Solutions remain elusive, but not for lack of trying. California's sweeping database-protection law, which went into effect July 1, requires public disclosure of computer-security breaches in which confidential information may have been compromised. The goal is to encourage companies to encrypt customer data so criminals can't steal it. If companies don't encrypt the data and fail to disclose a breach, they could be liable for civil damages or face class actions.
And on Oct. 28, the Financial Services Roundtable, which represents 100 institutions handling about 70% of the economy's financial transactions, announced a clearinghouse to help victims of identity theft minimize the havoc. Victims can make one phone call, and the clearinghouse will help them obtain an affidavit that can be sent to law-enforcement officials, credit-card companies, credit bureaus, and financial institutions.
Such moves may not be enough, however, thinks IBM Chief Privacy Officer Harriet Pearson. Businesses need to do more -- and fast. "The marketplace has to step up to the plate on the issue.... Any company that fails to do what is necessary to help protect consumers is putting their reputation at risk," she says.
A former attorney, Pearson is now responsible for designing information-collection and -use policies and practices across Big Blue. On Nov. 7, she spoke with me about how she believes IBM (IBM) and other corporations can help staunch the data-crime wave. Edited excerpts of our conversation follow:
Q: Why haven't companies' security practices kept pace with technological advances?
A: [Having knowledge] of a potential security breach is a lot less common than it might appear. Roughly 50% of malicious hacker attacks go undetected by business. You can't fix a problem you don't know you have.
Last week, we released a study conducted from Sept. 15 to Sept. 26 on the 242 financial-services companies in the BusinessWeek Global 1000. It revealed that two-thirds of the financial-service firms collect sensitive personal data on their Web sites but don't use any security features to protect that data.
People are being asked to give a Social Security number, and it isn't encrypted or protected.... If you're in business to serve your customer and you have a trusted relationship, it's good business to manage the assets and information that the customers entrust to you.
Businesses need to look at it through the eyes of the consumer. They hear about ID theft either by experiencing it personally or through friends and family. They suffer through the long process of trying to regain control of their identities. If something isn't done, consumers will get so skittish that it will begin to affect behavior [to avoid doing business with irresponsible companies].
Q: Where should companies begin to prevent ID theft?
A: The first step is to recognize that many breaches are generated by employees and former employees. Employers need to look at what kind of information is displayed and how it's shared. If it's data on paper, are there security policies that restrict access?
In hundreds of small offices, it's common to have customer information, even credit-card numbers, in file cabinets or lying around. Are cabinets locked? [Security] doesn't need to be fancy. We think of it as basic hygiene.
If the data is stored electronically, do you immediately shut down computer accounts of employees who leave? With employee turnover running at 100% in industries like retail, it's not unusual for 20% of company accounts to belong to employees who haven't worked for the organization for five years or longer. These [unexpired] accounts allow former employees to roam freely inside the enterprise.
Q: What about with current staff?
A: One way to encourage staff responsibility is to help them look out for their own data. That's what our health-insurance initiative was all about. We knew our own data-management practices were good. But when we looked at how vendors were managing people's personal info, we were disappointed.
In particular, we worked with 150 health-insurance plans that serve our 500,000 employees and dependents. We asked them not to print Social Security numbers on ID cards and in correspondence that could be intercepted in the mail. We made it clear that any health plan that wanted our business would limit the visible use of SSNs. Again, it's the hygiene factor. Access to data must be limited to what's necessary.
Q: Is IBM developing software or safeguards to help companies?
A: We do have a privacy-research institute. This summer, I sponsored a project with an MBA student and several masters and PhD candidates in computer science to develop a Hippocratic database. It's a very visual program that collects information about me as a patient - blood type, mental history, age, medical history - but only releases it to people who need it.
So if I go to the emergency room, I want everyone to see everything about me. But at the pharmacy, I want them to see [only] what specific drug has been prescribed. Months later, when a health researcher is scanning information that covers a group of people with a disease, I only want them to see my gender, age, condition. There's absolutely no need to see the name.
It's not yet a commercial product. Right now we're working with our own database division to show that it has potential in the marketplace. It's very hard to find people using databases that allow that granular a restriction of content.
Q: These are huge projects for any organization, no?
A: As with most things that are worth doing, I wouldn't say it's easy, but the result is worth having. Knowing where your information is flowing and how assets are managed is increasingly a [measure] of your own company's trustworthiness.
Imagine not knowing where your inventory was. It's the same sort of thing now with information.

Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column.
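The purpose-limited disclosure Pearson describes for the Hippocratic database (the emergency room sees everything, the pharmacy sees only the prescription, a researcher sees only gender, age and condition) can be sketched as a policy table applied to a record. This is an added illustration written for this page, not IBM's research code; the purpose names, field names and patient record are constructed.

```python
"""Purpose-based disclosure filter in the spirit of the Hippocratic database
described in the interview: one patient record, released field by field
according to the stated purpose of the request. Added illustration, not IBM's
code; purposes, field names and the sample record are all constructed."""

# Constructed patient record (not real data).
PATIENT = {
    "name": "A. Sample",
    "gender": "F",
    "age": 42,
    "blood_type": "O-",
    "condition": "type 2 diabetes",
    "medical_history": ["appendectomy 1998"],
    "mental_history": [],
    "prescription": "metformin 500 mg",
}

# Each purpose maps to the fields it may see. Anything not listed is withheld,
# and a purpose with no policy entry gets nothing at all (deny by default).
PURPOSE_POLICY = {
    "emergency_care": set(PATIENT),                          # ER: whole record
    "dispense_prescription": {"prescription"},               # pharmacy: drug only
    "population_research": {"gender", "age", "condition"},   # no identifiers
}

AUDIT_LOG = []  # (requester, purpose, fields released or "DENIED")


def disclose(record, purpose, requester):
    """Return only the fields the stated purpose permits, logging each release."""
    allowed = PURPOSE_POLICY.get(purpose)
    if allowed is None:
        AUDIT_LOG.append((requester, purpose, "DENIED"))
        raise PermissionError(f"no disclosure policy for purpose {purpose!r}")
    view = {field: value for field, value in record.items() if field in allowed}
    AUDIT_LOG.append((requester, purpose, sorted(view)))
    return view


if __name__ == "__main__":
    print(disclose(PATIENT, "dispense_prescription", "pharmacy-17"))
    print(disclose(PATIENT, "population_research", "study-0042"))
    print(AUDIT_LOG)
```

The audit log records who received which fields for what purpose, which is the kind of "knowing where your information is flowing" Pearson refers to.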