Magazine article Information Today

Protecting Private Information

Article excerpt

Al Decker, executive director of security and privacy services for Electronic Data Services (EDS), the Plano, Texas-based business and technology services company, is one of three people in charge of security at his company. While he oversees design of security solutions for EDS customers, another executive checks the security of these designs, and another oversees company security.

This separation of duties is one of the many policies and procedures that Decker and other security experts rely on to protect customer information. While security breaches in technology get the majority of the headlines, secure technology is only one part of the formula to protect customer information from getting into the wrong hands, according to Decker and other security experts.

"A lot of times companies start their [security plans] with the technology, but then they rely just on the technology," Decker said. "Security plans need to include people, processes, and technology. People in the organization need to have the cultural mindset toward security."

Indeed, technology wasn't the culprit in the recent, well-publicized information database compromises at ChoicePoint, Bank of America, and a handful of universities.

Poor Policies Lead to Fraud

ChoicePoint reported that the personal information of 145,000 Americans may have been compromised in its breach, in which con men posing as businessmen looking to do background checks on their customers were given access to its credit information database. The company reported that about 750 of those people whose information was released were defrauded.

CEO Derek Smith and company president Douglas Curling earned $16.6 million from sales in ChoicePoint stock after the company learned of the breach and before it was made public. Soon after the ChoicePoint leak became public, Bank of America divulged that backup tapes containing the financial information of government employees were lost while being shipped to a data warehouse.

The Federal Trade Commission estimates that 10 million people were victims of identity theft in 2002, the most recent year for which it has data. According to Gartner, Inc., 9.4 million online U.S. adults were victimized between April 2003 and April 2004. The losses amounted to $11.7 billion.

Proper Database Protection

In spite of these breaches, there are a number of companies providing strong protection for their customer information systems.

Many firms are reticent to discuss their security policies and procedures because they don't want to give potential hackers any advice. Others decline to discuss security issues, because they don't want their companies to become targets. (Saying a company has strong security presents the type of challenge some hackers love.)

Yet Decker discussed some of EDS's security procedures as well as what the company recommends to its clients, many of whom are financial institutions or healthcare facilities with sensitive customer information. Most that are doing good jobs protecting customer information are following many of the same "best practice" precautions that security experts recommend for all companies.

In addition to the separation of security duties, the culture of the company may be one of the most important aspects in protecting sensitive information, according to Decker.

"Employees have to understand a company's security policies and procedures, and they have to follow them," Decker said. The security policies need to be enforced, even on seemingly trivial items, to ensure that bigger breaches are prevented. So someone who uses a badge to access a room, for example, shouldn't hold the door open for someone behind him unless the second person has a proper badge as well. If someone needs a password to access certain parts of a company's network (i.e., a customer information database), he shouldn't be able to "sweet talk" an administrative assistant or other employee into giving him access to the information without the password. …
