Despite a veritable avalanche of negative publicity for companies this year that got caught with improperly-handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers do not have any formal procedures in place to deal with protecting confidential consumer details.
One of the authors of that report, Steve Rowen, who also serves as the senior editor for the group’s Extended Retail Industry Journal, said there are many possible excuses for the absence, but it needs to change.
“It’s a little unnerving. Most retailers are talking a great game about securing customer data, but for whatever reason, whether it’s budgetary or the difficulty of an internal sell, they are not doing what they should be doing about it,” Rowen said. “There’s a disconnect between line of business and IT on this particular matter. When we have these conversations, most people say, ‘Well, we want to stay out of the headlines.’ From the research we’re doing, it doesn’t appear as though the proper measures are being taken to do so. It seems to be getting a lot of lip service and not a lot of action.”
Rowen cites several reasons, including cost (“the lack of an apparent ROI in security data”) and a retail IT desire to wait as long as possible. Many retailers told Rowen, “We’re simply going to react once there’s a reason to react.” (Listen to Rowen and others discuss this during a recent Web panel on data security.)
A much more likely—although discomforting—scenario is the ostrich strategy. That’s where senior retail execs bury their heads in the sands of meetings, hoping they’ll be invisible to security threats.
Why would retail IT execs do that? They know that any reasonable data security and privacy policy would set stringent restrictions on how data can be used, how long it can be stored and how many people can have access to it. The longer such a policy is delayed, the longer the data can be used in whatever way IT and marketing feel like using it.
This is not to suggest a deliberate, conscious decision, but more of a convenient avoidance for as long as physically possible.
Greg Buzek, president of retail consultancy IHL, equates the retail data privacy approach with avoiding a physician visit.
“It’s kind of like going to the doctor. If you’re fat, you don’t want to go to the doctor because you’re afraid of what the doctor is going to say or the labs are going to say, even though you’re the very person who should be going to the doctor,” Buzek said. “That kind of effect occurs here when it comes to retail data security. Man, if we go into this and we really dig into this, are we ready to find out what we will find out?”
Some of this avoidance can be seen internally, when the warning calls of technical managers are consistently, repeatedly and inexplicably ignored. “Whether it’s an IT employee or someone in network engineering, they’ll tell you that they see the value, that they have certainly been shouting warning calls within their organization, but that the warning is falling on deaf ears,” Rowen said.
Another reason for the security problem is that the amount of data being gathered today is far greater than had ever been anticipated by the designers of the security systems being used today.
“A truism in retail is that the only thing that grows faster than the proliferation of systems is the amount of data that is being collected, stored and manipulated throughout the chain. It’s hard to get a handle on where all of that data is,” Buzek said.
“It gets taken off a variety of different systems and stored in things like Excel sheets, and those Excel sheets are all over the place. This mass-retailing effect over the last 10 years simply has grown these businesses much further than security could handle. The proliferation of data and the proliferation of employees, and how many people are touching the data and Internet to the stores, and everybody having Internet at their desks and access to all these systems, all of that has simply gone way past what the security process is,” Buzek said.
Rowen agrees that the sophistication of today’s data collections has fallen far short of the capabilities of today’s data management systems. To state the obvious, IT can’t protect data it can’t find.
“The amount of data being collected is unfathomable. The real problem is ‘Where is it?’” Rowen said. “I think that an awful lot of times, retailers are caught not really knowing what their own systems are, whether their motivation for not attacking this is a fear-based thing or a cost-based thing or a communication-based thing, it doesn’t change the fact that there is a breakdown and a high level of siloed storage of this type of data.”
The data problem becomes part of a vicious cycle of a growing retail segment, with mega-chains like Wal-Mart forcing the decisions of other retailers.
“When you have data that grows exponentially and staffing that doesn’t grow or even shrinks, it causes quite a problem on the security front. That’s the effect of a Wal-Mart taking over so much of a marketplace,” Buzek said. “Everybody else is reacting to that and many are reacting by cost-cutting. When you cost-cut, one of the first things that goes is security.”
It seems that many retail execs need powerful fear-based reasons for setting strict security and privacy policies. OK, here are a few. A company today doesn’t even have to get attacked by a criminal hacker to be devastated.
As the Veterans Administration and others have recently learned, all that’s necessary is for an employee to take files home and be burglarized or perhaps take some disks and a laptop to the airport and lose the company property there. Whether the cause is criminal or careless, spying or sloppiness, the publicity from a breach can cripple a retailer’s reputation. And the media is in love with high-profile data problems. That’s Fear-Based Reason One.
Here’s Fear-Based Reason Two: competitive differentiator. In the same way that a handful of retail chains are using customer service as a differentiator to battle larger chains, it’s only a matter of time before a major chain will position itself as the consumer protector. It’ll have a privacy policy and do commercials and news releases whenever it wipes out consumer data. With paranoia as its ally, it’ll make its rivals’ lack of policy into a lack of caring. It may sound crazy, but is it any crazier than a retailer focusing on customer service? After all, most retailers see themselves working for the consumer goods manufacturers instead of the consumers. They see themselves as distributors of products, and they make money off of product placement.
Having strict data control policies is not merely the right thing to do; it’s also the safe thing to do.
Evan Schuman is retail editor for Ziff Davis Internet’s Enterprise Edit group. He has tracked high-tech issues since 1987, has been opinionated long before that and doesn’t plan to stop anytime soon. He can be reached at Evan_Schuman@ziffdavis.com.