The Conference Board Review® Article

Why Isn't Our Data Safe?

Because CEOs aren’t being sent to jail for lapses.

By E.J. Heresniak


E.J. Heresniak consults for a variety of businesses, drawing on more than thirty years of experience with IBM, McGraw-Hill, Standard & Poor's, and academia. Visit his website at www.gatestreetpartners.com or e-mail him at edheres@aol.com.

Almost every month, sometimes almost every day, there is a security incident in which a company loses a tape or a disk or a laptop, has its mainframe hacked, or otherwise, for no good reason, lets people know information about you and me that they have no business knowing — like a Social Security number, mother's maiden name, credit-card number, or medical condition.

Often, we'll get a letter from a company we've done business with saying how sorry they are, reassuring us that while someone cracked their system, we're safe and they care about us. Some companies even use a security lapse as an opportunity to offer a future protection plan, which is like handing a pregnant teen a condom at the end of her first trimester.

Take the Maine-based grocery chain Hannaford, victim of a recent nefarious intrusion. I can remember going to the supermarket only once, when I went to somebody's wedding in Maine, and it might be a good thing that I paid cash. Recently, Hannaford discovered that someone snuck a piece of code into its computer systems that picked out credit-card numbers and other information being routed around the company's IT network. Of course, the Maine attorney general's office investigated whether the store did everything it could to prevent things of this sort, but I'd bet the Hannaford people spend more time preventing me from sneaking a can of peaches out of their store than they spend on keeping their IT systems secure.

Even while the Hannaford hack was still going on, the company claimed it was "in compliance" with security standards required by the Payment Card Industry Security Standards Council, a coalition founded by credit-card companies. What kind of nonsense is that? If such standards can't stop what happened at Hannaford, they're totally useless and not worth the computers they're written on.

Meanwhile, a few months ago, the Associated Press reported that someone got into the computer of Advance Auto Parts, a car-parts supplier, and may have borrowed the financial information of up to 56,000 customers at fourteen stores in eight states. The company sent letters to customers telling them the horse was gone but that they were working with "a security expert" to fix the barn door. The dateline of the story was April 1, but this was no joke.

Last year, I got a letter from the HR vice president of IBM, my former employer, telling me that the company lost a copy of my employment records because one of its vendors got sloppy and lost a tape. So much for outsourcing critical functions. You would think that IBM would be a little more sensitive to losing people's stuff — particularly the personal information of former employees — if only to demonstrate to potential clients that the company "gets it" when it comes to securing client data.

As a result, IBM offered to pay for "ID TheftSmart Enhanced Identity Restoration and Continuous Credit Monitoring," a protection program developed by Kroll, a risk consulting firm. (Only IBM could recommend a program with a name like that.) To get the "protection," however, I had to provide Kroll with the same personal information that IBM lost in the first place. If Kroll was going to be so damned good at protecting my personal information, how come IBM didn't use them to begin with and save me the trouble? And what's the consequence to IBM for losing my Social Security number and employment information? There is none.



Return to the July/August 2008 The Conference Board Review® issue.
