By John Rendleman
Winter 2007
For companies in nearly every industry, protecting customer data is a new priority. “The falling cost of computing power means companies can easily and inexpensively collect and store voluminous databases about customers and their transactions,” says Vadim Lander, chief architect of security management at CA.
With an increasing number of transactions being conducted on the Internet, and with companies linking formerly isolated databases with other systems via the Net, significant amounts of information can now be obtained from a single system. “Even a single breach can have major consequences,” Lander says. In a rash of instances, this feared risk has become painful reality. Consider, for instance, the recent run of confidentiality breaches at U.S. agencies. In nearly all the cases, federal agencies failed to follow basic data-protection and data-privacy policies and procedures. This allowed confidential government records, some with data on tens of millions of citizens, to be either disclosed or lost. To use just one example, the Department of Commerce recently admitted to a congressional inquiry that more than 1,100 of its agency laptops had been misplaced or stolen since 2001. Of these misplaced computers, nearly 250 contained identity information that could be matched against individual U.S. citizens.
Running Risks
Security failures of this sort seriously damage the responsible agencies’ credibility. They also threaten to weaken the trust of citizens in their government. What’s more, agencies are forced to spend already limited resources investigating security breaches, responding to negative publicity and working with affected individuals to minimize their exposure to identity theft or worse. They also run the risk of financial liability for confidentiality violations as the targets of several pending class action lawsuits brought by angry citizens.
The problem extends to the private sector, too. Between 2003 and 2006 the number of security breaches increased by 17 percent, according to a study of 642 large North American organizations, conducted this year and sponsored by CA. Worse, nearly 85 percent of the enterprises surveyed suffered a security breach in the last year alone. Of these, more than half say they also suffered productivity slowdowns as a result. And a full quarter said they were publicly embarrassed, lost the trust or confidence of customers, or saw their reputations harmed as a result.
The increasing number of hacker attacks on corporations and the increasing sophistication of hacker techniques are among the biggest threats to computer security, according to market-research firm IDC. This threat will drive corporate spending on identity-access and identity management solutions, the technologies considered most crucial to preventing unauthorized disclosure of corporate data. In fact, IDC predicts worldwide spending on these technologies will reach $5.1 billion by 2010, up from $3.4 billion this year.
The job description of Michael Norelli, records-management project leader at Lorillard Tobacco Co., may not always have included protecting the privacy and security of customer data, but it certainly does today. “It’s just something you have to do,” he says. “It’s part of your job, a standard business procedure, no matter what your business.”
Lorillard is implementing a records management application from software supplier MDY (acquired by CA in June). The software is designed to assure the integrity, security and accessibility of company documents once they’re entered into the system, Norelli explains. To further protect the security of its systems, Lorillard also uses firewalls and makes sure that potentially sensitive data is maintained on computer systems that are not accessible via the Internet.
That’s because in today’s information intensive, customer-driven economy, companies collect and maintain more data about their customers than ever before. At the same time, companies are under new legal obligations to respect customers’ right to privacy and to handle customers’ confidential data responsibly. Businesses in a wide variety of industries have amassed vast databases of consumer information as a means of identifying and responding to customers. In so doing, they incur the responsibility of properly securing that information, not only to protect invaluable competitive assets, but also to prevent potentially serious liability for allowing disclosure of private personal data.
In response, many companies and public institutions have enacted data-handling policies and implemented security technologies to keep customer data safe. But security specialists, privacy advocates and corporate IT executives say the need to protect private customer data has become an even greater imperative. That’s become especially true in the last two years, they say, as companies scramble to respond to new legal demands and increasing public outcries over glaring breaches of data security. “We take data privacy very seriously,” says Charlene Wacenske, records manager at law firm Morrison & Foerster LLP. “It’s fundamentally part of what we offer.”
Key Concern
Protecting customer data is especially important for the firm, Wacenske adds, because client confidentiality is a key tenet of the legal profession. Also, several staff attorneys specialize in data privacy as part of their legal practice. The firm has created and implemented a set of internal data-protection policies, and a full-time committee is working on the firm’s data-privacy policies and procedures. That said, the issue of data protection and privacy has become even more critical lately in response to growing client sensitivity. “In the past two years, it’s been a key concern of clients,” Wacenske adds.
Companies are also starting to take a more proactive approach to protecting customer data to satisfy the requirements of new privacy regulations. These laws, passed in response to recent data thefts and threats, impose legal penalties and financial liability on companies that have failed to take adequate steps toward securing sensitive data. “Especially in the past, protecting customer data has been about avoidance, something that companies have done only when the cost of compliance exceeds the cost of avoidance,” Lander of CA says. “Today, that’s changing.”
The potential harm to a company’s reputation is another compelling argument in favor of imposing stricter data-security safeguards. As the public grows more anxious about the privacy and security of customer data, companies also try to prevent bad publicity arising from unintended disclosures.
“A single security breach could easily cost a company a substantial amount of money and its good name,” says Galina Datskovsky, a senior vice president of development at CA. But complying with data-protection laws and regulations is far from easy. Complicating the task are the large number and variety of rules that govern how companies can handle customer data. Individual states, the federal government — even other nations — have enacted laws concerning data protection and privacy.
California, for instance, requires companies to maintain employee records for five years. Although that’s an unusually long period, all companies doing business in the state must comply with the record-keeping requirement, Datskovsky explains.
Another complicating factor: Regulations can vary widely by sector. For example, U.S. federal government agencies and contractors must adhere to the federal Privacy Act of 1974. The principal law governing data privacy for financial services institutions is the 1999 Gramm-Leach-Bliley Act, which governs the collection and disclosure of consumers’ banking and other monetary records. In health care, the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, protects the confidentiality of patients’ medical records. Then there’s Sarbanes-Oxley, which technically enacts standards for how public companies handle financial records to prevent corporate fraud. But Sarbanes-Oxley also contains provisions on internal controls that bear on data integrity and security. These can serve as a best-practices guideline for securing a company’s computer systems and data to prevent alteration of, or unauthorized access to, sensitive data.
In fact, a comprehensive approach to protecting customer data and ensuring consumer privacy requires companies to adopt data confidentiality as an organization-wide goal, says John Sabo, manager for security, privacy and trust initiatives at CA. “The commitment should be reflected in the organization’s business processes and policies, all supported by the technical controls needed to secure its computer systems, networks and data,” he says. Sabo further believes that companies need to elevate the issue by appointing a chief privacy officer or a senior executive to institutionalize the management of these issues. “Information privacy,” he explains, “is both intellectually and practically complex, and closely related to, yet distinct from, computer security.”
Whatever solutions companies adopt to fulfill their privacy obligations, they must maintain the confidentiality of customer records, the integrity of stored documents and the availability of records for authorized purposes, Sabo adds.
Expanding on this advice, CA’s Lander advises CIOs to adopt a three-pronged approach to building strong protections. First, companies need to adopt business procedures and policies that properly safeguard customers’ confidential data. Second, they need to implement security technologies that provide full identity management and access controls over company data. Third, they should implement physical and network security measures to protect corporate computers, including firewalls, intrusion-detection systems and other barriers that block external access to a company’s most valuable and sensitive data.
For companies in every industry, that’s an ongoing prescription for ensuring the privacy and protection of customer data.
John Rendleman is a freelance writer based in Warrenton, Va. He has written for a variety of leading IT publications, including InformationWeek, Communications Week and PC Week.
Reasons To Be Careful
Crime Wave: Data attacks are on the rise. Security breaches increased by more than 15% between 2003 and 2006, finds IDC. Eighty-five percent of companies say they’ve been attacked in the last year alone.
Financial Losses: Companies face financial liability for losses due to stolen or lost customer data.
Government Regulations: A long list of recent state and federal laws raise the bar for corporate data-protection efforts.
Legal Risks: With growing public awareness of data losses, companies that fail to adequately protect customer data risk finding themselves in court.
Reputation: Organizations that lose customer data risk losing the trust of customers, suppliers, and other business partners.
Copyright © United Business Media LLC. All Rights Reserved. Copyright © CA, Inc. All Rights Reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.