fetches a hefty profit and leaves the victim with a huge number of problems related to identity theft. It is estimated that to repair the damage caused by identity theft, an average victim has to forego $25,000 and about 175 hours of time to deal with the fallout. U.S. companies and consumers spent about $50 billion a year to deal with the consequences, including restitution in some cases. Identity theft involves about 10 million U.S. citizens annually, exposing them to numerous financial, reputational and even criminal risks.[3]
Data breach is one of the most widespread, and at the same time, damaging cyber crimes. Cyber crimes are divided into three categories where a computer is:
A target;
The tool of the crime;
[4]
It is interesting to note that the computer is the target of a hacker and, at the same time, the tool of the hacker to breach the data and commit the theft.
There are different purposes for which personal information can be stolen. In most cases data breach results in using the victims’ credit cards and accounts, but it is also possible that the stolen information can be used for identity fraud – committing crimes under a false identity, and/or fraudulent documents. Stolen data allows criminals to create false identifiers, which allows them to spawn other documents which are then used for creating a totally credible identity that has access to all the data and facilities a normal U.S. citizen has.
This is one of the ways contemporary terrorists facilitate their activities. In addition, there is always a risk that stolen identity data will be used for creating false documents which can be sold to anyone willing to pay including illegal immigrants. Modern technology makes the forgery of these documents one of the easier tasks in this diabolical plot. [5]
Terrorism is inextricably connected to identity theft, as terrorists rarely use their real names for their activities. It is known that in the case of 9/11 several terrorists used false and/or stolen passports, credit cards, driver licenses etc. [6] In fact, stealing even a small piece of personal data can help a criminal to build a whole new, but credible identity, with a clear credit and criminal record.
With false documents, an identity can appear and disappear, making it harder to establish the true identity of the wrongdoer. Investigations started by the U.S. government after 9/11 revealed that identity theft was an “integral part” of many crimes committed by global groups of criminals, such as cyber criminals, drug traffickers, gun runners and others. [7]
Until recently data breaches were not such a debatable issue, and companies had much less motivation to enhance their security measures, as their reputation was not so badly tarnished because of them. Before the recent legal requirements were placed on businesses, companies were not required to publicize data breaches. Even a courteous notification depended on a company’s good will. This made it very difficult for citizens to take security measures to ensure the safety of their credit accounts, and other financial information.
But after notification laws were enacted in California and other states, companies became obliged to notify customers about the threat of their personal data being used, in order to let them protect their financial wellbeing and reputation. [8] According to the 2003 FTC survey, half of the identity theft victims did not even know that their personal data had been stolen and that they were under threat.[9] In 2002 California enacted S.B. 1386, the first legislation requiring organizations to inform people in case of unauthorized exposure of their personal records. [10]
Moreover, there were other imperfections in U.S. law that made it easier for wrongdoers to collect the personal data of unsuspecting citizens. When there was no disclosure agreement between company and customer, companies had no obligation to protect personal data from disclosure to third parties. Of course such obligations existed for doctors, lawyers and some other categories, but online stores, pay-to-use sites and other organizations were not obliged to enhance security measures to ensure that their customers’ personal data would not be stolen and used by third parties. [11]
The number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 was 218,621,856 as of February 26, 2008. [12] Here is a shortened chronology of the most notorious data breaches of the last three years:
| Date | Name (Location) | Circumstances | Number of Affected Records |
| --- | --- | --- | --- |
| Feb. 25, 2005 | Bank of America (Charlotte, NC) | Lost backup tape | 1,200,000 |
| April 28, 2005 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | |