Securing A Solution To Data Theft

One of the most popular stories on our site over the last two weeks was "PIN Scandal 'Worst Hack Ever'; Citibank Only The Start," followed closely by "International Citibank Customers Shaken By Data Breach." Day after day, one or both made our list of the five most popular headlines.

I'm guessing another story posted Monday, about two large botnets hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, will grab similar reader interest.Little wonder. The banks involved in the first story were huge, with huge IT budgets and even bigger data stores. We all bank and use ATMs, and many use debit cards. And regarding the second story, most of us shop online to various degrees. It just isn't hard to imagine yourself as one of the current--or future--victims of these scams or dubious security policies.

If those stories caught your eye, you're going to want to read the sobering follow-up, this week's cover story on the sorry state of data security. Grab a cuppa, pull up a chair, and take 10 minutes to read it through. Check out the related links, including our interactive graphic, and while you're at it take our quick poll on data security.

If you had any doubts prior to reading this package about the depth and breadth of this issue, it should be crystal clear afterwards that the biggest IT-related problem facing this country right now is data security.

This issue cuts across, and connects, multiple areas of society--legislative, law enforcement, social services, commerce, consumers, and, of course, IT.

It's an issue that must be dealt with if businesses, government agencies, and our health care system are to realize the cost savings they dream about and the services of tomorrow they promise. If some concrete, serious steps aren't taken, many consumers will either step away from the keyboard or never jump on in the first place. There have already been a number of polls and studies documenting consumer nervousness about the security of their data.

Meanwhile, the government wants us to file our taxes online, the health care industry wants to computerize our medical records, the banks want us to bank online, and businesses want us to shop online. And that's just the tip of our electronic economy. If the public backs away from transacting its business online, it would be disastrous.

We know data will never be 100% secure, but neither should it be protected by the high-tech equivalent of Swiss cheese, nor should it be allowed to fall into the hands of hapless or careless workers.

Especially because only some of the data we're forced to hand over is relevant to the transaction we're trying to complete, or the service we need, or the information we want. And never mind that overstated maxim that says consumers "willingly" hand over personal data. For the most part, we don't really have a choice. It's hand it over or be shut out or be economically or time disadvantaged.

As I've said before, if companies and agencies want to be able to collect--nay demand--this data, then it's incumbent upon them to accept the responsibility for safeguarding that information. This should be the case regardless of whether it resides on their systems or the system of a third party, be it a credit processor or one of those "third-party business partners" that we can't seem to stop anyone from selling or giving our data to.

And to make sure the collectors act responsibly, appropriately, and soon, there needs to be painful consequences if they fail.

We simply should no longer have to read about lost laptops filled with the personal data of employees and customers! (Why can't the laptop user dial in to a secure server and save the work there when they're done? Why are they storing sensitive data on their laptops anyway? What's the matter with these people?)

We should no longer have to read about lost tape shipments and unencrypted data. (Why is anyone today even storing sensitive data unencrypted? And here, by the way, is a perfect and immediate use for RFID tags: tracking shipped tape drives.)

We shouldn't have to listen to any more weak-kneed excuses about how the problem really lay with the processes of some third-party partner. Nah uh. The primary vendor collected our data, and that's where the buck has to stop. It's up to them to formulate a data security policy and reasonable parameters for their third-party partners, such as what kind of data to store, in what form, where, and for how long. And they then need to take whatever steps are necessary to ensure that those partners meet that standard. If they can't do that, then at minimum they shouldn't be sharing the data.

Fear of consequences, or at least future consumer outrage, probably played a role in Visa's speaking out this week, claiming that some point-of-sale software may be storing PINs in violation of industry rules. And we shouldn't for even one minute allow companies to get away with not immediately informing individuals whose data has definitely been stolen or could have been compromised. (Why should I have to call the Boston Globe to find out if my credit card information was among the data it inadvertently printed on the paper used to wrap packets of newspaper? Why doesn't it figure out whose data was compromised and then alert them? Isn't that the least they can do?).

You can bet that the first time any major bank or credit card issuer has to individually inform 350,000 customers that their personal data was hacked will be the last time it happens, at least due to some stupid, preventable reason.

And we also shouldn't allow our legislators to wimp out on addressing this problem. We need solutions with real teeth. Consistency in the expectations and penalties should be the plan because many of the companies targeted by hackers and thieves are nationwide. And laws, such as the one proposed by Sens. Patrick Leahy and Arlen Specter, which would require only companies that store information on more than 10,000 people to have to formally enact various security policies, are ridiculous. What are they saying? If you only store data on 9,999 people, you don't need to train your staff and make sure adequate security is practiced by your third-party service providers? That's absurd.

I really think we've reached the point of "no pain, no gain" in this situation. And not just for the companies that fail to safeguard our data. We need to come down hard on the people who steal the data, empty bank accounts, and destroy credit.

The record fines slapped on ChoicePoint were certainly an impressive wake-up call, but unless we make it generally painful for the collectors and processors of data to mishandle, lose, or otherwise fail to secure this country's personal data, a) data won't be personal for long, and b) public trust in the safety of electronic systems of all kinds will erode, and efficiency, productivity, and market growth will stall.

We also need a coordinated, concerted effort focused on plugging the leaks we can plug and eliminating stupid human tricks from the equation. This means getting the affected parties working together on technical solutions, standards, best practices, and training in order to achieve a base level of security we can all be comfortable with.

We're not going to be able to go very far forward if we don't get a grip on this problem of ensuring data security, and soon. It's time we stopped thinking all these companies and organizations have a right to collect our data and start demanding that they treat it like the privilege it is.