At the same time, it’s certainly true that corporations have access to very personal and sensitive customer information, including Social Security numbers, credit card information, and purchase history. And while most businesses adhere to the laws in place to protect their customers’ privacy, there are some who break laws regarding personal data. And that is where the real issue with the sensitive information contained in corporate databases lies. It’s not in corporations crossing the bounds of privacy; it is in cybercriminals who want to raid these databases to extract the valuable data from them.
Certainly, corporations pay a public relations and financial price when their databases are compromised or sensitive information is breached. For instance, Sprint was recently taken to task when an employee allegedly shared via Facebook photos of a couple having sex. The employee had apparently uploaded the photos from a traded-in phone. Sharing its customer’s private photos or data is not in Sprint’s best interests. A story about the incident, “Lawsuit Says Sprint Worker Put Customer Sex Photos on Facebook,” appeared in the Los Angeles Times and spread across the Internet.
Sprint issued the following statement: “Protecting customer privacy is of the utmost importance to Sprint. We take these matters very seriously. We intend to fully investigate this matter.”
Target was also involved in a serious financial and security breach when thieves stole millions of credit card numbers by hacking into the retailer’s payment system. Ultimately, Target took a charge of $61 million for the incident.
Big data can create tremendous returns for businesses and at the same time a phenomenal experience for their customers: a true win-win. At the same time, businesses don’t always invest in the appropriate safeguards to protect the sensitive customer data they have (credit card numbers, Social Security numbers, their birthdays, and more) if they don’t have to. But this state of affairs has to change. For one thing, businesses must shift their perspective. They need to develop a better understanding of the magnitude of the social contract they have entered into with customers when they fill their databases with sensitive and private consumer data. Businesses must have more respect for the data they have on customers and place more value on protecting that data. They must also have a better awareness of what the cybercriminals around the globe are capable of.
Todd Davis, chairman and CEO of Lifelock, a company that helps consumers protect their personal data, said the realization that more must be done to handle this problem is growing. He proposed three key steps to handling this problem of database security.
The first step to improving data security is consumer awareness. Davis’s company, Lifelock, was built to educate consumers and protect them from the dangers of identity theft. Consumers need to understand their options when their personal data is breached, Davis said.
“Even if you’re part of a data breach, we’ve got your back. You’re not going to be out a bunch of time and money,” Davis said.
With this message, Lifelock has grown for 35 consecutive quarters; it has more than 3 million customers, and generated $369.7 million in revenue in 2013. Davis believes that the more consumers are aware of database security issues, the more businesses will do to protect consumers.
Which brings us to the second step necessary to improve data security: enterprises must pay heightened attention to the protection of their customer databases. “There are best practices,” Davis said, but he pointed out that many companies are simply not taking basic steps to protect their consumer data. In 2011, Verizon and the U.S. Secret Service Agency conducted a study and issued their Data Breach Investigation Report, which found that 89 percent of the companies that experienced a data breach in 2010 were not in compliance with the Payment Card Industry Data Security Standard.
Adrian Lane, an analyst with security consulting firm Securosis, outlined two basic ways that businesses can secure customer data.
First, they can secure the database that stores the data by patching and securely configuring the database, allowing only select employees access, and even placing the database behind a firewall. Second, they can protect the data itself: they can encrypt data elements; or they can mask the data, by, for instance, replacing a real person’s name with a pseudonym in the database; or they can
“tokenize” the data by, for example, blocking out complete credit card or Social Security numbers and giving employees access to the last four digits only.
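The masking and tokenizing options Lane describes can be sketched in a few lines of Python. This is an added example, not code from the book or from Securosis; the `TokenVault` class, the key, and the field names are hypothetical, and the vault is in-memory only for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for the demo; in practice it would come from a secrets manager.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonymize(name, key=PSEUDONYM_KEY):
    """Mask a name with a stable keyed pseudonym (same input -> same output)."""
    digest = hmac.new(key, name.strip().lower().encode("utf-8"), hashlib.sha256)
    return "user_" + digest.hexdigest()[:12]


class TokenVault:
    """Hypothetical in-memory vault mapping random tokens to card numbers."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible card number length")
        # Random token: reveals nothing about the card except its last four digits.
        token = "tok_" + secrets.token_hex(8) + "_" + digits[-4:]
        self._by_token[token] = digits
        return token

    def detokenize(self, token, authorized):
        # Only the vault can reverse a token, and only for authorized callers.
        if not authorized:
            raise PermissionError("caller may not see full card numbers")
        return self._by_token[token]


def last_four(token):
    """What a regular employee sees: masked digits plus the last four."""
    return "**** **** **** " + token.rsplit("_", 1)[1]


def protect_record(record, vault):
    """Return the copy of a customer record that is safe for general use."""
    return {
        "name": pseudonymize(record["name"]),
        "card": vault.tokenize(record["card"]),
    }
```

A breach of the general-purpose database then exposes only pseudonyms and tokens; the full card numbers live in the vault, which can be patched, firewalled and access-controlled separately.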
But Lifelock’s Davis said even increased vigilance by enterprises won’t be enough to completely protect consumer data. “If cybercriminals want in bad enough, they can get in,” Davis said.
The third step is giving legislation and law enforcement more teeth when it comes to cybercrime. Legislation must increase requirements for businesses regarding notification of data breaches and security requirements, and there must be stiffer penalties for companies that don’t meet minimum standards of security.
Additionally, Davis said, the penalties must be increased for cybercrime. As it stands now, a bank robber who walks into a bank and steals $5,000, which is about the average take for such crimes, is highly likely to be caught and typically faces a mandatory sentence of five years. It’s a much different situation for a cybercriminal. “If you go to the same institution, commit identity theft, and withdraw money from my savings account, you have a less than 1 percent chance of getting caught, and there’s not mandatory sentencing,” Davis said. “First-time offenders have a good chance of getting parole. That’s crazy. We don’t have the right deterrents in place.”
Ultimately it’s all about the culture of an organization and the focus on treating data responsibly. LinkedIn is an example of a company that has “Member First” as a core tenet, and it literally lives and breathes this concept in everything it does. Every employee is required to get trained on its tenets, its privacy policies, and the data use policies. It also maintains a cross-functional Trust Council that meets monthly to help ensure that the company is living up to its promises. As LinkedIn says about its policies, “We always aim for clarity, consistency, and member control.” By training all employees on these concepts and monitoring for compliance, they have taken a leadership position in treating data responsibly that other companies could emulate.