Sometimes, I’m sure, folks out there think we’re in the scaremongering business. Take, for instance, the notion that failing to protect your customers’ Personally Identifiable Information (PII) can expose your organization to both direct *and* indirect costs. You can find this notion in ad copy and whitepapers from almost all security vendors, us included. And certainly the former, the direct costs, are well explored in many research reports such as the annual Cost of a Data Breach report from the Ponemon Institute. But the latter, the indirect costs? Well, that’s a little more nebulous.

But no more. Earlier this month, the Federal Trade Commission (FTC) reached an agreement with Compgeeks, which runs Geeks.com and Computer Geeks Discount Outlet, and its parent company Genica regarding the loss of customer data during the first half of 2007. [See the FTC's complaint and settlement for details (warning: PDF files).] In addition to agreeing to not make any “deceptive privacy and data security claims” (useful how?) and establishing a security policy (sounds reasonable), Compgeeks/Genica agreed to submit to third-party audits every two years for the next 10 years. Wow! That’s 10 years of having the Feds in your pocket, asking tough questions which will take actual cash, not to mention management & operational time and resources, to answer.

[Oh, and BTW … we don’t know yet what it will cost them to get back in the good graces of Visa and the Payment Card Industry (PCI), but this will undoubtedly add to both the direct and indirect cost columns.]

Sure, the FTC could have simply fined them and been done with it. But how would that have improved security? Indeed, this feels to me like a case of teaching a man to fish, rather than simply giving him a fish. In this case, one can hope that this will lead to security being woven into the company’s DNA, becoming just a routine housekeeping thing instead of some extraordinary feat. Of course, the devil’s in the details … will they get into the spirit of the agreement or will they merely follow the letter of it, falling off the wagon between audits … but one can be hopeful. So, as a consumer and as someone involved in the security arena, I rather like this approach.

Anyhow, what do we learn from this? I see a few things which apply to (particularly online) retail businesses:

  • Only collect the data you really need to complete a transaction.
  • Don’t treat all information collected as a monolithic entity; it should be easy to separate out the necessary (e.g., e-mail addresses) from the unnecessary (e.g., card verification numbers) … and then only hold onto that data which is needed for some (future) business purpose.
  • Protect that data which you do hold onto (encryption, access controls, copy limits, etc…).
  • Don’t hold onto data indefinitely (or, put another way, implement an information lifecycle management plan).
  • Recognize that there are both direct costs (e.g., notification, credit monitoring, etc…) and indirect costs (e.g., loss of business and customer trust) associated with a data breach incident, and that the FTC will get all up in your grill if you’re not taking reasonable care.
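One way to put the first four points into practice, as an added Python example (not code from this post, nor anything Compgeeks/Genica run): a per-field policy that keeps, masks, or drops each value collected at checkout, plus a retention sweep that purges completed orders after a fixed window. The field names, the 90-day window and the sample order are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Per-field policy: keep as-is, keep a masked form, or never store at all.
# Field names and the 90-day window are assumptions made for this example.
KEEP, MASK, DROP = "keep", "mask", "drop"
FIELD_POLICY = {
    "order_id": KEEP,
    "email": KEEP,        # needed to confirm and ship the order
    "card_number": MASK,  # only the last four digits are retained
    "card_cvv": DROP,     # never stored once authorization has been requested
    "shipping_address": KEEP,
}
RETENTION = timedelta(days=90)

def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"

def minimize_record(raw: dict) -> dict:
    """Apply FIELD_POLICY; a field with no policy is dropped, not kept by default."""
    out = {}
    for name, value in raw.items():
        policy = FIELD_POLICY.get(name, DROP)
        if policy == KEEP:
            out[name] = value
        elif policy == MASK:
            out[name] = mask_pan(value)
    return out

def purge_expired(records: list, now: datetime) -> list:
    """Return only records still inside the retention window."""
    return [r for r in records if now - r["completed_at"] <= RETENTION]

# Constructed sample: a raw checkout as it might arrive from the order form.
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "email": "customer@example.com",
    "card_number": "4111 1111 1111 1111",
    "card_cvv": "123",
    "shipping_address": "1 Example St",
    "session_cookie": "abc",  # no policy entry, so it is dropped
}

def demo_purge() -> list:
    """Constructed check: one order 120 days old, one 10 days old."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    records = [{"order_id": "A-0900", "completed_at": now - timedelta(days=120)},
               {"order_id": "A-1001", "completed_at": now - timedelta(days=10)}]
    return [r["order_id"] for r in purge_expired(records, now)]
```

The deny-by-default lookup in `minimize_record` is the point: a new form field that nobody classified never reaches storage, which is the opposite of the "collect everything, sort it out later" habit the post argues against.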