• January 1, 2006
  • By Marshall Lager, founder and managing principal, Third Idea Consulting; contributor, CRM magazine

Safe Secrets

Article Featured Image
Benjamin Franklin famously observed, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." That nugget of wisdom is just as apt today as it was then, and its application has extended beyond politics to commerce. The world economy is fueled in part by information. Easy access to information seems to make us vulnerable, but restricting the flow of data to protect privacy is a short-term solution that can have disastrous consequences for business and, ultimately, us. Here's the deal: As our credit scores and contact information become ever more tightly intertwined, and marketers and vendors gather more information about us to understand their customer base, the average Joe (as well as Joe's Widgets Inc.) becomes more vulnerable to privacy violation and worse. Readers of CRM during 2005 will recall reports on a number of large-scale thefts of employee and customer data from supposedly secure systems; more than 40 million Visa and MasterCard customers who thought their payment cards were secure received a rude awakening in July, and that's just one of the many cases in which individuals and businesses were exposed to identity theft, fraud misrepresentation, or other woes. Solutions to the data security problem exist, but many are intrusive themselves, not to mention occasionally inconvenient. One of the classic examples, having a credit card transaction denied at the point of sale because the card issuer thinks you might not be the rightful user, has happened to more than one CRM staffer. When Google debuted its free Web-analytics tools in November 2005, the announcement included the disclaimer that no information gathered would be seen or used by Google personnel, only by users of the tools--partially through fear of negative press surrounding the entire topic of Orwellian information security. So, what's an honest capitalist to do? Do the Right Thing "In order to determine who to market to, we must collect data on them," says Mike Schiff, president and principal analyst, MAS Strategies. "What do you do in order to make that data useful and not [anger] the consumer?" Some of the advice Schiff gives may seem basic, but it's amazing how many organizations aren't following it. "You must give them the ability to opt out," Schiff says. This is not just a good policy, it's also the law. Schiff also advises that customers should have the ability to verify a company's identity, since tactics like phishing rely upon misrepresentation. Two further bits of wisdom are closely related to one another, and ring true for anybody who has had to go through the process of multilevel customer service: "Don't ask for information you already have, and retain whatever you collect during a given session," Schiff says. The reasons are simple: In terms of security, customers get suspicious when you request information on them that should already be on file, again because of identity theft. For company metrics purposes, there's no point collecting data if you're not going to put it to use. Last, there's convenience and the appearance of competence. "People can't stand reading off their information repeatedly to service personnel, or keying it in through the phone only to have to verify it verbally later. And if you force them to give out personal information, they'll make something up," Schiff says. "I've done it myself when the local pharmacy tries to sign me up for their loyalty program, or when a department store offers a discount for signing up for the store credit card." Similar anecdotes abound, which brings up another question: If your loyalty program is partly intended to let you gather point of sale data, what good is it if customers have an incentive to lie? For that matter, what about those times when the cashier or other agent gives you the loyalty discount even when you've forgotten your program ID card? Unless the cashier has a special "null set" card, one that contains no data or alerts the system that nothing is to be gathered, the transaction is tossing garbage into the database. Internal and External Disruptions
Some companies are turning to data warehousing as one solution to their info-security problem. By hosting information offsite at secure, heavily encrypted, redundant facilities, the owners of the data gain some measure of safety--and a place to lay blame should something go wrong--without having to invest any resources other than money. Providers of this sort of security range from specialists like Knightsbridge and WatchGuard, all the way to megacorporations like Computer Associates, IBM, and Intel. A perfectly secure system is one that is completely closed, meaning nobody can put anything in or get anything out. This means it's useless as a resource. "There will always be a trade off between security and access," says Wayne Eckerson, director of research and services for The Data Warehousing Institute. "Every company must decide at what point they feel comfortable." That comfort point is not easily defined. "Most businesses want fairly open access--you must make it easy for customers to do business with you. It becomes an issue of how much information and credentials a user must present," Eckerson says. He notes one case where a bank has begun issuing an electronic key chain with a constantly updating security code for account access. Without the key chain, a person can't transact with an ATM or online banking service. This is one of the uses of smartcards that proponents tout as a security benefit, but the inconvenience of losing, forgetting, or damaging your key chain must be considered as well. Today's private consumers are much like businesses from the middle to late 1990s, in regard to data protection and storage. According to the IDC report "Home Data Protection, 2005," consumers say they are concerned with information loss due to catastrophe or theft, but most are doing little or