It seems like every week now there's a story about another company losing control of digital identity data. The problem, of course, is that when your identity data is lost by some company, the chances that your identity will be stolen go up.
The latest story was about Citigroup losing the records of 3.9 million customers. According to a Reuters report, the data--on tapes--was lost while being transported by UPS to a credit bureau.
Certainly, tapes and data have been getting lost since tape drives were first invented, but the problem hasn't gotten the kind of attention that it does now. With people, and even legislatures, becoming more concerned about identity theft, the pressure is on like never before. Even so, many IT professionals seem unaware of their responsibilities.
The other day I was chatting with an operations manager for a largish data center and mentioned this problem. His reaction was classic "deer in the headlights." He knew that other companies had identity issues, but it never crossed his mind that he had identity data that was at risk without planning and forethought. My conversations have convinced me that my friend is not alone.
Almost every organization collects personally identifying information of some kind. You have it. Do you know where it is?
One of the things you can do to get started on this problem is to conduct a "privacy audit." A privacy audit asks a number of questions about identity data that your organization collects. Here are some you might consider:
- What kinds of identity data are you collecting?
- How is this identity data being collected?
- Why was the identity data collected?
- Were special conditions on its use (internal or external) established at any time?
- Who is the data owner and who are the custodians?
- Who uses the data, why, and how do they usually access it (e.g., remotely, via the Web, from home)?
- Where is it stored?
- Is any of the data stored on devices that are routinely transported off-site such as a laptop or PDA?
- Are there backups? If so, you need to answer these same questions about the backups.
- Is the data shared with partners? Why and how?
- Are there access logs for the data?
- Where are the logs stored?
- Are the logs protected?
- What other security measures (firewalls, intrusion detection systems, and so on) are used to protect the data?
Once you know what data you have and where it is, you come to the hard part--protecting the data. The bad news is that all the technology in the world won't help unless the people who own, manage, and use the data also understand the problem and know their responsibilities.
The Citibank loss is a good case in point. Citibank has announced that it will begin encrypting any data transported offsite to partners. Encryption technology is well understood and has been available to Citibank for years, and yet they haven't been using it. The solution to the problem was a policy change more than a technology change. Similarly, you can put all the protections you want on your data, but if someone downloads it to a laptop and then carries it offsite, your work is all for naught. The moral: don't neglect the non-technical aspects of solutions.
I don't think we've seen the end of this; we're likely to see even more stories of lost data in the months to come. The problem is systematic. When I interviewed Daniel Solove on privacy, he said we've created an "architecture of vulnerability." It's going to be a while before we've fixed the basic problems that have led to this situation. In the meantime, take care that you don't end up in the news.