Payment data continues to be the most sought-after by thieves, but other types of data, such as employee records and loyalty program information, held by retailers also need protection, says Lisa Sotto, an attorney at Hunton & Williams L.P. who specializes in data security matters.

“Retailers also are employers,” Sotto says. They hold data like employee bank account numbers for direct deposits, Social Security numbers, driver’s license numbers and health data, she says. Criminals who successfully get a hold of that type of data can use it to steal an identity, potentially using the identity to obtain fraudulent credit cards, she says.

Just how prevalent is non-payment data among breaches? Data compiled by the Open Security Foundation in its Data Loss Database shows that of the 369 reported incidents between Jan. 1 to July 21, 335 contained names and addresses, by far the largest type of data stolen. Social Security numbers were stolen in 144 incidents. Only 27 incidents reported the loss of financial data.

Regardless of the type of data to protect, Sotto says retailers cannot assume measures put in place a year ago continue to protect. Criminals change their tactics all the time, she says. “You can’t use yesterday’s tools because criminals are very sophisticated,” Sotto says. “You have to spend resources. It’s critical that retailers invest in this area.”

Sotto also advises that retailers make a point to limit the amount of data they hold. For example, does a loyalty program need to have a consumer’s birth date? If not, do not collect it, she suggests. A thieve can use a stolen birth date with other information, such as an e-mail address, to send a consumer a phishing e-mail in an attempt to get him to divulge additional sensitive information, Sotto says.

Phishing attacks are efforts by criminals to make an e-mail or web site look like that of legitimate brands to typically try to convince unwitting consumers to click to a site controlled by criminals to update their payment account information. Criminals then usually either sell that information to other criminals or use it to conduct fraudulent purchases.

“Making data security a part of the corporate ethos is critical,” Sotto says. It no longer is something to relegate as a secondary concern, she adds.