Thursday, June 09, 2005

Not As Reassuring As They Might Think

So now we hear CitiFinancial is dropping backup tapes after data loss. Perhaps they're thinking that this announcement, together with the repeated statement that it was UPS that lost the tapes, will somehow show they care: "CitiFinancial plans to begin encrypting data and sending it to credit bureaus electronically after data tapes containing the personal information of 3.9 million customers were lost by UPS." This report actually does three things.
  1. Confirms that the lost tapes were not encrypted.
  2. Confirms that Citi knows that the data really should have been encrypted in the first place.
  3. Suggests that sending the data electronically is somehow safer than using a courier.
Try telling #3 to U.S. spy agenices that routinely use couriers versus networks for really sensitive data transfers. And don't forget that one of the largest holders of data about you, dear reader, has suffered several "losses" despite using electronic transfer instead of tapes:
And don't miss the really scary part of Citi's statement: "We and other lenders provide this information each month to credit bureaus...via nationally recognized couriers and require them to use enhanced security procedures to transport the tapes from our data center to the bureaus."

So, like I said in my last posting, large numbers of unencrypted tapes full of your financial details have been flying around the country for years. Untold numbers have likely gone missing, after all, if this was an isolated incident, Citi would be the first to defend their practice of using UPS by saying "This is the first time this has ever happened." It is only the new notification laws that are finally shedding light on this sad state of affairs.

Stephen

Tuesday, June 07, 2005

3 Things (The Cool and The Crap)

Middle Aged White Guys have a reputation for complaining about things and I'm no exception. Ask me to name 3 things that suck and I would have no problem naming 9:
  1. Credit scores
  2. The Dish Network 921 DVR
  3. The AC system on 1996 Jeep Grand Cherokees
  4. The Windows OS
  5. Prescription drug prices
  6. Prescription drug advertisements
  7. Prescription drug profits
  8. Ratio of drug company research dollars to advertising dollars
  9. Banks
I hope to complain at length about these subjects, and more, in future posts. However, by the time one gets to Middle Age it is clear that doing nothing but complain is not healthy, so here are 3 products that I have found to be very cool, meaning, in this case, they manage to work very well while breaking new ground:
  1. Treo 600 and 650 (the photo in the upper right of this page was taken with a Tree 600)
  2. Apple iPod (the real ones--not the Shuffles--make CD players seem so limited)
  3. Firefox web browser (tabbed browsing's now the only way for me to work the web)
Note: I am not employed by any of the makers of the above products. Come to think of it, I'm not employed by anyone but myself.

Stephen

Reasons to Believe

This week we 'welcome' a division of Citigroup to the ranks of major companies that have fessed up this year to 'losing' customer data (i.e. allowing copies of data about people--such as their names, addresses, phone numbers, Social Security numbers and other information that could be used to rip them off--to go missing).

This particular data, covering 3.9 million people, was on tapes being shipped via UPS. Citigroup said the tapes were lost by UPS Inc. "in transit to a credit bureau." So, three things to note:
  1. Misplacing data is nothing new--it's been happening for years--but the public has rarely heard about it before now. The fact that they are hearing about it now is mainly due to California's groundbreaking SB1386 notification law.
  2. Misplacing data tapes should not be a problem. All data tapes that leave the secure environment of the data center should be encrypted by default. That so many big companies are apparently shipping unencrypted tapes via ordinary shipping services is a disgrace, and definitely a failure to meet a reasonable standard of due care.
  3. Until one of these companies gets sued big time, this needless exposure of consumers to the risk of identity theft will continue.
Of course, in this case, as in others, the company was quick to say, "We have no reason to believe that this information has been used inappropriately." This sort of statement never fails to make me smile. Why? Think about it. A company that is so clueless about the value of customer data it hands millions of unencrypted records to a random delivery person is now claiming to be able to detect inappropriate use of said data. Yeah right.

The reality is that IT has delivered massive gains in productivity and profits over the last ten years. The nature of businesses and humans is that the true cost of achieving these gains lags behind the gain curve. It is time for corporate America to accept that data about customers requires way more protection than it has so far been afforded. Smart companies will maintain their edge by increasing security in smart ways. It doesn't have to cost the earth, but it does cost, therefore some will cut corners and lose customers (if I had a Citi account right now I'd be closing it).

Stephen

Thursday, June 02, 2005

Obligatory First Posting

Herewith, the obligatory first posting to Scobb's Non-Blog. So let me explain the title of this blog, which arises from three factors:
  1. Non-Blog? I don't plan on writing regularly.
    1. My schedule is unpredictable.
    2. Some days I don't have much to say.
    3. Some days I have a lot to say but lack the energy to say it.
  2. Non-Blog? I'm not writing in order to spark dialogue.
    1. I'm happy to hear what you have to say about what you see here.
    2. I'm not promising to respond to comments.
    3. If in doubt, see points 1.1, 1.2, and 1.3.
  3. Scobb?
    1. First name = Stephen.
    2. Last name = Cobb.
    3. Default email name at last three companies = scobb.
Now I am going to test the "Publish Post" button. If you can read this, it worked. Next time I post I will see if I can get the spell check to work.

Cheers...Stephen

p.s. Some free advice: Whenever you are asked to explain something--by the press, your boss, your partner--it is safe to assume there are three reasons, so start with that.