Retailers Take Ostrich Approach to Consumer Data

Opinion: Most retailers still do not have a formal incident response plan for consumer data security. The most likely reason: Such a plan would tell retailers things they don't want to hear.

Despite a veritable avalanche of negative publicity for companies this year that got caught with improperly-handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers do not have any formal procedures in place to deal with protecting confidential consumer details.

One of the authors of that report, Steve Rowen, who also serves as the senior editor for the groups Extended Retail Industry Journal, said there are many possible excuses for the absence, but it needs to change.

"Its a little unnerving. Most retailers are talking a great game about securing customer data, but for whatever reason, whether its budgetary or the difficulty of an internal sell, they are not doing what they should be doing about it," Rowen said. "Theres a disconnect between line of business and IT on this particular matter. When we have these conversations, most people say, Well, we want to stay out of the headlines. From the research were doing, it doesnt appear as though the proper measures are being taken to do so. It seems to be getting a lot of lip service and not a lot of action."

Rowen cites several reasons, including cost ("the lack of an apparent ROI in security data") and a retail IT desire to wait as long as possible. Many retailers told Rowen, "Were simply going to react once theres a reason to react." (Listen to Rowen and others discuss this during a recent Web panel on data security.)

A much more likely—although discomforting—scenario is the ostrich strategy. Thats where senior retail execs bury their heads in the sands of meetings, hoping theyll be invisible to security threats.

Why would retail IT execs do that? They know that any reasonable data security and privacy policy would set stringent restrictions on how data can be used, how long it can be stored and how many people can have access to it. The longer such a policy is delayed, the longer the data can be used in whatever way IT and marketing feel like using it.

This is not to suggest a deliberate, conscious decision, but more of a convenient avoidance for as long as physically possible.

/zimages/7/28571.gifIT professionals say they cant stop data breaches. Click here to read more.

Greg Buzek, president of retail consultancy IHL, equates the retail data privacy approach with avoiding a physician visit.

"Its kind of like going to the doctor. If youre fat, you dont want to go to the doctor because youre afraid of what the doctor is going to say or the labs are going to say, even though youre the very person who should be going to the doctor," Buzek said. "That kind of effect occurs here when it comes to retail data security. Man, if we go into this and we really dig into this, are we ready to find out what we will find out?"

Some of this avoidance can be seen internally, when the warning calls of technical managers are consistently, repeatedly and inexplicably ignored. "Whether its an IT employee or someone in network engineering, theyll tell you that they see the value, that they have certainly been shouting warning calls within their organization, but that the warning is falling on deaf ears," Rowen said.

Next Page: IT cant protect data it cant find.