Data-Breach Dilemma

Data breaches have become an unavoidable cost of doing business in the 21st century.

All companies—including retailers—claim to be adding security layers to protect mission-critical data. To ensure that companies take these protective precautions seriously, the government is subjecting offenders to sky-high fines or, worse, jail time. Despite these efforts, however, organizations are still susceptible to compromises.

While security breaches seemingly have been happening forever, in 2005 companies were legally required to report incidents. And the breadth of these events was scary.

In April, an estimated 1.4 million credit-card numbers were compromised through DSW Inc.’s point-of-sale systems. The same month, Ralph Lauren electronically lost 180,000 customer records. Even Wal-Mart Stores’ Sam’s Club division got nailed when an undisclosed number of customer account numbers was breached through a company-owned gas station in December.

Retailers didn’t fare any better in 2006. In June, an Ahold USA employee on a commercial flight lost a laptop with pension data of former employees, including Social Security numbers, birth dates and benefit amounts.

In August, a thief wielding a wireless laptop reportedly compromised data from at least two Dollar Tree locations. As a result, several of the discounter’s customers reported unauthorized withdrawals from their bank accounts.

Clearly, these incidents are unfortunate and everyone is eager to place blame. Rather than play the blame game, though, we have a bigger problem—not enough retailers are regularly monitoring who is accessing data.

If this sounds familiar, something needs to give. And the first step to warding off breaches is to take a hint from the Armed Forces: Operate the (retail) enterprise as a united front.

Too many company departments—as well as corporate brands—operate in vacuums. And each one tends to have its own data repositories.

Besides taking a toll on strategic decision-making processes and day-to-day operations, these silos are a breeding ground for data breaches. Retailers need to step back, pinpoint silos and begin integration efforts.

The first step is the hardest: Get buy-in from the entire enterprise—not just IT. To ensure that this happens, retailers need to create a team comprised of one member of each business unit. This team must work with IT to define the specific rules, safeguards and synchronization necessary to protect data.

Companies also need new safeguards to monitor who is accessing information, and when. Tried-and-true tactics are obviously not working.

Maybe it’s time to trade in passé passwords for biometrics-based systems. Unlike passwords, which can be shared, stolen or forgotten, biometrics authenticate individual employees and produce an accurate audit trail of their actions.

Finally, department members need to monitor activity and share it with their data-security champion.
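The monitoring steps above (watching who accesses information and when, then handing findings to the data-security champion) can be made concrete with a small audit-log review. The script below is an added example and is not from the column or any retailer named in it; the log format, user names, store hours, record-count baseline and the list of actions that always get reviewed are constructed assumptions, and the sample lines are made up.

```python
"""Flag access to customer records that a department should review.

Added example, not from the original column. The log format, the users,
the business hours and the thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit lines (not real data).
# Each line: ISO timestamp, user, action, customer record id, terminal.
SAMPLE_LOG = """\
2006-09-12T09:14:05 jdoe READ cust-10431 POS-07
2006-09-12T09:15:41 jdoe READ cust-10432 POS-07
2006-09-12T13:02:19 asmith READ cust-30555 POS-02
2006-09-12T22:47:10 mlee READ cust-20011 HQ-LAPTOP-3
2006-09-12T22:48:02 mlee READ cust-20012 HQ-LAPTOP-3
2006-09-12T22:49:33 mlee READ cust-20013 HQ-LAPTOP-3
2006-09-12T22:50:07 mlee EXPORT cust-20014 HQ-LAPTOP-3
2006-09-13T07:30:00 asmith READ cust-30556 POS-02
"""

BUSINESS_HOURS = (time(8, 0), time(20, 0))  # assumed store hours
MAX_RECORDS_PER_USER_PER_DAY = 3            # assumed baseline; tune to real volumes
REVIEW_ACTIONS = {"EXPORT", "DELETE"}       # assumed: actions that always get a look


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, terminal = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "terminal": terminal,
        })
    return events


def after_hours(events, hours=BUSINESS_HOURS):
    """Events whose time of day falls outside the assumed business hours."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].time() < end)]


def high_volume_users(events, limit=MAX_RECORDS_PER_USER_PER_DAY):
    """(user, date) pairs that touched more distinct records than the baseline."""
    seen = defaultdict(set)  # (user, date) -> distinct record ids
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["record"])
    return {key: len(records) for key, records in seen.items() if len(records) > limit}


def review_actions(events, actions=REVIEW_ACTIONS):
    """Events whose action type always warrants review (bulk export, deletion)."""
    return [e for e in events if e["action"] in actions]


def build_report(text):
    """Run all three checks and return a summary the security champion can read."""
    events = parse_log(text)
    return {
        "after_hours": [(e["user"], e["ts"].isoformat(), e["terminal"])
                        for e in after_hours(events)],
        "high_volume": {f"{u}@{d}": n for (u, d), n in high_volume_users(events).items()},
        "review_actions": [(e["user"], e["action"], e["record"])
                           for e in review_actions(events)],
    }


if __name__ == "__main__":
    for section, findings in build_report(SAMPLE_LOG).items():
        print(section, findings)
```

The three checks are deliberately simple and independent: each department can adjust the hours and baseline to its own patterns, and the report is a plain dictionary that can be passed on rather than a verdict. A single after-hours read is rarely a problem on its own; it is the combination (off-hours, unusual volume, a bulk export from a laptop rather than a register) that should prompt the conversation with the security champion.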

Clearly, I don’t expect this checklist to foil all data breaches. And by no means will the task be easy or quick. By establishing an internal arsenal, however, retailers will uphold data integrity and, of course, fight the bad guys.