Cyber Defense Magazine – August 2019


Are You Taking Corporate Social Responsibility or Driving the Getaway Car?


While it is true that consumers need to take it upon themselves to use the tools available to protect them,
such as multi-factor authentication or biometrics in place of user-chosen PINs and passwords, corporations
also need to step up to the plate in a big way to thwart these attacks. They need to understand that, as the
target, they must put the proper controls in place to stop fraudsters armed with stolen information from
getting into customer accounts, not only because it is the right thing to do morally, but also because the
reputational risk of doing too little can be tremendous.


Although the global voluntary International Standard ISO 26000 identifies consumer data protection and
privacy as a key consumer issue that corporations should address, it is only guidance for organizations in
the public and private sectors that want to operate in a socially responsible manner. It is not the law of
the land.


To help pivot companies toward taking the right cybersecurity steps, a handful of U.S. lawmakers are
working to enact legislation to prosecute companies and their executives who fail to protect consumer
privacy. In Canada, measures have already been taken to remedy this issue. The Personal Information
Protection and Electronic Documents Act (PIPEDA) requires Canadian businesses to report any breach
of privacy (any loss or mishandling of PII that might lead to a real risk of significant harm such as financial
loss or identity theft) to the Office of the Privacy Commissioner of Canada. According to PIPEDA, “Failure
to report the potential for significant harm could expose private-sector organizations to fines of up to
$100,000 for each time an individual is affected by a security breach, if the federal government decides
to prosecute a case.”


In the U.S., the Corporate Executive Accountability Act proposed in early April by Sen. Elizabeth Warren
(D-Mass.) would impose jail time on corporate executives who "negligently permit or fail to prevent a
violation of the law that affects the health, safety, finances or personal data" of one percent of the
population of any state. While in spirit this proposal is a welcome attempt to address a massive and growing
issue, it applies only to companies that generate more than $1 billion in annual revenue and that are either
convicted of violating the law or settle claims with state or federal regulators, which ultimately leaves
most data breaches unaddressed given their size and scope. A slightly more aggressive
data privacy law proposed by Sen. Ron Wyden (D-Ore.) would give executives up to 20 years in prison
for violations of their customers' privacy.


But should companies wait for laws to be put in place, or should they be ahead of the issue?


How Can Businesses Grab Hold of this Issue?


For starters, it is a shared responsibility among CISOs and IT teams, as well as fraud and operations teams,
to understand the fraudulent entry points into their businesses. As the channels a business offers grow, so
too do the points of entry for fraudsters. Fraudsters do not approach account access in a siloed manner.
Instead, they take advantage of the growing range of channels and devices (mobile apps, contact centers,
smart speakers, etc.), using all of them as entry points into an organization. In addition, new and repeat
career criminals attempt to steal from institutions every day. If they find a weakness in a channel, they
will keep going back to that channel and then turn to another one when the initial channel no longer works.
And even if some industries see the number of frauds committed over the voice channel appear to decline,
call center agents are still heavily targeted by fraudsters and socially engineered to
