By Roman Mykhaylyshyn
New and constantly evolving technologies, including those in the payments industry, are resulting in new products and services that have become an integral part of day-to-day life, and this trend is far from over.
However, as with most things, innovation comes with risks. With digital information becoming increasingly valuable, data breaches, private information exposure and cybercrimes (like ransomware, malware, cracking and social engineering) have caused disruption and have forced many organizations to invest in cybersecurity. But despite these security risks, the benefits of speed and convenience of these new technologies to the consumer (like contactless and mobile payments) can outweigh the risks of potential compromise.
A few industry-wide trends are evolving in the payment ecosystem that have an impact on consumer information and security:
- Payment streamlining. In the spirit of enhanced consumer experience, organizations will look to further improve payment processing by adopting innovative technology. With more players entering this space, data flow, cross-border information traffic, ongoing upkeep and maintenance of tech stacks—and encryption innovation and information security—will become even more important;
- Fraud. While traditionally considered a problem of financial institutions or individuals, organizations that process payments run the risk of improperly safeguarding consumer personal and financial information. In some instances, organizations store too much information or focus on the transaction-processing aspect of the interactions, with cyber protection considered a lower priority;
- Cost versus benefit balancing act. Frictionless transactions will require businesses to carefully consider the trade-off between potential fraud mitigation and revenue decline due to consumer attrition; and
- Cross-border transactions. With scale and market share gain being of importance to most businesses, especially in North America, one must be careful to determine the impact of data being shared across the border with regard to privacy and legal ramifications as well as data safeguarding.
While the onus and responsibility for the abovementioned actions often fall on the organization, being proactive and prepared to respond to information incidents has become a critical element of successful breach response strategies. Mandatory security safeguards breach notification came into force in Canada as part of the Personal Information Protection and Electronic Documents Act (PIPEDA) in November 2018, and advance preparations for incidents can be useful as a mitigating factor with regulatory bodies.
Credit reporting agencies can help as they have access to personal and financial information of millions of Canadians. Some of them offer breach response solutions available to help manage the customer lifecycle in response to a data security incident. Organizations can embrace advanced solutions that provide a robust breach response toolkit, comprising products, services and consultative assistance.
Steps to take
While each incident is unique and will require a tailored response, there are certain actions organizations will need to take, regardless of the nature of the incident. Investing in breach response solutions that assist in protecting consumers from potential identity theft and in preserving organizational reputation and credibility is no longer optional for organizations.
An organization’s cyber protection framework can be built on three key pillars.
- Readiness. “It is not a matter of if, but when and how badly” is not just a catch phrase. Having a proactive plan and arrangements in place could save a lot of time and cost, especially in a crisis. In the event of a breach, it’s important for organizations to prepare and activate a response plan to help protect their customers, and to have the right processes and partnerships in place to minimize potential damages.
- Response. Credit monitoring is often considered a default breach response tactic. While credit reporting agencies provide these services, organizations should continuously look to assist consumers by not just offering access to credit scores and credit alerts, but by also incorporating relevant value-add enhancements. Examples of such enhancements can include identity theft insurance, dark web monitoring and identity restoration.
- Remediation. While providing consumers with a level of protection is important, it is also important to have frameworks that can empower impacted individuals with relevant and timely education. Understanding “what” usually comes first, followed by “what do I do now?” Providing educational information through online resources, coupled with expertise and guidance facilitated by the dedicated breach call centre agents, can go a long way.
In today’s reality, any organization with digital access to consumer information is potentially vulnerable: from financial institutions, consulting firms, retailers and healthcare providers through to government institutions. In the event of a breach, it’s important for organizations to prepare and activate a response plan to help protect their customers, and to have the right processes and partnerships in place to minimize potential damages.
Roman Mykhaylyshyn is head of consumer solutions at TransUnion Canada (www.transunion.ca).