Unsurprisingly, aggregators of financial data are a major target of cybercrime. Some mortgage lenders and brokers have taken steps to invest in security detection and incident response capabilities, but there are key lessons to be learned from each and every data breach. These include:
1. Attackers can steal millions of personal identities in just a few hours, so shutting down all systems and applications may have limited value to breach victims.
2. Although breach notices can be wordy, they are still light on content and include no information about how the breach took place and who is responsible.
3. Critically, breach disclosures rarely include guidance for victims who are now left wondering when they’ll hear about someone using a password in their own name or get a call about a mortgage taken out by an impersonator.
Is it possible to ethically articulate a breach notice letter that emphasizes accountability and delivers actionable guidance to victims, without increasing liability and further damaging the all-important brand? Most likely.
Do I think it’s high time for data breach regulations to enforce standardized reporting communications that use a useful, common language and contribute to privacy protection? You bet.