Executive Editor

Crime and punishment

News Analysis
Sep 13, 2004
Enterprise Applications, Fraud, Security

Corporations pay the price when they don't adequately protect customer data.

Barnes & Noble agreed in April to pay a $60,000 fine after a flaw exposed sensitive customer data on its Web site. The New York State Attorney General’s office, which imposed the fine, says a design vulnerability in the online bookseller’s Web site permitted unauthorized access to consumers’ accounts and personal information.

The bookseller corrected the flaw before any serious damage was done. BJ’s Wholesale Club, however, wasn’t so fortunate. The tab for the Natick, Mass., company’s system breach, which it reported in March, continues to mount. In its quarterly report filed in August, BJ’s disclosed it is facing $16 million in fraud-related claims after the theft of some of its customers’ credit and debit card information.

Computer security breaches are a recurring problem for companies, particularly those that conduct business online. Based on the results of its annual survey of e-commerce crime, security company CyberSource estimates online crooks made off with 1.7%, or $1.6 billion, of 2003 U.S. business-to-consumer e-commerce revenue.

The toll on consumers whose financial information is stolen is huge. The Federal Trade Commission (FTC) says almost 10 million Americans were victims of identity theft in 2003. These consumer victims reported $5 billion in out-of-pocket expenses. At the same time, identity theft losses to businesses and financial institutions totaled nearly $48 billion, according to the agency.

Companies that suffer a system breach might find themselves on the wrong side of the law. There are hundreds of privacy laws from federal, state, local and international sources. Government enforcement of such laws can come from federal agencies such as the FTC, and state attorney general offices. Consumers, too, can take matters into their own hands when their privacy is breached, through class-action lawsuits such as those that dogged Microsoft, TriWest Healthcare Alliance and Eli Lilly.

Of course, revenue isn’t the only thing at stake. A company’s corporate reputation is on the line if it doesn’t adequately secure customer information.

“There’s no bigger responsibility as a financial institution than to safeguard customers’ information,” says Leonard Rowe, corporate senior vice president and director of e-business development at Associated Bank in Green Bay, Wis. “It’s right up there with maintaining the money customers entrust to us. We, as an industry, have everything at risk if we don’t protect our customers.”

Online banking offers convenience, but it also heightens security challenges. To make sure users doing banking business online are who they say they are, Associated Bank recently added an extra layer of technology to its infrastructure. The bank subscribes to a service from Authentify that uses voice prints to verify a customer’s identity.

If a customer wants to set up online access to an existing account, the Authentify service places a phone call to the customer – either during or immediately following the Internet session, depending on the customer’s Internet setup – and asks for a verbal acknowledgement that the customer wishes to establish online access. Authentify then compares the speaker’s acknowledgement to a voice print on file to verify identity.

There are a few advantages to using the Authentify service, Rowe says. It’s faster and more secure than making a customer wait to receive a PIN in the mail before activating a new banking service. The Authentify service also establishes an audit trail if fraud is committed. From a technology standpoint, the service is inexpensive to implement and not intrusive, Rowe says. “The telephone network already exists, plus a voice print is the least-intrusive biometric technology for customers,” he says.

Baker Hill – a service provider that administers online loan applications for banks – likewise went the extra mile to secure its users’ information. The Carmel, Ind., company installed a Web-application firewall from Teros that studies what an application is doing and blocks suspicious behavior. For example, if someone tried to inject SQL commands to obtain hundreds of customer account numbers, the Teros appliance would stop the transaction.

The Teros appliance is different from a typical firewall, which focuses on protecting against network-layer attacks and doesn’t closely examine traffic destined for Web servers, says Eric Beasley, senior network administrator at Baker Hill. The Teros appliance decrypts and inspects the traffic to make sure it conforms to acceptable application behavior. “That ability to do deep packet inspection, to inspect traffic at the application layer, is a big help,” he says.