nothing about it. This is creating an opportunity for businesses to cater to the data protection needs of consumers, as well as other enterprises. "Consumer and business needs are the same, in that there has always been a lot of un- and underprotected commercial data, just as we're seeing now with consumers," says report author Robert Gray, vice president of worldwide storage systems research for IDC. The issue is not confined to the United States, either. "Japan SMB Total IT Security Investment and Security-Related Service Spending Forecast," a September 2005 report by AMI-Partners, indicates a likely 13.3 percent CAGR in the sector through 2009, reaching $1.5 billion by that point. Much of the increased spending, according to report author Yuki Uehara, will be due to the effects of Japan's Personal Data Protection Law. That law, which went into effect in April 2005, imposes fines on business owners and managers of companies that expose consumer data. "Since a failure to satisfactorily protect customer contact data will result in legal penalties, Japan SMBs are now desperate to upgrade outdated or inadequate products and services to more effective solutions," Uehara says. Spending on so-called edgeware (security applications to prevent outsiders from gaining access) is only part of the picture. "Much data crime is done inside the company with human hands, so SMBs in Japan must also adopt access controls and log-analysis systems," Uehara says. Another AMI-Partners report from July 2005 showed a 36 percent jump in security-related expenditures by Canadian businesses in 2004. Senior Analyst Jennifer Chu, the report's author, says, "Like many of their peers from established and emerging economies who are grappling with security threats, there is a realization that a solid commitment must be made in order to adequately protect their businesses." Eckerson sums up the places where customer data needs to have safeguards as database security, application security, access control, and password protection and logon. But IT is only part of the solution to data safety. "Once data is collected closing external threats is difficult enough. Controlling it on the inside is even harder," Eckerson says. Most research shows that up to half of all data crime is an inside job. "[The Sarbanes-Oxley Act] has shed a lot of light on what sort of processes are needed to secure data within an organization." One example he cites is splitting processes for fraud prevention, so that no individual has complete control of a record. "For instance, one person can't both complete a transaction and make a general ledger entry." Even here, technology can help. A September 2005 report from Gartner suggested that something as simple as setting timed logouts for unattended computers is as important as any firewall or spyware blocker. "Unattended PCs represent the computer security equivalent of low-hanging fruit," says Jay Heiser, Gartner research vice president. By sitting down at somebody else's computer, a miscreant bypasses most security measures, since they're not intended to stop an authorized user from gaining access. Said creep can then view confidential information, alter figures, or bypass approval processes. "The excuse [that] 'Someone else must have sat at my PC' has become...typical," Heiser says. Time-outs for inactive sessions would limit the window of opportunity for abuse, and are built into most operating systems. Community Awareness Customers want to receive prompt, personal service no matter what channel they come from. But it's just as important that merchants leave them alone when they wish. To better understand customer preferences, both for their convenience and for business planning, companies must collect data on consumer habits, preferences, and patterns. That data drives the metrics that help businesses grow and change, but it's absolutely crucial to make sure that any information gathered on customers remains tightly locked within an organization's data structure so that nobody--whether employee or hacker--can make improper use of it. Protecting data is not a simple task; outsiders who seek sensitive info use sophisticated software, deception, bribes, and whatever else they can to get a look. And that's only half the problem; the other half is, the people who will misuse customer information are employees whose job it is to work with it. This state of affairs has made consumers jumpy whenever talk of data security or identity theft comes up, and rightfully so. Business has responded by taking more steps to lock up customer information; some, like credit card issuers, even sell that safety back to customers as a service. But in the end, education is as important as passwords and firewalls. Employees must learn that they make themselves and the company liable to legal action if they leave customer data unguarded. And consumers must be made aware of what information is being collected on them, and for what purposes. They should also know about what data will not be collected or used, so that they can spot shady dealings more easily. Reaching out to individuals is a smarter way to do this than waiting for a horror story of data theft and lives ruined through fraud. "It's a wise move to alert consumers to how their data is used before the media does," Schiff says. "It's better to come out and say, 'Oh, by the way, your GPS unit can be used to track you,' than to have them find out on the six o'clock news." It's clear that businesses and governments must establish reasonable guidelines and stick to them. Failure will result in the application of another Franklin observation: "We must all hang together, or assuredly we shall all hang separately." Contact Senior Writer Marshall Lager at mlager@destinationCRM.com
CRM Covers
for qualified subscribers
Subscribe Now Current Issue Past Issues

Related Articles

Two Newspapers Deliver Privacy Breaches

Management is taking steps to prevent misused information; analyst says the mishap likely won't affect reader loyalty.