Have you ever heard stories about corporate files being stolen that contained salary and benefit information about corporate executives? How about incidents where companies sent CDs that contained their newest product formulas via regular mail? Most of you have not. More likely, you’re familiar with the “granddaddy of all blunders” – Her Majesty's Revenue and Customs (the equivalent of the Internal Revenue Service in the United States) which lost two CDs containing the personal data and financial records of 25 million British citizens – roughly 40% of the country’s total population! Adding insult to injury was not only that the information had been sent via private courier service, or that the fiasco was uncovered nearly a month after it occurred – but that this had been the third serious government security breach in almost three months!
This fiasco, which was unfolding during the week of November 19, steadily grew more embarrassing. At first, the government blamed a junior level employee for not following rules but soon realized that due to cost considerations, the manager in charge had refused to encrypt the data, only password protect it – meaning that information could easily be extracted. Although the British Prime Minister, Gordon Brown, apologized publicly for the debacle, 40% of Britain’s citizens were left to deal with the possibility of identity theft, fraud and other malicious activity that could be conducted with their personal data such as names, dates of birth, bank account numbers, and home addresses. Concern about data privacy in the UK is has reached a crescendo, with the Information Commissioner Office in the UK reporting that 9 out of 10 people are concerned that organizations do not treat their information properly.
While few security breaches ever reach the magnitude of HMRC, lax security standards for customer data is nothing new. Some of the more egregious examples of successful security breaches include TJX Co. The parent company of T.J. Maxx and other retailers announced in March of this year that more than 45 million credit and debit card numbers had been stolen from its IT systems. With this announcement, the company found itself as being one of only two companies (along with CardSystems) to have surpassed more than 40 million stolen customer records. While the United States’ Veterans Affairs Department had briefly lost track of more than 26 million records (due to a misplaced laptop), the scope of this security breach was truly frightening.
After reading about these security breaches it should come as no surprise that Privacy Rights Clearinghouse recently announced that 17 computers containing personal data on more than 1 million people were lost or stolen in the past two months.
When reading article after article about the loss of customer data, I often wonder why I never read about executive or product data being stolen. Think you’ll ever read about Coke or Pepsi having its recipes stolen? I doubt it. However, I have little doubt that it won’t be long before I read about another incident where a company or government agency loses more data about its customers or citizens.
Companies need to determine the scope of security that they are willing to apply to their customer and corporate data. After all, there are many different levels of security, but how much security is enough security? Any security expert will posit that there is always more security that can be applied to any file or data. However, companies need to take a strategic business decision to invest in IT and data security. This involves not only IT Systems, but standard operating procedures so that a junior associate would never be able to gain access, never mind send, highly sensitive information on 25 million customers via courier service.
At this point, you’re probably wondering why I’m writing about security. The answer is that this topic highlights a bigger issue – concern for customer (and citizen) well being. If companies and governments truly cared about their customers and citizens as much as they did about themselves, they would apply the same security measures that they employ for themselves. We rarely hear about sensitive corporate data breaches or security breaches at the Pentagon because companies and governments care more about themselves than they do about their customers and citizens. If customers truly represented a company’s core asset, their information, like corporate secrets, would be treated in the exact same manner. One needs to look no further than the level of security applied to customer data to determine a company’s commitment to its customers.
Organizations that are truly concerned about their customers, will rarely, if ever, encounter successful security intrusions and mishaps that can destroy their lives. If and when they do occur, I have no doubt that these companies would do all it could to keep customers informed and help them through a troubling time.
It is through the small details that organizations can build true customer relationships and deliver great customer experiences. The security that organizations apply to their customers’ information is a great start!