Pack Rat RehabBy Larry Dignan | Posted 2005-05-03 Email Print
Minimize the amount of data you keep, and you reduce the chances that lost or stolen information can come back to haunt you.
So if you're a data pack rat—and Kroll couldn't identify any companies that aren't—where do you start?
According to Stickley, the first step is a data audit. Survey where sensitive personal data is stored; rank it based on whether it's needed or not, and then consider how long the information needs to be stored. Classify public information and personal identifiers and separate them. Find out the security practices of suppliers and partners, and identify points where sensitive information travels via laptops or backup tapes.
And don't forget the decades-old systems that may be hoarding information. Any system—including old paper files—that isn't terminated is capable of being accessed.
"It's a nightmare because few companies have destroyed anything," Stickley says. "It used to be all that information was paper-based in some catacomb somewhere. Now it's on a computer."
David Sun, a consultant at security firm Vance International, says the data audit is a blueprint for a security strategy, but is often ignored. "Most [companies] don't spend the money up front to figure out what not to collect," he says. "In the information age, information is power, but it's also a liability if not managed well."
With the audit complete, the next goal is secure the data and restrict sensitive information through encryption, access privileges and physical security. Visa and MasterCard are requiring merchants in their networks to comply with security practices such as protecting stored data, encrypting cardholder data, restricting physical and data access, and tracking and monitoring all access to information. Deadline: June 30.
Then, the real work begins. Slowly eliminate data. Farber says the task will take years amid a lack of resources and pushback from data hoarders.
According to Farber, a serious push to minimize data by corporate America is likely to require an act of Congress.
Indeed, Sen. Dianne Feinstein (D-Calif.) proposed a data privacy bill on Jan. 24, along with one modeled after a California state law that would require companies nationally to disclose when customer data has been breached. Neither bill has passed, but the Senate Judiciary Committee has held hearings on protecting customer information.
David Prinzing, director of network services at Raley's, a California supermarket chain, agrees regulation would move data minimization along. He has to deal with the California disclosure law, Visa and MasterCard's security requirements and the Health Insurance Portability and Accountability Act, but doesn't see much incentive for companies to minimize the data they keep.
"It's a good idea and there probably are numbers we don't need," Prinzing says. "But it would take a substantial project to figure out what data could be eliminated and change databases."
Prinzing predicts that data minimization could be gradually phased in as data warehouses are replaced. But unless the concept piggybacks on another big project, the returns couldn't be justified.
Deirdre Woods, chief information officer at the University of Pennsylvania's Wharton School, says the biggest return from data minimization is keeping your organization out of the press. "That's really the goal," she says.
According to Woods, the University of Pennsylvania about three years ago made a big push to cut the use of Social Security numbers it absorbs from testing organizations, current and prospective students, and alumni. The university centralized the storage of sensitive data, restricted physical access to authorized personnel, and gave students and alumni unique identifiers that wouldn't reveal a treasure trove of additional information if stolen.
"Data minimization is not a blinding revelation," Brill maintains. "If a CIO doesn't look at it and come up with a plan, someone else will."