AOL has joined an ever-growing list of companies that have had to admit that customer names, Web activities, Social Security numbers and other sensitive data they collected and stored were lost, stolen or mistakenly released to the public. In AOL’s case, the company released detailed keyword search data for about 650,000 users, a random selection of the searches its customers had run. Customer names were not attached to the searches; each user’s queries were grouped under a numeric user ID instead. That was not enough to protect anyone: because a single ID tied all of a person’s searches together, the identity of one AOL customer was reportedly worked out from the content of her searches.
Not only are such incidents embarrassing, but companies also face lawsuits and fines. The Electronic Frontier Foundation, a privacy rights group, has asked the Federal Trade Commission to launch an investigation into the AOL incident. The FTC earlier this year fined ChoicePoint $15 million for releasing information on 163,000 people to some con artists.
There are good reasons why companies collect as much information as they can on their customers. The better a company knows its customers, the better it can lock up their business by targeting them with products, services and discounts. But the more information a company collects, the more data there is to lose. “CIOs are between a rock and a hard place when it comes to data privacy,” says Larry Ponemon, a leading privacy expert. Chief information officers are responsible for making sure the company can efficiently and effectively tap customer data for sales and marketing purposes. They are also responsible for data quality and data integrity, and for all related privacy and security issues.
So what’s a CIO to do? Here are 10 recommendations from privacy advocates and members of the Society for Information Management, a national organization of CIOs:
1. Determine who the data owners are. Various departments may be in charge of collecting and storing the data they use. The first step in protecting data is knowing who controls it.
2. Take a data inventory. You need to know where data is stored, including the copies that tend to escape notice: backups, log files, spreadsheets and analytics extracts pulled from the production database. If there is a leak, you have to be able to trace the data back to its source so you can deal with the problem.
3. Enlist the help of others. CIOs should expect the department that owns the data—as well as the legal, compliance and internal audit teams—to help implement privacy safeguards.
4. Purge data you don’t need. Sometimes organizations just collect too much, and a lot of it is of no use. And if there’s no reason to have it around, Ponemon says, why keep it? Companies are already starting to get smarter about this, especially those that deal with consumers. Those companies, says John Stevenson, Sharp Electronics’ former CIO, “are beginning to get a little more wary on where you draw the line as far as having enough information.”
5. Review how information is stored. Do you need the whole Social Security number, or will a portion of it be enough for your customer identification purposes? Keep in mind that even a fragment such as the last four digits is sensitive, and that an SSN has only nine digits, so a plain hash of it can be reversed by simply trying every value. If the full number has to be retained for matching records, a token computed under a secret key that is stored apart from the customer data is the safer form.
6. Think about the levels of security you put in place. Intellectual property needs to be guarded closely, but only about 10% of a company’s data needs that level of security, Ponemon says. The challenge is that if CIOs try to secure all information to the highest level, they are going to spread their data protection resources too thin.
7. Look at all available technologies. In addition to encryption, think about content monitoring and filtering tools, which inspect outbound traffic such as e-mail, Web uploads and file transfers, flag sensitive information like Social Security and card numbers, and stop it from leaving the company. Encryption protects data that is stolen in storage or in transit; it does nothing when the company itself sends the data out, as AOL did.
8. Control the endpoints that connect to your systems: laptops, PDAs and other wireless devices, as well as memory sticks.
9. Think about having the chief information security officer report to the CFO. CIOs with tight budgets may opt not to spend money on extensive privacy protection. The CFO might be in a better position to weigh the financial risks.
10. Share best practices. There’s as much to be learned as there is to teach. And in the end, it’s the job of the CIO to do whatever he or she can do to safeguard customer data. As former Paramount Pictures CIO Ed Trainor points out: “You’ve got a responsibility to protect it.”