RICHARDSON, Texas — One financial institution's employee used simple FTP to transfer more than 1,250 customer account statements to a business partner, unencrypted and containing account numbers and names.

At another, an instant message attachment containing more than 800 similar records was sent to a marketing agency, unsecured and presumably ripe for the plucking by the unscrupulous in cyberspace.

Those and other similar incidents were culled by Intrusion Inc. (www.intrusion.com) and reported in a white paper the security specialist recently published.


Intrusion executives gathered the data from two to four weeks of screening more than 100 financial services organizations' external data output using the Texas company's Compliance Commander security-violation detection technology.

Intrusion Inc. executives stressed that participating institutions could not be identified from the data used in the study. "No personally identifiable information was used in the preparation of this study and only aggregate or de-identified data were used in compiling statistics," said Intrusion President/CEO G. Ward Paxton.

The institutions studied were in 16 states across the country and included small and large institutions such as banks and credit unions, the company says. Paxton said his firm's Compliance Commander systems picked up on a total of 121,829 incidents and that the majority of the institutions experienced "high-risk" incidents, defined as those which included personal information that could "reasonably be expected to cause significant loss or damage" to customers and members. The apparent violations of FFIEC, GLB and other regulations involved a wide range of transmission methods, including FTP file movement, SMTP e-mail, instant messaging and even custom Web services using proprietary protocol.

By category, the study found that 58.1% of the incidents involved movement of data to business partners, while 30.3% involved customer support. Mobile workers accounted for another 4.8%.

Of particular concern may be the 1.1%, or 1,346, of the incidents that Compliance Commander technology was able to identify as "targeted attacks," the company says. Typically more difficult to detect, "by their nature these attacks must be taken seriously," said Paxton. "They are criminal in their intent. They target your network. They target your customer information. And almost all the stolen data will end up in the hands of criminals."

While such attacks are perhaps the most nefarious, all unprotected movement of consumer data across the Internet should be of concern and could be potentially damaging, as the experience of such companies as ChoicePoint and B.J.'s Warehouse illustrates, according to the white paper.

"This study confirms that sensitive customer data are often exchanged with business partners as part of the routine operations of a financial services organization," said Paxton. "It also confirms anecdotal information from recent FTC enforcement actions–that companies are not adequately protecting customer data."

And it's not like they couldn't.

"Although many organizations had access to secure protocols for transfer of consumer data to third parties, our study found they were not always used," Paxton said.

"A significant number of data transfers to third parties were conducted across insecure channels–or 'out in the open.'"
