Millions of consumers are put at risk each year as companies lose control of customers’ personal data. In just one recent incident, the FTC announced a settlement with two companies for failing to protect highly sensitive information, including Social Security numbers, for many thousands of consumers--and the FTC says that it has brought 34 similar cases against businesses since 2001.
Congress has tried to tighten consumer data security, but has so far failed. For example, the Senate’s Data Security and Breach Notification Act of 2010 died in committee late last year. Similar efforts are expected in this session of Congress, especially in the wake of the recent hacking of Sony’s consumer database.
While there are steps consumers can--and should--take to protect themselves (see also our June issue story, Your security with your electronics, for more tips), preventing data theft really starts with the companies that handle your personal information.
Here’s a code of conduct we think that companies should follow to be better custodians of their customers’ sensitive information:
1. Promptly notify customers of data breaches posing identity theft or fraud risks.
Swift notification is crucial when a breach exposes an individual's name along with other identifying information such as address, phone number, Social Security or driver's license number, account numbers, date of birth, mother's maiden name, passwords, or other security codes that give outsiders access to their accounts.
As Sen. Richard Blumenthal (D-Conn.) said in letters lambasting Sony executives for the "egregious inadequacy" of their efforts to notify customers about data breaches posing serious security risks: "When a data breach occurs, it’s essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised."
2. Disclose specifics on what type of personal data has been exposed in a breach.
The degree of risk that results from a data breach, and the steps victims will need to take, vary based on what type of information has been compromised. If only names and e-mail addresses are stolen, phishing is the main risk that victims face. But if the compromised data includes Social Security numbers, crooks can make fraudulent charges on existing accounts, set up new accounts using a different mailing address, and commit medical identity theft.
Risk also is heightened if thieves have customers' answers to security questions--such as names of pets, favorite teachers, or their first car--because with that information, they can change passwords and take control of accounts.
3. Offer victims two years' worth of free credit monitoring services.
Even though such monitoring services aren't foolproof, they can help ease the burden on victims who may be feeling overwhelmed and vulnerable. Perhaps even more important, if both breach notification and provision of credit monitoring for consumers hit by data breaches are made mandatory by federal law, as some bills have proposed, companies have a stronger financial incentive to do a better job of safeguarding consumers' data in the first place.
4. Encrypt sensitive data using up-to-date industry standards.
The Federal Trade Commission recently filed charges against a payroll processing company that was breached after indefinitely storing Social Security numbers and direct deposit information for 28,000 consumers in clear, readable text.
Personally identifiable data about customers should always be encrypted, following guidelines established in Federal Information Processing Standard 140-2, which applies to any company that wants to do business with the federal government involving data that is sensitive, but not classified.
Encryption is not a cure-all, however. In order to be used, data needs to be decrypted at some point. Criminals often exploit holes in the programs that actually work with that data, so great care must also be taken to keep encryption keys safe. Doing so is often difficult, which underscores why companies should not collect more sensitive data than is needed to conduct a given transaction and should retain it no longer than absolutely necessary.
5. Treat consumer data as if it were the CEO’s bonus.
Attitudes regarding the importance of information security are set from the top, yet to the astonishment of information security industry professionals, Sony did not even have a chief information security officer until it created and filled that post in the wake of its headline-grabbing breaches.
Whether customers' personal information is in digital form or on paper, it should be handled as the precious commodity it truly is. Among the high-profile breaches reported in 2009 was an incident at a state university where years' worth of payment information for every student--including Social Security numbers, credit card numbers, and tax records--was haphazardly stashed in boxes or unlocked filing cabinets in an open storage area near one of the most heavily trafficked areas on campus.
Such lax security practices could lead to substantial fines in some European countries. And Canadian Privacy Commissioner Jennifer Stoddart recently proposed a strong-stick approach for companies that are negligent, saying: "It seems to me that it is time to begin imposing fines--significant, attention-getting fines--to companies when poor privacy and security practices lead to breaches."
Want to know more? Check out our June 2011 "State of the net" feature story, Online exposure.