10 Data Security Lessons of 2015

Data Doesn't Disappear

Ashley Madison, a dating site for cheaters, made a promise it couldn't keep: It said that it could delete users' data without a trace (for a fee) if they choose to leave the site. But its breach proved the data was still out there, and this is a problem other companies face with containing payment data as well.

Crime Never Stops

After a massive data breach in 2008 prompted Heartland Payment Systems to scour its systems for any previously overlooked vulnerabilities, the payment processor still wasn't able to shore up its defenses completely. This year, it dealt with a different kind of breach a physical burglary, in which four computers were stolen from a payroll office. The machines might have contained personal data of 2,200 people.

A customer tries out the new Touch ID fingerprint scanner on an Apple Inc. iPhone 5c during the launch at a Verizon Wireless store in West Valley City, Utah, U.S., on Friday, Sept. 20, 2013. Apple Inc. attracted long lines of shoppers at its retail stores today for the global debut of its latest iPhones, in the company's biggest move this year to stoke new growth. Photographer: George Frey/Bloomberg

George Frey/Bloomberg

Fingerprints Don't Do Enough

Apple popularized the use of fingerprint authentication for mobile devices and payments, but even its Touch ID system isn't foolproof. Phones protected with Touch ID can still be unlocked with a PIN, so Apple plans to raise the minimum PIN length to six characters when it updates iOS this year.

Glitches Make Headlines

The so-called glitchfest, a series of tech outages affecting an airline, a newspaper and the New York Stock Exchange, raised red flags throughout the financial services industry. Though the problems were chalked up to coincidence, regulators still took notice and reached out to banks to check in. Those banks had to make sure they had a plan in place in case something nefarious was going on.

PCI Compliance Is Hard to Hold

Staying compliant with the Payment Card Industry data security standard is tough work; Verizon's 2015 report on PCI trends found that less than a third of companies overall are found to be fully PCI-compliant less than a year after a successful validation. Richard Moulds, vice president of product strategy at Thales e-Security, put it bluntly: "Companies fall out of compliance almost instantly upon achieving it."

Physical Security for Digital Systems

Just because a system is digital doesn't mean that firewalls and encryption are the best tools to defend it. "You could have the most secure bank in the world with locked doors, three-foot thick fences and gates that come down at night, but they still have an alarm inside of it," said Javelin analyst Al Pascual. There are software-based alarm systems that can alert a company when a cyber-intruder inevitably gets through its defenses.

Consumers Can Help...

With mobile banking apps, consumers can manage any aspect of their accounts on the go. They can limit their card's spending to certain merchant categories or temporarily shut the card off entirely if it gets misplaced. If a bank wanted to, it could even use these tools to place the liability for fraud on the consumer thus giving the consumer an incentive to use these anti-fraud tools proactively.