TJX breach: There's no excuse to skip data encryption

Companies complain that database encryption products are too expensive and difficult to manage, but customer loss and breach notification costs outweigh encryption expenses.


Behind the firewall with Dennis Fisher:

The revelation Wednesday that Framingham, Mass.-based retailer TJX Companies Inc. suffered a network intrusion and data theft sometime last month has kicked off another round of wailing and gnashing of teeth about the epidemic of such incidents in recent years. But anyone who has been paying attention knows that these intrusions have been going on for decades. The only difference now is the notification laws in California and dozens of other states that compel companies to publicly disclose any incident in which customer data may have been compromised.

Those laws have resulted in the almost daily reports of data thefts at universities, government agencies and companies large and small. Clearly, this kind of legislation is a net positive for consumers, alerting millions of people to threats to their credit ratings and bank accounts that they otherwise would be unaware of. The laws also have helped push the issue of data security into the boardroom and the executive suite, which is where it belongs. Multimillion dollar fines tend to do that.

However, the constant drumbeat of media reports on these incidents seems to have had the effect of making many consumers blasé about the dangers. I see people on TV who have been affected by these thefts saying there's nothing they can do about it, so they're not going to worry. I hear corporate PR folks saying that they're working diligently to protect consumer data, but these incidents are almost unavoidable in today's world.


Absurd. The truth is, there's plenty that both corporations and consumers can do to effect change. To start with, any enterprise that stores customer data--which is to say all of them--should be encrypting that data. There's no excuse for not taking such a basic precaution.

Companies complain that database encryption products are cumbersome, expensive and difficult to manage. Really? You know what else is expensive and difficult to manage? A data theft. It's bad enough that attackers are able to get inside the perimeters of these companies, but they certainly shouldn't be able to find any unencrypted customer records once they get there. One caveat, because it is where encryption projects usually go wrong: encrypting the table buys nothing if the key sits beside it where the same intruder can read it. The keys have to be held and managed separately from the database, so that a copy of the data alone is worthless. The same goes for government agencies. Just do it.

Next, there needs to be some standard on how long companies are allowed to store customer data. It's not enough for them to say in their privacy policies that they won't sell or misuse customer data. Once it's stolen, they don't have much control over how it's used. Companies like TJX, BJ's Wholesale Club, Guess, Victoria's Secret and others that have been hit by data thefts have no real reason to keep data such as credit card numbers, phone numbers and addresses indefinitely. The card brands' rules already forbid storing the full magnetic stripe and card verification code after a transaction is authorized; retention limits for the rest of the customer record should be just as explicit. Companies keep it to build out their marketing databases, and they keep it because no one has said that they can't.
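To make the two points above concrete, here is an added example (mine, not TJX's code or any vendor's product) of what "encrypt the customer record and don't keep it forever" looks like at the application layer. It assumes a hypothetical customer table (`Row`), a data-encryption key handed to the application from outside the database (an HSM or key service in practice; a constructed 32-byte value here), Go's standard-library AES-GCM, and a constructed test card number. The card number is stored only as ciphertext with the customer name bound in as associated data, so a dump of the table yields nothing usable and a ciphertext moved onto another row will not decrypt; a retention purge drops the ciphertext on old rows so the full number cannot be recovered even with the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Row is a customer record as it would sit in the database (hypothetical
// schema for this example). The full card number exists only as AES-GCM
// ciphertext; the last four digits stay in the clear for receipts.
type Row struct {
	Name      string
	Last4     string
	PANCipher []byte // nonce || ciphertext || GCM tag; nil once purged
	StoredAt  time.Time
}

// Vault wraps the data-encryption key, which is supplied from outside the
// database (in practice fetched from an HSM or key service at start-up).
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store encrypts the PAN before the row is written. The customer name is the
// associated data, so a ciphertext copied onto another row fails to open.
func (v *Vault) Store(name, pan string, now time.Time) (Row, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Row{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(name))
	return Row{Name: name, Last4: pan[len(pan)-4:], PANCipher: ct, StoredAt: now}, nil
}

// Reveal decrypts a row; a modified ciphertext, a swapped name or the wrong
// key all fail authentication instead of returning garbage.
func (v *Vault) Reveal(r Row) (string, error) {
	ns := v.aead.NonceSize()
	if len(r.PANCipher) < ns {
		return "", errors.New("no card data on row")
	}
	pt, err := v.aead.Open(nil, r.PANCipher[:ns], r.PANCipher[ns:], []byte(r.Name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPAN is the check an intruder with a copy of the table would run:
// does the stored field contain the card number in the clear?
func LeaksPAN(r Row, pan string) bool {
	return strings.Contains(string(r.PANCipher), pan)
}

// Purge applies a retention limit: rows older than maxAge lose their
// ciphertext, so the full number is unrecoverable even with the key.
func Purge(rows []Row, now time.Time, maxAge time.Duration) []Row {
	out := make([]Row, 0, len(rows))
	for _, r := range rows {
		if now.Sub(r.StoredAt) > maxAge {
			r.PANCipher = nil
		}
		out = append(out, r)
	}
	return out
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	now := time.Date(2007, 1, 17, 0, 0, 0, 0, time.UTC)
	pan := "4111111111111111" // constructed test number
	row, _ := v.Store("A. Customer", pan, now.AddDate(0, -3, 0))
	fmt.Printf("stored last4=%s, plaintext in row: %v\n", row.Last4, LeaksPAN(row, pan))
	got, err := v.Reveal(row)
	fmt.Println("reveal with key:", got, err)
	kept := Purge([]Row{row}, now, 30*24*time.Hour)
	_, err = v.Reveal(kept[0])
	fmt.Println("reveal after purge:", err)
}
```

The design choice worth noting is that the key never touches the database host: `NewVault` takes it as a parameter, so an attacker who copies the table, or even the whole database server, still has to get the key from a second system. Binding the name as associated data is cheap and stops the "swap the encrypted field between rows" trick; the retention purge is what limits the blast radius for records that should never have been kept this long in the first place.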


Finally, consumers can start voting with their wallets and staying away from companies that are careless with their data. Why continue to spend money in a store that has proven it would rather save a few thousand dollars by not securing its networks than protect your personal information? There are plenty of other places to shop. Don't be lazy and just shrug it off; let these companies know that what they're doing just isn't good enough, not anymore.

It's also time to stop pretending that all data thefts are created equal--they're not. A careless employee leaving a laptop in a taxi or a Starbucks is one thing. No matter how good your security policy is, you can't stop people from being dumb; full-disk encryption on that laptop at least turns the loss into a non-event. But for a large multinational company like TJX, with a multimillion dollar security budget, to suffer a breach on the networks holding its most sensitive data is something else entirely. That's just plain laziness, or perhaps ignorance. Either one is unforgivable for a company with more than $16 billion in revenue last year.
