MicroBilt Corp., a Kennesaw, Ga., consumer data unit of Bristol Investments Ltd., is requiring that all its clients use Fair Credit Reporting Act training software, which it hopes will prevent data security breaches.
The software is aimed at eliminating human error in how data is handled, said MicroBilt, which was involved in a July breach regarding its data. It is one of several companies that have been hit with breaches and are taking steps to prevent recurrences.
MicroBilt said the training requirement has been in the works since late last year and predated the breach, in which a password belonging to a Wells Fargo & Co. user was misused, an incident that compromised the Social Security numbers of 7,000 people.
Brian Bradley, MicroBilt's executive vice president of strategy, marketing, and product development, said that misuse of its data is uncommon, and when it does occur, it is more typically an incident in which someone accesses a particular file in an inappropriate manner, rather than a large data breach.
The training software is meant to address "all those 'soft' kind of breaches that happen where somebody pulls a famous celebrity or even is pulling information on their spouses or relatives — things that … happen too frequently," Mr. Bradley said. These breaches are different from "the significant ones, like the one with Wells Fargo; those are the ones that make the news."
The training software costs $29 a user and will be mandatory for all MicroBilt customers starting next month. It is based on the training and certification services offered by ComplyTraq LLC, a joint venture between MicroBilt and Oscar Marquis, a former general counsel for TransUnion LLC and a partner with the law firm Oldaker, Biden & Belair LLP.
Mr. Bradley said the program is not a direct response to the Wells Fargo incident and would not address how clients protect their passwords.
The FCRA training course is the first of several MicroBilt will offer to cover various laws.
MicroBilt regularly monitors use of its data for breaches of the FCRA and other rules and reports them to law enforcement agencies. As part of that process, it must revoke access to its system for users who break the rules, and for the small businesses it serves, revoking a single user could be devastating, Mr. Bradley said.
"That data is central to the financing of purchases of cars and appliances, and it's a core part of small businesses in getting their business done," he said.
When MicroBilt detects a breach at one of its customers, "it's often the employee of our businesses, as opposed to the business owner, that is using that data improperly," Mr. Bradley said.
Small businesses may have only one employee authorized to use the system, so in some cases, "there are customers that we have to shut off," he said.
"Even though we lose business, it's part of what we have to do when we discover breaches."
Most companies that are involved in breaches offer remedies for the immediate incident, such as credit monitoring for the people whose data was exposed. Some companies are taking additional steps to prevent the problem from recurring.
In February, Bank of New York Mellon Corp. lost a data tape with the personal information of millions of people. Though initial reports said the tape had the data of 4.5 million people, the company said last month that an additional 8 million people had been affected.
Also last month, Bank of New York Mellon outlined steps it had already taken to eliminate the possibility of another breach. It said it no longer uses tapes to send data that it can instead send through an encrypted electronic transmission. It has also launched a companywide security training and awareness program.
A Bank of New York Mellon representative would not make an executive available to discuss its security policies.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that MicroBilt and Bank of New York Mellon are not the only examples of companies taking extra steps to prevent further breaches.
Several years ago "any large bank, such as Citi or B of A, that lost a data tape quickly moved electronic transfer to the top of their priority list," she said. Since then "there haven't been many big banks losing data tapes."
But by and large, companies that have been breached have been slow to make sweeping changes to their security practices on their own, she said.
For example, it took a mandate from the Federal Financial Institutions Examination Council to prompt most banking companies to put stronger authentication on their Web sites, Ms. Litan said. "It just seems to me that when it comes to the FFIEC guidance and a real fraud problem, they're not relying on training and good faith and audits."
She praised MicroBilt for monitoring its customers' use and catching breaches that would otherwise go undetected.
"Frankly, most of the companies don't do that, and they should," she said.








