Read Bennett Gold LLP's privacy policies and practices regarding this web site.
LINK TO: Bennett Gold LLP's Privacy Policies and Practices. E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


NOWHERE TO HIDE

Source: Forbes.com

Posted on September 17, 2007

      If you give a company your name and address, how many copies of this data do you think will exist in databases around the world a mere 12 months later?

      Easily a thousand, estimates Jeff Jonas, who holds the titles of distinguished engineer and chief scientist at the IBM Entity Analytic Solutions group. A million copies is also not out of the question, he says. The same is true for your far more private financial data, too. And the more copies out there, the more likely your financial data could be pilfered by cybercriminals.

      Jonas is among the top U.S. experts developing techniques to protect data and detecting digital malfeasance. Many of the countless copies of your records that exist on networks are entirely legitimate - many companies keep rolling backups of sensitive data, making extra copies of data at the end of every week or every month, and preserving that data for years at a time. Credit card information, for instance, is routinely copied, distributed and backed up by nearly every business that accepts plastic.

      Keeping financial data safe, consequently, is more like herding sheep than guarding the crown jewels. That's helped put this year on track to become the most costly in history for data breaches. Among them: TJX Companies, which includes retailers T.J. Maxx and Marshalls, reported in January a data breach that compromised more than 45 million credit card numbers over 18 months.

      According to TJX's internal calculations, those intrusions cost the company $256 million in lost revenue - a figure that could climb to as much as $4.5 billion as lawsuits over the breach are resolved, or $100 per record, according to security audit firm, IPLock. Given that same cost per record - a number roughly agreed on by most security analysts - data breaches this year at Fidelity National Information Services and Monster.com could cost around $230 million and $130 million, respectively.

      Jonas is trying to build systems that help companies use data about their customers to do savvy marketing without adding to the worldwide sprawl of personal information on the Web. He spoke with Forbes.com about just how many copies of your credit card information are floating around in the private sector, why so many of us give away private information, and how hard it is to give the slip to the Salvation Army.

      Forbes.com: How does our most private data, like credit card or medical information, get distributed?

      Jeff Jonas: For the most part it doesn't, but there are some exceptions. Medical prescriptions, for instance, are aggregated in databases that make sure you're not getting two medicines that interact badly. That's a necessary flow of private info that saves lives.

      But then there are also breaches from carelessness or criminal behavior. And that gets difficult given all the copies of the data that a company makes internally. Any time you make another copy of data, you increase the risk. It doubles your efforts for protection.

      How many internal copies do companies make of your sensitive data?

      The bigger the size of an enterprise, the more copies they need. When they collect the data in the sales entry system, that's designed to process orders. But they may have a distribution and fulfillment system that makes sure they deliver the order to you. So they copy the data into that. And then they'll have a data warehouse that they use to pull data together across their whole enterprise. Then they back it all up in daily and weekly rolling systems. With just four systems and a rolling backup strategy, you can end up with more than a million total copies. I don't want to do the math here, but I've worked it out in my blog.

      Every time you make a copy, you have to protect it, and when you have copies on these tapes that have lots of mobility, you risk these tapes falling off the back of a truck. That's how some breaches occur. You're insane if you keep your data unencrypted on tapes, but many enterprises still do that.

      The other electronic copies are online, not to the world, but to the company's networks. And there you have the risk of someone inside inappropriately extracting information from them or someone from the outside hacking their way in and running away with the farm.

      After recent data breaches like TJ Maxx, Certegy and Monster.com, are companies paying more attention to preventing breaches?

      Many companies start paying serious attention to security only after something bad has happened. They only do the due diligence then, and their stock price slowly recovers.

      Are consumers demanding better protection of their private data?

      Consumers trade it in all the time. They're just looking for the organization that can deliver the fastest, cheapest products. I used to be under the delusion that a consumer would choose to transact with organizations that show a higher level of privacy protection. I don't think that's true anymore. Consumers will take a bit of risk for convenience. Most consumers have never had their identity stolen. It's like violence in other parts of the world: It doesn't hit home.

      Even I don't necessarily prefer privacy to convenience. When I moved, for instance, I apparently still had one phone bill to pay. Lo and behold, and my phone was never turned off at my last house. I had tried to keep my new address a secret, so I never filed a change of address form. So the phone company gave the charge to a collection agency, and it went on to my credit report. I was testing the system to see if you could keep your address a secret, and I got punished. So the lesson, I guess, is that I'd rather have everybody know.

      What are other sources of big leaks of data people would rather keep private?

      Most of the data that many people describe as private is actually public data. Public data has the highest velocity. People are surprised that names, addresses, dates of birth, and for a long time, social security numbers are all public. Even your mother's maiden name. For all these kinds of data, you have to think about how it gets into motion.

      Here's a funny story: When I last moved, I decided to try and keep my address a secret as long as possible. Turns out this is much harder than I thought. TTT The Salvation Army found me just two weeks after I'd moved, and the junk mail started flowing right behind that. When you move, you have to tell your cable service or the DMV that you've moved, and then you give up that data. The first public place where my new address data leaked was probably in the property ownership records.

      So the Salvation Army is checking these data sources?

      Data aggregator services like Lexis-Nexis or Acxiom acquire these public data sets from public record sources and provide it to other organizations. Different aggregators have different focuses. Some aggregators specialize in background checks and credentialing, some specialize in marketing, and other specialize in gathering unstructured data. That may include newspapers, blogs, even MySpace. What's public is public, and people forget that.

      In the old days, if you wanted to look up public data, it would be listed in paper files like the phonebooks at the library. Then phonebooks moved onto CD. Now it's on the Internet. So data that's always been public is getting more and more accessible.

      What's so scary about public data being out there?

      I know someone who's in a custody dispute, and their public data in this case turned out to be their MySpace page. And that data - the information they wrote themselves and the silly things that their friends say about who they are - is now being used against her in court.

      People's expectations of privacy are changing. In the old days, everyone in a small town knew everything about each other, but you could always escape that town and go to another town. You used to be able to reinvent yourself. That freedom is eroding.




CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.


ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.