[ISN] Retailers under pressure to tighten security

InfoSec News isn at c4i.org
Mon Nov 7 03:10:17 EST 2005


http://www.computerworld.com/securitytopics/security/story/0,10801,105954,00.html

By Jaikumar Vijayan 
NOVEMBER 04, 2005
COMPUTERWORLD

CHICAGO -- Privacy concerns and proposed laws governing the use of
sensitive personal information are making it more important for
retailers to be able to demonstrate due diligence when it comes to
information security practices, according to IT managers at the Retail
Data Security Forum here this week. An inability to do so could expose
companies to serious damage to their reputations, financial losses and
customer churn, they said.

"The brand can suffer real consequences" from a security breach, said
Brian Kilcourse, chief strategist at the Retail Systems Alert Group,
the Newton, Mass.-based organizer of this week's forum. "In the eyes
of the customer, if their data is compromised, the retailer is legally
and ethically bound to report that breach."

The issue is particularly urgent given that a survey by the Retail
Systems Alert Group shows that retailers are amassing a growing amount
of information on their customers, Kilcourse said. Increasingly,
retailers are associating demographic information and
transaction-level details to customer profiles -- even though they
don't appear to be using the data to deliver specialized services for
customers, he said.

While many retailers have worked to ensure the security and integrity
of the data, queries to it in many cases are not well controlled, and
the data itself is not encrypted, he said. Similarly, forensic data
related to the creation and retrieval of customer information is not
captured, Kilcourse said.

Information security executives understand what needs to be done to
fix such issues, said the IT security director at a major Midwestern
franchise chain, who requested anonymity.

"The problem is the executive sponsorship" for the investments needed
to bolster security, he said. While high-profile data compromises such
as those involving ChoicePoint Inc. and BJs Wholesale Club last year
have raised awareness of the stakes involved, there still is an
unwillingness to invest in security "without a clear demonstrable
ROI," he said.

Even so, retailers have done a relatively good job of protecting
consumer data so far, said Bob Belair, a partner with the
Washington-based law firm of Oldaker, Biden & Belair.

The key now is being able to show that companies have done all they
can to protect their consumer data, he said. That means having a
formal information security plan that embodies protections
commensurate with the sensitivity of the information at risk, he said.  
Such a plan has to be dynamic to a changing threat environment and
should include processes for periodic reviews and audits. There also
needs to be clear accountability and processes for training and
educating those who handle consumer data, he said.

"You do all these things and a hacker still breaks in, chances are you
are not liable because you have acted in a reasonable manner," Belair
said.

There are four initial steps companies can take to mitigate the risk
of a data security breach, Michele DeMaree, president of DeMaree
Consulting Inc., said during a presentation at the show. The first is
to identify key data assets and determine what information needs to be
protected. The second is to create cross functional teams to deal with
privacy, security, legal and compliance issues. The third step is to
begin assessing risk by measuring the frequency of policy violations
against customer data and other information assets. And finally,
companies need to educate data owners about risks.





More information about the ISN mailing list