Business Technology: Protecting Customer Data Is Good Business
Our insatiable appetite for customer data has overwhelmed our ability or our willingness to match those efforts with increasingly powerful privacy initiatives, Bob Evans says.
If you're a betting person, and you like to roll the dice on some futures, then I've got a tip for you on a market that's going to explode: chief privacy officers. Just as the rise of cybersecurity threats several years ago created the need for the CISO, or chief information security officer, so, too, will the current deeply unsettling string of customer-data security breaches trigger massive growth in what has until now been the important but nevertheless fairly arcane job category of chief privacy officer.
Speaking of arcane: In that last sentence, I refer to "customer-data security breaches," which is an inside-baseball term if ever there were one. Maybe, to help us focus more clearly on the full implications of these "breaches," we should drop that IT-industry descriptor and adopt a customer-oriented term: privacy disasters. Or broken privacy promises. Or massive privacy violations. Privacy lawsuits ... negligence and malfeasance ... reckless disregard for privacy ... failure to comply with Generally Accepted Privacy Principles ... privacy litigation ... privacy crimes. Is it a big stretch from there to jail time?
Look at the astonishing impact that Sarbanes-Oxley compliance has had on public corporations: how much time, effort, and money (that'd be $15.5 billion this year, according to AMR Research) those companies have had to expend to meet mandated requirements. In that context, it's certainly logical to speculate that legislators, armed with red-meat anecdotes about privacy screwups from a growing roster of large companies with thousands or even millions of customers, will climb all over each other to get in front of the cameras to announce that they, in the interest of the American consumer, have proposed federal legislation intended not only to safeguard the public's privacy but also to toss into jail any greedy corporate malfeasants whose companies don't meet mandated privacy policies, procedures, processes, and paperwork.
You think the fire under your keister is hot now with Sarbox deadlines looming? Well, just wait until the U.S. Congress starts pumping out 1,200-page books dictating what you will and will not do with regard to customer-data privacy -- when that lovely day comes, the only market as lively as the one for chief privacy officer futures will be the one for asbestos underpants.
But we have called this one down on ourselves. Our insatiable appetite for customer data -- our desire to collect it, store it, mine it, refine it, and combine it -- has overwhelmed our ability or our willingness (or both) to match those efforts with increasingly powerful privacy initiatives ensuring that no matter how exhaustively we manipulated those customer files, they could never, ever be lost or stolen or exposed. And because we failed to move as aggressively on customer safeguards as we did on customer manipulation, we are on the threshold of having a bunch of career political hacks dictate to us with mind-numbing precision exactly, positively how that consumer protection will be accomplished. We failed to fulfill a primary commitment to our customers, and they got burned because not enough of us were willing to do the right thing and instead settled for doing the easy thing. As a result, the day of reckoning is not far off.
So what do we do? Two choices: we can go cry in the corner and say the world's not fair, or we can begin to make the privacy of customer data as important in our daily operations and in our corporate cultures as financial reporting is. And if some of the recent disasters are any indication of the state of privacy art, then some huge gains can be made simply by no longer doing stupid things. Such as: "In March, ChoicePoint discontinued the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there's a specific consumer-driven transaction or benefit, or where the products support government and criminal-justice purposes," we wrote in a May 4 story. What that means is that until two months ago, when the company became the poster child for privacy disasters, ChoicePoint was perfectly content to sell information products containing sensitive consumer data where (1) there was NO consumer-driven transaction or benefit, and (2) where the products were NOT supporting government and criminal-justice purposes. Recognize your own company's behavior in those descriptions?
As Exhibit B, we have the forward-looking geniuses at Reed Elsevier plc's LexisNexis division, who, after letting 310,000 customer-data horses out of the privacy barn, are now trying to close the barn door by "truncating Social Security numbers displayed in nonpublic documents and limiting access to full Social Security and driver's license numbers to law-enforcement agencies, banks, and other legally-authorized entities." I guess that's all nice and sweet, but it also means that until the company became the featured star in the Security Screwup reality show, LexisNexis was perfectly happy to (1) display full Social Security numbers in nonpublic (or public?) documents, and (2) offer access to full Social Security and driver's license numbers to entities other than law-enforcement agencies, banks, and other legally authorized entities. Who made those policies? Who approved them? Who encouraged them? Do those people still have their jobs? I swear, some of this stuff goes beyond stupid -- it can only be described as an expression of mindless contempt for customers, and for the trust those customers placed in companies accumulating private data about them.
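The LexisNexis remediation above (truncate Social Security numbers in displayed documents, show the full number only to legally authorized requesters) is the one concrete control this column names, so here is what it looks like in code. This is an added illustration, not LexisNexis's system or anything the company has described; the role names, the regex and the sample document are all assumptions made for the example.

```python
import re

# Matches SSNs written as 123-45-6789 or 123456789. The digit lookaround keeps
# the pattern from firing inside longer digit runs such as 10-digit phone numbers.
# (Constructed for this example; real documents need format review per data source.)
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

# Requester roles that may still see full numbers. Assumption: the role names
# are invented here to stand in for "law enforcement, banks, and other legally
# authorized entities" from the column.
FULL_ACCESS_ROLES = {"law_enforcement", "bank", "legally_authorized"}


def _truncate(match):
    # Keep only the last four digits, which is what "truncation" usually means
    # in practice; unhyphenated input is normalized to the hyphenated mask.
    return "***-**-" + match.group(3)


def render_document(text, requester_role):
    """Return (rendered_text, masked_count) for a document shown to a requester.

    Authorized roles get the document unchanged; everyone else gets every SSN
    truncated. The count lets the caller log how many sensitive values were
    withheld, and a count of zero for an authorized role is worth auditing too,
    since that is the access path that matters.
    """
    if requester_role in FULL_ACCESS_ROLES:
        return text, 0
    return SSN_RE.subn(_truncate, text)


if __name__ == "__main__":
    # Constructed sample record; the numbers are not real.
    doc = "Applicant SSN 123-45-6789, alt 987654321, phone 5551234567."
    print(render_document(doc, "marketing"))
    print(render_document(doc, "law_enforcement"))
```

The point of returning the masked count rather than just the text is that the display layer can record which requests were served full numbers and which were truncated; without that record, the "limited access" policy is unverifiable after the fact, which is exactly the position the companies above found themselves in.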
The next nominee for Hall of Shame is the venerable Bank of America, whose bungling resulted in the loss of 1.2 million customer records. According to our May 4 story, those files were, simply, "lost in transit." What happened -- did the carrier pigeon get lost? Or maybe the shipping office didn't use enough duct tape strapping the drives to the pigeon's back before sending it off on its appointed rounds?
Say -- when was the last time you heard a story about Bank of America "losing in transit" massive piles of cash? Or gold? Or bearer bonds? Maybe the reason we don't hear about such things is because they don't happen, and maybe they don't happen because the bank makes the necessary investments and takes the appropriate precautions to ensure that they don't happen. The Bank of America story tells us something very clearly: The bank placed a low value on customer-data privacy. Now, bank officials can deny that up and down, and they can get all huffy and say all the right things like customer privacy is sacred, and we will spare no investment and our proud history shows this and that, but the fact is they lost those records because they didn't care enough about them. The company's solution? It "has implemented corporatewide package-delivery carrier services for backup tape transport, said Barbara Desoer, global technology, service, and fulfillment executive. The bank, she said, favors a 'national approach to information-security guidelines.'" Well goody-goody-gumdrops -- we should all sleep a whole lot better with that comforting knowledge in mind. A better courier does nothing for what is on the tapes, either: an unencrypted backup tape that goes missing is a breach no matter who was carrying it.
We all need to get a whole lot smarter about this, and a whole lot more courageous, and we need to make those transformations very quickly -- we've all been using tar-fired torches to look for stashes of dynamite, and the game is up. We need to sit with forward-looking colleagues and assess with very great candor the state of customer privacy in our companies -- and as the examples above show, simple and commonsense approaches could very well help us not only reduce our exposure but also increase our respect for our customers. As I mentioned a couple of weeks ago, we all need to get after these things not out of fear of getting caught or getting punished if our sleaziness is exposed, but because it's good business to be ethical and honest and trustworthy. To do the right thing.
The alternative will be sheer disaster. And if that's where we end up, then we can be certain of one thing: We richly deserve it.