Theft was the word of the day on April 29, as business owners, academics and government officials converged on Pope Auditorium for a series of workshops dedicated to keeping information safe.
“Business Data Security and Red Flags Rule Compliance” was broken into two sessions, “Protecting Personal Information—Best Practices for Business” and “Minimizing the Use of Stolen Identity—The Red Flags Rule.”
The conference was sponsored by the Federal Trade Commission (FTC), Center on Law and Information Policy at Fordham Law, New York State Consumer Protection Board and the New York City Department of Consumer Affairs.
Leonard Gordon, director of the FTC’s Northeast region office, noted in an opening address that identity theft is the number one complaint reported to the commission. He estimated that more than 250,000 people are affected annually.
To show what can happen when a business is lax, Deborah Marrone, assistant director of the Northeast region office of the FTC, detailed scenarios that two companies—CVS Caremark and Compgeeks.com—encountered.
Compgeeks’s failure to secure its customer database in 2007 allowed hackers to roam freely in it for six months. Some of CVS Caremark’s pharmacies were caught throwing pill bottles with patient names, addresses, medication and dosages—as well as employment applications and Social Security numbers—into unlocked dumpsters.
In addition to 20 years of monitoring by the FTC, CVS Caremark was hit with a $2.25 million fine. Just as important, Marrone noted, was the damage to the companies’ reputations.
“If companies want to portray themselves as good corporate citizens, that can be ruined by a data breach that results from poor security practices,” she said.
In a morning session, Scott Lancaster, director of Starwood Hotel Resorts’ information security information group, said there are great reasons for not digitizing records. If done right, however, the benefits generally outweigh the risks.
“There is something to be said for a nice strong lock on a door, knowing that your information is behind the door and not easily accessible to somebody who might compromise a bad control on a firewall,” he said. “Unfortunately, what you’ll find is that documents sitting in a room probably are not very accessible to people working in the field or on the road. You’re also vulnerable to the destruction of the only copies of the data due to fire or water damage.”
Other panelists acknowledged that even the best-laid plans sometimes go awry. James Jaeger, director of cyber defense and forensics for General Dynamics, and Robert Novy, a member of the Secret Service’s Electronic Crimes Task Force, said that in the event of a breach, companies should seek outside help immediately.
“I recognize how really, really hard this is for IT people, system administrators and network managers,” Jaeger said. “They own the network; they feel very possessive about it, and they should. But if you walked up on a murder scene, with an individual lying face down, bleeding with a knife in his back, every one of you knows you wouldn’t walk up and pull the knife out. The same thought process has to apply to intrusions.”