VIRGINIA TAKING CARE OF CUSTOMER DATA DailyProgress.com | Customer care also means caring for data
February 4, 2007
As chief information officer at Dominion Resources Inc., she's in charge of putting in place a technology infrastructure, rules and policies on how customer information is managed so your personal records are protected at the state's largest utility company.
"As a major corporation, we have a significant responsibility to all stakeholders to protect information about them that is within our system," she said. "We take it very seriously, as a matter of obligations, responsibility and good business."
When an organization misplaces personal information on its customers or has that data hacked, the fallout is major.
"I don't want to overblow it, but if you get the reputation in the industry that you don't take care of the customers' data, then other companies aren't going to want to do business with you," said Kevin Pomfret, an attorney at Cantor Arkema in Richmond who specializes in corporate law.
Besides public perception, he said, companies may face financial penalties from a data loss, even if no consumers were harmed because of the leak.
The Federal Trade Commission enforces privacy policies on companies and organizations that collect, use and secure consumers' personal information. The agency can nail those groups financially when leaks occur.
The agency leveled its stiffest fine -- $15 million in civil penalties and settlement -- against a company that accidentally sold thousands of consumer records to a criminal group. "This was an unusual case in that most of the time the FTC imposes requirements about improved security practices [and] policies and future audits to ensure compliance," said Dean A. Scharnhorst, an attorney with Williams Mullen specializing in technology law.
In the past several years, many states have begun requiring companies to publicly reveal when they had data losses or breaches.
Thirty-five states have such laws, but Virginia does not. State lawmakers are debating such legislation in the General Assembly.
"There tends to be a growing understanding of this issue that was perhaps not fully understood three or four years ago when [data losses] first happened," Dominion's McDermid said.
Peter Aiken, an information-systems professor at Virginia Commonwealth University and founder of Richmond-based Data Blueprint, said companies need better policies on how customer data are stored and managed, just as they would have guidelines for running other parts of the business.
"Somebody's data is just another asset, like cash," Aiken said. "You would not feel very comfortable in your organization if the chief financial officer didn't have an accounting background."
Still, "even the best of companies with the best of security plans have issues with data being temporarily misplaced," said Sue Houk, director of consumer solutions at ID Analytics Inc., a San Diego firm that helps organizations secure data.
Two laptops stolen in August
For instance, Dominion had two laptop
"We have no indication that the information was compromised, recovered or used in any fashion," said Karl R. Neddenien, a Dominion spokesman.
The company notified affected employees. He said because of Dominion's tight IT security, it would have been "extremely difficult" to access the data.
Still, "it points out the need to try to think of every contingency and to make sure that all staff and employees are aware of the rules when it comes to keeping [personal] information on
When
"You can't just go in and say, 'Oh, we're going to slap another firewall in.' It's like slapping a Band-Aid over surgery," said Richard J. Coppins, an information-systems professor at VCU. "If someone gets into your network [by hacking], clearly there was a security flaw in the network."
Sensitive information should be encrypted -- blocked from the eyes of outsiders and those who don't have a code to see it, Houk said. Some companies haven't taken that step.
Many weaknesses in corporate IT systems, Coppins said, are based on the use of passwords. When passwords are difficult to remember, employees tend to write them down and post them.
Second authentication tool
The likelihood of an attack can be reduced -- not prevented -- by relying on not just a password but on a second authentication tool, such as a fingerprint. "More authentication, the more secure you can be," Coppins said.
In coming years, issuers of credit cards -- a major target for crooks -- will enhance security measures, possibly doing away with plastic cards, said Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University.
Additional measures could include biometric fingerprint scanners, he said. Some retailers, including several in Virginia, have already placed fingerprint readers near cash registers.
High-tech security, however, will require companies to pony up more money. Companies will have to weigh the cost of upgrades with the expense associated with losing customers' data, Jajodia said.
But it's not just companies that should be wary of data leaks.
Dominion's McDermid notes that consumers need to be aware of who has their information and how it is being used.
"There's more of a need for all stakeholders in this issue to be alert, be cognizant, be on their toes about how this information is used in the company and shared with others," she said. "Everybody has to do their job."

