Behind the firewall with Dennis Fisher:
The revelation Wednesday that Framingham, Mass.-based
retailer TJX Companies Inc. suffered a
network intrusion and data theft sometime last month has kicked
off another round of wailing and gnashing of teeth about the
epidemic of such incidents in recent years. But anyone who's been
paying attention would realize that these intrusions
have been going on for decades. The only difference now is the
notification laws in California and dozens of other states that
compel companies to publicly disclose any incident in which
customer data may have been compromised.
Those laws have resulted in the almost daily reports of data
thefts at universities, government agencies and companies large and
small. Clearly, this kind of legislation is a net positive for
consumers, alerting millions of people to threats to their credit
ratings and bank accounts that they otherwise would be unaware of.
The laws also have helped push the issue of data security into the
boardroom and the executive suite, which is where it belongs.
Multimillion dollar fines tend to do that.
However, the constant drumbeat of media reports on these
incidents seems to have had the effect of making many consumers
blasé about the dangers. I see people on TV who have been affected
by these thefts saying there's nothing they can do about it, so
they're not going to worry. I hear corporate PR folks saying that
they're working diligently to protect consumer data, but these
incidents are almost unavoidable in today's world.
Absurd. The truth is, there's plenty that both corporations and
consumers can do to effect change. To start with, any enterprise
that stores customer data--which is to say all of them--should be
encrypting that data. There's no excuse for not taking such a basic
precaution.
Companies complain that database encryption products are
cumbersome, expensive and difficult to manage. Really? You know
what else is expensive and difficult to manage? A data theft. It's
bad enough that attackers are able to get inside the perimeters of
the companies, but they certainly shouldn't be able to find any
unencrypted customer records once they get there. The same goes for
government agencies. Just do it.
Next, there needs to be some standard on how long companies are
allowed to store customer data. It's not enough for them to say in
their privacy policies that they won't sell or misuse customer
data. Once it's stolen, they don't have much control over how it's
used. Companies like TJX, BJ's Wholesale Club, Guess, Victoria's
Secret and others that have been hit by data thefts have no real
reason to keep data such as credit card numbers, phone numbers and
addresses indefinitely. They do it to build out their marketing
databases and they do it because no one has said that they
can't.
Finally, consumers can start voting with their wallets and
staying away from companies that are careless with their data. Why
continue to spend money in a store that has proven it would rather
save a few thousand dollars by not securing its network than
protect your personal information? There are plenty of other places
to shop. Don't be lazy and just shrug it off; let these companies
know that what they're doing just isn't good enough, not
anymore.
It's also time to stop pretending that all data thefts are
created equal--they're not. A careless employee leaving a laptop in
a taxi or a Starbucks is one thing. No matter how good your
security policy is, you can't stop people from being dumb. But for
large multinational companies like TJX with multimillion dollar
security budgets to suffer breaches on the networks holding their
most sensitive data is something else entirely. That's just plain
laziness, or perhaps ignorance. Either one is unforgivable for a
company with more than $16 billion in revenue last year.