The Going Gets Hot

Is that a bead of sweat on your forehead? The list of companies suffering customer-data losses keeps growing. Here's what you can do to avoid being next.

As if angry customers, declining consumer confidence, and the threat of fines weren't enough, business executives have something new to mull on the troubling issue of lost or stolen customer data. Two U.S. senators are floating the prospect of jail time for business leaders who knowingly conceal such breaches. If top managers can't secure data in a well-guarded environment, well, perhaps they'll find themselves in one.

Things aren't that dire yet, but it's a sign of how fed up people have become with the endless reports of customer data that's been hacked, stolen, lost in transit, or otherwise mishandled. Strategic planning is probably in order to address the problem, but some steps can't wait. Business and technology managers must take action right away. Today wouldn't be too soon to start.

The broadening scope of the gaffes shows no company is immune. CardSystems Solutions Inc. earlier this month revealed a security breach that, according to MasterCard, exposed data on potentially more than 40 million payment-card accounts. UPS Inc. recently lost tapes containing the names of 3.9 million Citigroup customers. Bank of America, Ameritrade, and Time Warner have lost backup tapes, too. In March, DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers.

No wonder the president of the American Automobile Association of Reading-Berks in Berks County, Pa., wanted to speak with IT director Peter Wallace after he heard about the CardSystems fiasco. The topic: his organization's own level of security. "The news out there makes people ask questions," Wallace says.

That's a good starting point. But you'd better have some good answers--or get them fast. A Deloitte Touche Tohmatsu survey found that only two-thirds of financial-services firms queried had a defined security program in place, and 18% were drafting one.

One reason for the laggards may be a continuing disconnect between top-level executives and IT-security managers in some companies, says Dave Stampley, general counsel and compliance specialist at Neohapsis Inc., an information-security consulting firm. (Stampley writes an online column on security for InformationWeek.) That's partly because the vocabulary of system security--encryption, firewalls, patch management--doesn't translate easily into business-speak, he says. However, with financial losses and brand damage ratcheting up, the fact that data security is critically important is dawning on top executives. The threat last week from Sen. Arlen Specter, R-Pa., and Sen. Patrick Leahy, D-Vt., of legislation prescribing prison sentences, drives the point home.

The first steps for any company reassessing its data-security posture are to take an inventory of all data assets, especially customer data and other sensitive information, and determine the company's vulnerability and what might happen if that data were to be lost or stolen, says Ken Silva, chief security officer of security-software company VeriSign Inc. and former technical director with the National Security Agency.

HNTB Corp. already takes care that sensitive internal data isn't exposed to outsiders, IT manager Travis O'Dell says. But the engineering firm's human-resources department wants to raise the bar two notches. It wants to encrypt employee medical data and store the information in a secure area that only employees can access.

Businesses also are scrutinizing how they move data around, both when sharing it with business partners and customers or for backup and archiving purposes.

Data encryption is one area where companies-including some with detailed customer-data-protection plans-see a chance for immediate gains. Too many have been lulled into a false sense of security by hiring professionals to transport unencrypted tapes to off-site facilities. "The moment someone picked up the tapes, we felt the chain of security hadn't been broken," says Joshua Levine, chief technology and operations officer at E-Trade Financial Corp., which hasn't reported any major breaches or data losses. "Now we recognize we should have thought, 'What happens if the chain is broken?'"

Since its brush with notoriety, Bank of America has taken steps to improve its tape-tracking procedures, and it's testing data encryption. Likewise, Citigroup next month will begin sending encrypted data electronically, rather than unencrypted on physical tapes. And BMO Financial Group (formerly the Bank of Montreal) is considering changes. "We're looking at solutions that could encrypt a tape so that the risks of losses during transit are minimized," says Vivek Khindria, senior manager of security practices.

Acxiom Corp., which maintains huge marketing databases of consumer information, was itself the victim of several highly publicized hacking incidents in 2002 and 2003 and has since taken extensive steps to strengthen its security practices. The company not only encrypts data as it's transmitted to clients, but increasingly is encrypting stored "data at rest," says chief security leader Frank Caserta. Acxiom is encouraging clients to do the same and is even providing them with encryption tools and services.