This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
If the risk of losing customer or partner information outweighs its value, why collect it in the first place?
"No sweat," says the cashier. Within 30 days, all returns are refunded with a receipt.
So I bring it back the same day and explain the situation. No sweat. Same cashier takes my receipt and starts typing away. After about four minutes, she looks up and says: "Name, address, phone number." "Why?" I ask. It was a cash transaction. Her brilliant answer: "Because you're returning the game."
Oh, I get it: In order to get my five bucks back, I have to trust, as a consumer, that your security house is in order and that some hacker won't inject some malicious SQL code onto your Web site, waltz into your database and steal my personal information? Seriously, this is what runs through my paranoid mind at this point. In the end, however, I stop short of asking for their IPS logs, give up the goods, and in classic security by obscurity fashion, I start praying that some day I don't get caught up as an innocent bystander in a TJX-style
This is Case-in-Point A of a franchise that collects too much needless information from its customers. TJX, for example, was spanked for exactly the same thing. "The company collected too much personal information, kept it too long and relied on weak encryption to protect it." Those were the words uttered last September by Jennifer Stoddart, privacy commissioner of Canada.
That quote should not only be embossed in neon in the CISO office of every major corporation in America, but tattooed on the torso of every marketing manager as well. If it's time to walk the walk when it comes to the alignment of security and business, this is the perfect place to start.
Is your company collecting Social Security numbers from customers? If so, do you really need that kind of identifier? (The answer is no.) What data are you grabbing from the magnetic strips on credit cards? How are you storing it? More importantly, why?
Ask yourself these questions about any type of customer or partner information your organization collects. Better yet, ask your marketing and sales people whether this data is worth the risk of losing it in a breach, or if a backup tape falls off an Iron Mountain truck.
The notion of limits on data collection is nothing new. In 1980, the Organization for Economic Cooperation and Development established eight basic principles within its privacy guidelines, and the top two hold that there should be limits on data collection, including on how it is obtained, and that data should be relevant to the purpose for which it is collected.
Today, the Payment Card Industry Data Security Standard and the updated Federal Rules of Civil Procedure impose specific rules on how data should be treated. PCI mandates encryption and restrictions on physical access to data. Reading between the lines of the new FRCP e-discovery rules, you're encouraged not to collect and store reams of data indefinitely.
Starting here, you'll read which security products won our annual Readers' Choice Awards. We hand out gold, silver and bronze awards in 16 categories, covering the gamut of tools from antimalware to wireless security. Each product we surveyed our readers about could be a critical facet of any organization's data protection efforts. But your most important tool just might be the piece of paper on which you map out your data collection policies and processes.
Take my advice. I promise not to take your name, address and phone number.
Michael S. Mimoso is editor of Information Security. Send comments on this column to feedback@infosecuritymag.com.
This was first published in April 2008.