A senior official at a private sector bank took along with him information about the bank’s customers, as he moved to another bank for better career prospects. Such and other instances of data theft go undisclosed by banks for fear of damage to the reputation.

The risk of data theft in the financial services industry is high considering the kind and amount of customer information that’s stored at banks.

In the US, the annual loss suffered by corporate as well as individual customers because of data thefts is estimated to be in excess of $50 billion.

There is no information on the extent of data security breaches in India and the losses suffered by customers.

In the US, it is mandatory to make disclosures of every data thefts.

“In India, the issue is that there is no regulatory requirement to disclose data thefts. Companies do not disclose data breaches as it would lead to loss of reputation and also loss of business,” said Vishal Gupta, chief executive officer of Seclore Technology, a company incubated by IIT Mumbai.

Seclore is an enterprise information rights management company providing risk mitigation from information leakages while enhancing collaboration and data security.

To secure data, banks have begun to ensure access to information is only on a need to know basis. “Also, no one is allowed to copy the information to which they have been provided access,” said Vishal Salvi, chief technology officer at HDFC Bank.

Some companies have also begun to track how an employee is using (or misusing) the information that he/she possesses.

This is done by having an application built into a document to ensure that it is accessed only when the computer on which it is being accesses is connected to the internet. If the employee tries to open the document off-line, the embedded application will ensure it does not open.

Seclore’s Gupta said it is necessary for a fundamental shift from context based or perimeter security to a more information centric security mindset.

“Security control can be made to travel with the information wherever it goes, instead of securing just the environment in which the information is used. Also, this control is dynamic and can be aligned to dynamic business relationships,” Gupta added.