Every time you fill out a Web form or talk to a customer service representative and provide personal data, youre taking a leap of faith.
As a customer, you are trusting that your data will be kept in good care. Youre trusting that posted data protection and usage policies will be followed. Youre trusting that data will be protected responsibly and used for the purposes for which it was collected.
Thats a lot of trusting. As an IT professional, you need to ask if that trust has been earned.
Despite the steady rise in the profile of IT security, it has been only in the past year that Ive seen proper attention paid to security for data repositories. Credit card or Social Security numbers are in flight for just a click; however, they are then salted away for years by multiple organizations in environments that have a much greater risk of data loss than transmission over the Internet does. Its the insecure storage of sensitive data that is IT securitys greatest failing.
Just last month, Wired News reported one more example of this. A security bug was discovered in Apple Computers online store that would have allowed an attacker to easily impersonate another user and then order goods or online music from the store with the users stored credit card number.
Is it really worth the risk to keep critical customer data permanently on file? American Express Private Payments option, which lets users submit one-time transaction IDs in the place of credit card numbers, is an excellent approach. Another is to ask users to enter only a portion of a credit card number at checkout time so the entire number does not need to be stored.
Alternatively, consider the idea of immediately encrypting each credit card record stored with the processing credit card companys public key. Sure, you cant access it, but neither can anyone else who doesnt have a need to know—only the credit card company will be able to decrypt it.
Theres no argument from me that application and data security is not hard. What we need is a new resolve to take responsibility. If we dont, that resolve will come from the long arm of the law.
The most aggressive legislature in the country on data protection law is that of the state of California, which is setting de facto national policy in this area. Last year, Bill SB 168 set the pace with the requirement that starting July 1, 2002, California persons or entities other than state or local government agencies could not use Social Security numbers as access mechanisms for a Web site unless in combination with a password or other authentication system.
This year, California is again shaking the branches with SB 1386, a bill that goes into force just weeks from now on July 1. It requires any organization conducting business in California or—and this is a big “or”—storing personal information on any California resident to disclose to those customers when personal data is reasonably believed to have been compromised.
The brand damage done by telling customers that a break-in has occurred, combined with the risk of lawsuits in case of noncompliance, add up to a powerful incentive to be serious about attack defenses and data encryption to limit damage if a break-in does occur. In addition, SB 1386 even exempts companies that have encrypted customer data from the notification requirement—one more example where this legislation makes good sense easier to cost-justify.
Meanwhile, proposed federal legislation may introduce nationwide data protection requirements. Bill S.228, the Social Security Number Misuse Prevention Act, prevents commercial entities from collecting Social Security numbers entirely in many cases. Bill S.223, the Identity Theft Prevention Act, tackles the credit card number problem by requiring any business that accepts credit cards to include no more than the last five digits of the card number or the expiration date on an electronic transaction receipt.
Customers and business partners depend on IT staff every day to do the right thing with their data. Dont let legislation define your security agenda. Stay ahead of the curve by protecting data like it was your own.
Finally, as I mentioned two weeks ago in this space, Im leaving eWEEK to attend seminary and then to pursue opportunities in the nonprofit sector. Goodbye and Godspeed to you, gentle reader, in your daily pursuits.