Assistance required

Safely handling sensitive customer data is about more than just installing security products. Companies should supplement their security technology with investments in security audits and security training, according to this year’s Computer Crime and Security Survey. The annual survey is conducted by the Computer Security Institute (CSI) and the San Francisco FBI’s Computer Intrusion Squad.

Security audits are widely used, according to the CSI/FBI survey. Among 494 respondents, 82% indicate that their organizations conduct security audits. Survey respondents say that training is lagging. On average, respondents from all sectors do not believe that their organization invests enough in security awareness.

Seeking outside help is important, says Larry Ponemon, whose Ponemon Institute think tank in Tucson, Ariz., researches privacy, data protection and information security policies. “Information security and privacy really lend themselves to third-party verification,” Ponemon says.

Ponemon is affiliated with the International Association of Privacy Professionals, which this fall will begin offering certification for privacy professionals. There are also several professional training programs in information protection, including the International Information Systems Security Certification Consortium’s Certified Information Systems Security Professional and the SANS Institute’s family of Global Information Assurance Certifications.

Baker Hill’s Beasley regularly taps external sources for help in securing the service provider’s systems. For example, every year Baker Hill uses Ernst & Young’s SysTrust service to review its application security policies. It also subscribes to a hosted security scanning service for ongoing vulnerability checks.

Barnes & Noble will be doing more such engagements. Its settlement with the New York State Attorney General’s office requires the company to establish an information security program to protect personal information; establish management oversight and employee training programs; and hire an external auditor to monitor compliance with the security program.

A lot of companies are getting involved in privacy risk management, but the majority are not doing enough, Ponemon says. Companies that do a great job protecting consumer privacy, such as Procter & Gamble and E-Loan, realize that it can be a competitive advantage, he says. But the reality is most companies are motivated by fear of a public scandal.

The fear is founded. Consumers are increasingly savvy about information protection, and they’ll take their business elsewhere if there’s a concern that private data isn’t secured, Ponemon says. “A loss of privacy trust is loss of business.”

Online merchants pay for Web vulnerabilities

The Federal Trade Commission and states such as New York are getting tough on companies that promise Web site security and don’t deliver.

Company: MTS and Tower Direct

Charges: The FTC charged Tower with allowing a security flaw on the Tower Records Web site that exposed customers’ personal information to other Web users.

April 2004 settlement: Tower is barred from misrepresenting the security of its customers’ personal information; required to implement an appropriate security program; and required to have its Web site security audited every two years by a qualified third-party security professional for ten years.

Company: Barnes & Noble

Charges: The New York State Attorney General’s office charged Barnes & Noble with allowing a design vulnerability on its Web site that permitted unauthorized access to consumers’ accounts and personal information.

April 2004 settlement: Barnes & Noble is required to establish an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to monitor compliance with the security program; and pay $60,000 in costs and penalties.

Company: Victoria’s Secret

Charges: The New York State Attorney General’s office charged Victoria’s Secret with allowing the personal information of its customers to be available through the company Web site.

October 2003 settlement: Victoria’s Secret is required to establish and maintain an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to annually monitor compliance with the security program; provide refunds or credits to all affected New York consumers; and pay $50,000 in costs and penalties.

Company: Guess, Inc.

Charges: The FTC charged the apparel maker with exposing consumers’ personal information, including credit card numbers, to commonly known attacks; not taking reasonable or appropriate measures to prevent the security flaws; and misrepresenting the security of its customers’ personal information.

June 2003 settlement: Guess is required to implement a comprehensive information security program for and its other Web sites.

Company: American Civil Liberties Union

Charges: The New York State Attorney General’s office charged the organization with allowing personal information of consumers who purchased items from the ACLU’s online store to be accessible through a search mechanism on the Web site.

January 2003 settlement: ACLU is required to strengthen its internal standards relating to privacy protection, training and monitoring; undergo annual, independent compliance reviews over the next five years and make the findings of those reviews available to the Attorney General’s office; and pay $10,000 to the state.