Data Security Dilemma

The security and confidentiality of consumer data has become a pervasive societal issue. And as more breaches are documented, consumers—and regulatory agencies—grow increasingly concerned about how well companies are securing consumer-specific data.

Today, many retailers capture consumer-specific data at the point of sale, from the Web and at the call center. While companies have adequately protected their computing environments via state-of-the-art network architectures, secure VPNs, firewalls, “DMZs,” virus filters and patch management, the question remains whether retailers are ensuring that consumer data digitally stored within operational databases is just as confidential and secure.

When Retail Systems Alert Group launched its first “Retail Data Security Benchmark Study” last year, results revealed that many retailers collected and kept data about specific consumer purchases. Results also divulged that there was room for improvement in retailers’ efforts to secure consumer-specific data.

As we set out to conduct this year’s study, “Retail Data Security Benchmark 2006-2007” we were committed to understand how consumer-specific information is “acquired, used and secured” by companies in the Extended Retail Industry today.

Results from the just-completed study revealed that almost 75% of ERI companies are using consumer-specific data captured at POS to move toward more demand-driven merchandising, understand affinities between consumer purchases, and learn who their “best” consumers are. This information also helps chains identify individual consumers, according to most respondents. For more than 60% of survey respondents, individual consumers are linked to POS transaction data for subsequent analysis.

Although there is an increase in companies’ sensitivity toward adequately ensuring the privacy of collected consumer information, survey results indicate that a majority of retailers have yet to take the appropriate measures. For example, 61% of retailers have established a data-security coordinator, but only 48% have a formal incident response plan. And while nearly 50% encrypt consumer-specific information, a meager 26% fully comply with data-security standards such as PCI. These are not encouraging numbers.

Meanwhile, 14% of respondents have knowingly suffered a consumer data-security breach. While it is clear that there is a tremendous risk to a retailers’ brand if they fail to act more proactively, retailers are concerned that proposed or pending regulations and standards will impact their businesses. Further, they don’t feel that trade associations are adequately representing retailer issues to state and federal regulators. Retailers are also worried about RFID’s potential to become a privacy concern.

A climate of distrust also exists among consumers. According to some studies, 90% of the American public cares strongly about privacy. Further, most feel that they have lost control over the privacy of their own personal information.

Clearly, the challenges many organizations face in protecting sensitive customer data arise from familiar territory. And internal obstacles have, unsurprisingly, prevented many companies from achieving their goals. To combat this reality, we offer the following recommendations:

Assign organizational responsibility, and support it from the top. The privacy of consumer-specific data is a boardroom concern, not merely an IT governance issue. Failure to ensure the privacy of this data creates tremendous fiduciary risks;

Develop a technical and process road map for compliance to industry standards, particularly the PCI DSS standard (www.visa.com);

Only keep data that is necessary to meet operational objectives, and only hold onto it as long as necessary;

Follow the standards in regard to what data should and should not be kept;

All members of the ERI should convey their commitment to consumer privacy via every channel (stores, Internet, catalog); and lastly,

Train employees about the company’s policies with regard to consumer privacy.

Now is the time for chains to address the organizational and technical issues surrounding the effective use and security of consumer- specific information. Companies that effectively use this information to drive customer value, and ensure privacy and integrity, will be rewarded with increased customer loyalty and improved earnings. Failure to secure consumer-specific data will result in brand erosion and crippling scrutiny from regulatory agencies and financial networks.