Monday, June 06, 2005

Reasons to Believe

This week we 'welcome' a division of Citigroup to the ranks of major companies that have fessed up this year to 'losing' customer data (i.e. allowing copies of data about people--such as their names, addresses, phone numbers, Social Security numbers and other information that could be used to rip them off--to go missing).

This particular data, covering 3.9 million people, was on tapes being shipped via UPS. Citigroup said the tapes were lost by UPS Inc. "in transit to a credit bureau." So, three things to note:
  1. Misplacing data is nothing new--it's been happening for years--but the public has rarely heard about it before now. The fact that they are hearing about it now is mainly due to California's groundbreaking SB1386 notification law.
  2. Misplacing data tapes should not be a problem. All data tapes that leave the secure environment of the data center should be encrypted by default. That so many big companies are apparently shipping unencrypted tapes via ordinary shipping services is a disgrace, and definitely a failure to meet a reasonable standard of due care.
  3. Until one of these companies gets sued big time, this needless exposure of consumers to the risk of identity theft will continue.
Of course, in this case, as in others, the company was quick to say, "We have no reason to believe that this information has been used inappropriately." This sort of statement never fails to make me smile. Why? Think about it. A company that is so clueless about the value of customer data it hands millions of unencrypted records to a random delivery person is now claiming to be able to detect inappropriate use of said data. Yeah right.

The reality is that IT has delivered massive gains in productivity and profits over the last ten years. The nature of businesses and humans is that the true cost of achieving these gains lags behind the gain curve. It is time for corporate America to accept that data about customers requires way more protection than it has so far been afforded. Smart companies will maintain their edge by increasing security in smart ways. It doesn't have to cost the earth, but it does cost, therefore some will cut corners and lose customers (if I had a Citi account right now I'd be closing it).

Stephen

No comments: