Sunday, January 08, 2006
Laws, Breaches Lend Urgency to Retail Security
By Jaikumar Vijayan at ComputerWorld
Growing privacy concerns and emerging laws governing the use of sensitive personal information are increasing the pressure on retailers to make sure that their data security practices are rock-solid, according to IT managers at a conference here last week.
They added that an inability to demonstrate due diligence on security could expose companies to serious reputational damage, financial losses and increased customer churn.
Brian Kilcourse, a former retail industry CIO who is now a consultant at Retail Systems Alert Group Inc. in Newton, Mass., said a survey of 71 retailers conducted by the firm last summer showed that companies are increasingly associating demographic information and transaction-level data with customer profiles.
Kilcourse said that while many retailers have assigned responsibility for ensuring the security and integrity of that data, the information often isn't encrypted, and queries aren't well controlled. Similarly, companies aren't always capturing forensic data about the creation of customer information and its retrieval by end users, added Kilcourse, whose firm organized last week's Retail Data Security Forum.
Demand for ROI
Within information security organizations, there's a broad understanding of what needs to be done to fix such issues, said the IT security director at a major franchise chain based in the Midwest.
"The problem is the executive sponsorship," said the security director, who requested anonymity. Although the series of high-profile data compromises that have come to light this year have raised overall awareness of the stakes involved, there still is an unwillingness to invest in security projects "without a clear, demonstrable ROI," he said.
Even so, retailers overall have done a relatively decent job of protecting consumer data, said Bob Belair, a partner at Washington-based law firm Oldaker, Biden & Belair LLP. Going forward, the key is for companies to be able to prove that they have invested an appropriate amount of time and resources in securing their data, he said.
That means having a formal information security plan spelling out protections that are commensurate with the sensitivity of the data at risk, according to Belair. He advised that such a plan also has to be dynamic so companies can respond to changing security threats. In addition, it should include processes for periodic security reviews and audits, and for training workers who handle consumer data, he said.
"If you do all these things and a hacker still breaks in, chances are you aren't liable, because you've acted in a reasonable manner that met the relevant metrics," Belair said.
The director of information security at a California-based specialty retailer with about 400 stores said that distinguishing between sensitive information that's covered by regulatory requirements and confidential data, such as information about intellectual property, is critical to the process of identifying the key data assets that need to be protected.
The security director, who asked not to be identified, said his company is working to encrypt all of the regulated data on its networks via a system that's based on public-key infrastructure technology.
Michele DeMaree, president of DeMaree Consulting Inc. in Colorado Springs, said it's also important to form cross-functional teams, develop a process for assessing risks by measuring the frequency of policy violations against customer data and other information, and educate business managers about the risks to their data.