Editor’s Note: This is the second installment of a two-part roundtable discussion on identity theft. Part 1 examined the scope and source of identity theft, and can be found on page 100 of Insurance Journal’s April 17 West region issue. Visit www.insurancejournal.com.
Identity theft is a growing concern, and “begs” for an interdisciplinary response — not just an IT department — to deal with the problem. To evaluate the need to fold in service partners, as well as the roles of technology and consumer education in addressing an issue that affects an estimated 9 million Americans annually, KPMG’s “Technology Insider” assembled a panel of professionals from its Data Governance and Information Privacy Team for a roundtable discussion.
The participants included:
- Scott B. Moritz, director for KPMG Forensic;
- Hugh C. Kelly, principal for Financial Risk Management;
- Joanna Taylor, senior associate for Financial Risk Management;
- Linda H. Gallagher, principal for Financial Risk Management;
- Carolyn Greathouse, manager for Financial Risk Management;
- Doron M. Rotman, audit and RAS managing director for Information Risk Management; and
- Grace Brasington, account relationship director for Information Risk Management.
Here’s what they had to say about the ways corporations are fighting the issue.
Technology Insider: How closely do companies have to work with vendors and other business partners to fight identity theft?
Brasington: This is not only an infrastructure issue within a financial institution or a retailer. In many instances, companies have offshore operations. So not only do those organizations need to be cognizant of what their risks are, but also the information they are providing to service-providers. Who also touches the information? Who are the providers, and what information do they have access to?
Rotman: In the hi-tech space, we saw at least one global company that started a vendor privacy program in which it contacted all of its business partners and vendors, and the company assessed them at predefined intervals, based on the level of sensitive or personal information each held.
We saw another hi-tech company that actually changed vendors for its 401(k) and pension plan because the provider refused to make some commitments on privacy and information sharing.
Gallagher: The other thing that we’re seeing in financial services is concern about check couriers, and making sure that the checks that are collected from various end-points, which have client information, are not missing.
Also, a very large service-provider that works with financial institutions was concerned because some of its clients were requesting more information about what they are doing to protect information. We have been assisting [the service-provider] in taking a look at what they currently do and providing an end-state document that says, “This is what you ideally want to do to restore confidence with financial institution customers.”
Technology Insider: What else are companies doing to combat identity theft? What is the role of technology?
Brasington: I’m seeing a far-more-increased awareness of how critical are some of the initiatives we’ve always had from a privacy perspective. And I’m seeing much more integration with my clients, in which they are pulling their own teams together that are multi-disciplinary. They are talking to the various infrastructure enablers inside their organizations and pulling those teams together.
Gallagher: I’m going to take a different perspective. Some of the real obvious leaders in the financial services space are mobilizing. What I am not seeing, however — and I think it is the biggest concern — are comprehensive, enterprise-wide risk assessments. By virtue of not having that, many companies are not in a position to get senior management and reports in snapshot fashion on the risks that they are facing.
Rotman: The lack of an enterprise-wide assessment is often because the company is focusing on technology — how the computer systems are taking care of those issues. One of the things that is missing in a lot of cases is reviewing not only security, but also privacy.
It’s not just in the computer systems. It has to go down from not only tone-at-the-top, but actually feeding into front-line employees and determining how are they dealing with the paper on their desk, how are they dealing with the phone calls that they handle, those types of things.
Moritz: They just necessarily have to take an enterprise-wide approach because they have to map where the information is — the paper or electronic data that is important for them to protect. Most organizations have no idea where it is, who’s got access to it and what processes they have in place to prevent its inadvertent disclosure or theft.
Whatever drives an organization to take a look at itself from an enterprise-wide basis, they’re going to get ancillary benefits from having done so because there are so many different overlapping things.
It could help with anti-money-laundering, privacy, identity theft risk, or other types of compliance. They are going to facilitate communication across that organization. They are going to find exposures and be in a position to plug those exposures. And that can only happen when they take an enterprise-wide approach.
Technology Insider: What role do regulations play in fighting identity theft?
Kelly: There are specific requirements under the privacy laws today, and going forward, they are going to get more stringent. It will require compliance work at a much more detailed level. The examiners are probably going to ratchet up their expectations and drill down more.
I think we are going to see a few financial institutions saying they thought they were complying, but now there are some specific privacy rule requirements they had not paid attention to.
Taylor: For financial services, there is confusion about exactly what financial institutions are required to do to comply with all those regulations and, in some cases, I think banks are spending a lot of money doing things twice.
Technology Insider: Does consumer education play a role in reducing identity theft? Are consumers part of the problem?
Brasington: They can be, but I think the media has done a phenomenal job of educating consumers in terms of, say, dealing with suspicious e-mail messages. If you are not familiar with what you are seeing, and they say “please update your account,” consumers know they should not go to the Web site.
Gallagher: Look at the Citigroup identity theft commercials. I think they have been very compelling.
I will say that the bank regulatory agencies have acknowledged recently, by virtue of guidance, that the consumer plays an extremely important role in this process and that consumer education is critical in managing this epidemic.
Moritz: Overnight, the Internet became a safe place from the consumer’s perspective. There are as many bogus Web sites out there as there are legitimate ones. And there are other Web sites that don’t have proper security around the information that they collect. I don’t know that there’s a lot of widespread awareness in that area.
Rotman: It’s really a fine balance. On the other hand, if you do not provide customers with a good level of security, something could happen, and you risk losing them. The thing you really need to balance is ease-of-use versus the risk.
Christopher Westfall is managing editor of KPMG’s “Insurance Insider.” This article is being reprinted with permission from KPMG’s Insurance Insider. Copyright 2006 KPMG LLP. All rights reserved.