01/04 - Is your customer data secure from information hijackers?

If you keep information about your customers, soon you may be responsible for keeping it safe from hackers and identity thieves.

Privacy laws dictate what businesses can do with the personal information that they collect from their customers, but until now, no legal obligations have been imposed on how companies maintain this information within their databases. A new California law requires companies and government agencies to notify consumers when the security of databases containing their personal information is compromised. This is just the first of new legal obligations to ensure that business owners take responsibility for protecting the customer data they collect and store.

California companies are not the only ones being singled out to assume responsibility for the security of the data they maintain. Senator Dianne Feinstein has introduced federal legislation, entitled the “Notification of Risk to Personal Data Act,” modeled after the California law. If enacted, a violation of the proposed federal law could result in fines by the FTC of $5,000 per violation or up to $25,000 per day. In addition, State Attorneys General could bring enforcement actions.

Many retail home furnishings companies now maintain databases of customer information. This information may include an individual’s name, address, telephone number, email address, birth date, credit card number, passwords (such as mother’s maiden name or birth date) and shopping preferences. The database also may include other information that is useful to accurately record transactions and for direct marketing and market research.

California’s legislature has recognized that the widespread collection of personal information puts the privacy and financial security of individuals whose information is being collected increasingly at risk. Recent security breaches by hackers and break-ins at company facilities have prompted the public increasingly to demand that companies protect the personal information they collect.

Electronic crime on the rise; businesses slow to respond
Threats to the security of information a business keeps come from a wide variety of sources, from computer hackers to disgruntled employees. During 2002, the Federal Trade Commission (FTC) received 161,819 reports from victims of identity theft and, in California, identity theft is one of the fastest growing crimes. In most cases, the victim doesn’t know how the information was stolen. Unlike other instances in which the victim is notified by authorities when a crime occurs, victims of identity theft often don’t know that their personal information has been taken. In addition, victims of identity theft are not aware of the crime for months and can do little to prevent the misuse of their personal data.

Increasingly sophisticated electronic intruders and increased dependence on databases to store vast amounts of information together create a security risk that businesses cannot afford to ignore. Data security is now a top management priority for most large-cap companies. Corporate IT departments have the task of putting comprehensive security plans and controls into place.

The situation is very different in small and mid-size businesses (SMBs). SMBs traditionally have under-invested in safeguarding against what they consider to be unlikely risks. This under-investment is illustrated in SMBs’ reluctance to implement business continuity and disaster recovery planning. Even after the events of September 11, only 35 percent of SMBs have comprehensive disaster recovery plans in place and fewer than 10 percent have crisis management, contingency, business recovery and business resumption plans.

Just like disaster recovery and business continuity measures, database security solutions can be expensive, and their implementation requires an investment in managing risks that businesses perceive to be remote. As such, small and mid-size companies are particularly susceptible to breaches of their databases at a time when legal obligations for data security are beginning to take shape.


©2005 GimmeTheBest, LLC.