This latest breach of customer data at Wells highlights an issue that Banks are just not getting the message about. I don’t know the specifics of the Wells breach, but based on the theme of this post, there is absolutely NO reason for customer data to be resident on an employees laptop. Very few data breaches are as a result of hacking. More likely they result from physical theft of hardware, and that is avoidable.

Finextra: Wells Fargo hit by data breach

News of the latest Wells Fargo breach comes after reports of the theft of computer equipment containing confidential data from a Vancouver branch of TD Canada Trust.

The bank told reporters last week that the stolen equipment may have contained names, addresses, dates of birth, social insurance numbers, account numbers, bill payment details, transactions and balances.

Meanwhile earlier this month two men were arrested by the FBI on charges related to the illegal access of computers containing personal identification information of Countrywide Home loan customers and the illegal sale of the data.

Why do I say that? Employees are required to perform data analysis and all sorts of analytics. They are required to relationship manage customers, which requires data, right?

Of course these employees are required to do those things, but the Bank’s are doing them a disservice by providing a poor toolset. This is another aspect of not moving with the web lifestyle, embracing it, security and all.

First off, there is this new thing called internet. Data can be retained in ‘the cloud’. Customer data should never be permitted on a portable computer that leaves secure premises. I am now at a social lending company, and we do not even allow customer data on our premises, let alone on anyones computer. Its just not necessary.

Next, which data is required to be used. There is a concept that expert programmers and developers have teach called ‘abstraction’. The concept can be applied to any use of data. It means that the data that is to be analysed does not have identifiable customer information located with it. In that instance there some ability to prevent fraud because if the data is stolen, it is just useless data.

Finally, data that is confidential, and not abstracted, ie identifiable, must only be analysed on secure computers inside the enterprise.

In any event … rule # 1 – never allow customer identifiable information on to a portable computer that is allowed to leave secure, locked down areas in your organisation.