As data compromises of various sorts continue to threaten the security of digital payments, the Accredited Standards Committee X9 Inc. this week issued a standard it says covers both data protection and breach notification.
The new standard, “Financial and Personal Data Protection and Breach Notification,” also known as X9.141, is broad, covering both financial and non-financial data, the Annapolis, Md.-based standards body said. It is based on existing rules from the National Institute of Standards and Technology (NIST), but expands on them, X9 added. The new document’s purpose, X9 says, is to clarify rules for protecting data and for notifications when breaches occur.
“A clear need for a data-protection and breach-notification standard has been recognized for years by major industry groups,” said Alan Thiemann in a statement. Thiemann is a partner with Han Santos PLLC and general counsel for Conexxus, a Louisville, Ky.-based provider of compliance software for content management. “In a joint letter to Congress in 2017,” he continued, “seven organizations called for one strong national standard for all personal data, whether financial or non-financial in nature, eliminating the current inconsistent patchwork of laws. X9.141 is the realization of that goal.”
The new standard comes as known data compromises totaled 1,291 through the third quarter, involving more than 281 million victims, according to data from the Identity Theft Resource Center. Compromises include breaches but also exposures and leaks, according to the ITRC. On the current trend, the number of compromises this year will top the previous record of 1,529, set in 2017, the organization projects. Recent reports have also highlighted a growing threat of fraud as the holiday-shopping season approaches.
Breaches account for the bulk of these compromises. In the third quarter alone, breaches totaled 417 out of 446 known compromises, according to the ITRC data, or 93%. Cyberattacks involving phishing, business email compromise, and ransomware and other malware lie at the root of most of the compromises, the organization says.
The rising threat of identity fraud resulting from data breaches is leading some companies specializing in fraud-prevention tools to bulk up their resources through acquisitions. The latest example emerged Thursday with an announcement by GB Group PLC, a provider of software for prevention of identity fraud, that it has agreed to lay out $736 million to acquire Acuant Inc., a specialist in identity-verification technology.
Part 1 of the new X9 standard includes requirements and recommendations for protection of financial data, the standards group says. Part 2 lays out a breach-notification process, with reference to federal and state laws.