When it Comes to Data, Less is Better

Polo Ralph Lauren loses the personal information of 180,000 HSBC North America customers. DSW Shoe Warehouse discovers credit card and check data on 1.4 million transactions has been stolen. Bank of America loses backup tapes with the personal information of 1.2 million federal employees.

Why are these security breaches happening?

The answers generally offered by the leaky keepers of data on customers all sound familiar—software glitches, lax security procedures and criminal activity.

Another reason, never offered: Companies are data pack rats, collecting customer information for years without knowing what data is lying around or whether it even holds business value, say security experts such as Alan Brill, senior managing director at Kroll Ontrack.

The fix: Go on a data diet. Reduce the amount of data you keep around, a process called “data minimization.”

Such minimization won’t end the theft of customer information, but it will limit what data there is to steal (or lose).

Companies often learn the hard way. Polo Ralph Lauren spokeswoman Alex Cohan says the company “had more data on hand than we needed in the point-of-sale system.” The company wouldn’t comment on what data was stored, but credit card magnetic stripes contain items such as account numbers, three-digit verification codes and expiration dates.

Now that Polo Ralph Lauren’s system, provided by Micros Systems’ Datavantage unit, has been patched, Cohan says only information needed to complete the sale—namely, credit card number and authorization—is collected.

“No one asks whether a company really needs to keep all this information lying around,” Brill says. “Is there a reasonable business reason to keep it?”

According to Brill, companies need to go on a “data minimization” quest to cut risks. Go through all your processes and purge data that doesn’t serve a business purpose. In a data-minimized world, a retailer, for instance, wouldn’t keep credit card numbers on transactions beyond its return policy. Social Security numbers wouldn’t be collected at all. Addresses for former customers could be purged after, say, three years. Temporary workers and offshore contractors would only see the data necessary to do a task.

So how did companies get in this pickle?

David Farber, a computer science professor at Carnegie Mellon University, says companies got into it slowly with hopes of marketing better or selling their distribution lists. After all, the penalties for collecting driver’s license and Social Security numbers, or any other nugget of customer information, were nil before identity theft became publicized.

“It became easier to keep information than throw it away,” Farber says.

Jim Stickley, chief technology officer at TraceSecurity, knows the drill. His credit union, California Coast Credit Union, gave his Social Security number to an unnamed third-party marketing firm that lost it.

“It’s one thing if the bank needs my Social Security number,” Stickley says. “But there’s no marketing justification to giving it out.”
