As the Justice Department situation highlights, the government has its own problems with data security. Two reports by the Government Accountability Office in the last 14 months have found that agencies aren't doing enough to reduce the public display of information like Social Security numbers in public records. A November 2004 report found that 63% of court records and 59% of the records of recording officials made Social Security numbers available to the public. A second report said that Social Security numbers were available in public records in 75% of U.S. counties and 41 states and the District of Columbia.
IT managers shouldn't need laws to force them to protect the personal data of customers and employees. But it's a difficult job. Data can be compromised in many ways: absent-minded posting of data on Web sites, lax controls in handling backup tapes, failure to encrypt, deployment of new systems before security is adequately tested, and the hacker practice of "skimming" data from magnetic strips when credit cards are slid through readers, a technique thought to be used in the Sam's Club incident.
A breach can have long-term consequences for a company, beyond damage to its reputation. BJ's Wholesale Club and DSW Inc., both of which were facing FTC charges for failing to adequately protect consumer data, agreed to implement comprehensive information-security programs and subject themselves to security audits every other year for the next 20 years.
At ABN Amro, the scare caused by its misplaced tape convinced it to replace backup tapes with electronic data transfers across a secure network when it needs to move data to credit-reporting agencies. Health insurer Empire Blue Cross says it has stopped using Social Security numbers as health-care plan ID numbers and has shipped cards with new numbers to all of its members.
Other businesses had better take their own steps before they become the next data-security headline. Security 101 is to write a formal security policy and take a data inventory to determine what's most at risk. Firewall traffic must be monitored for suspicious activity, and managers should get very familiar with all the ways data can leave company networks and systems. It also can't hurt to establish access controls, ensuring that only those who truly need sensitive customer data can get at it.
Encryption of backup tapes is "one of the few areas in information security where both the industry and the vendors are woefully behind," Shipley says. The ideal approach is to deploy tape drives that have encryption built into the hardware, which would help protect the data on tapes, even if they fall into the wrong hands. Several vendors, including Cybernetics, Quantum, and Sun Microsystems, plan to introduce such products this year.
Software-based encryption can also go a long way toward protecting data. Vendors like Decru, Kasten Chase Applied Research, and NeoScale Systems sell products that let companies encrypt data en route to tape devices. Businesses also can encrypt subsets of data at the operating system level before specific files are backed up, but this approach is often hard to deploy in transaction-oriented database environments that haven't been designed for it.
The most important policy companies can put in place is one that protects data at rest, as well as data that's transported over networks or on tapes. "The fact that companies haven't factored this in as a potential threat is scary," Shipley says. "As a community, we've got a lot of work to do in 2006."
That may just be the understatement of the new year.
-- with Elena Malykhina and J. Nicholas Hoover