YOU ARE HERE: LAT HomeCollections

If firms like Target won't protect privacy, make 'em pay

Companies leave customer information vulnerable to hackers because better safeguards would cost them money. Fines for data breaches could change their attitude.

January 10, 2014|David Lazarus

Businesses have the tools and know-how to keep our personal information safe.

They just don't do it.

"It's expensive," said Nick Mancini, a partner at Tech Consultants, a Woodland Hills information technology firm.

And that, in a nutshell, is why big companies that should know better routinely issue red-faced notices that they've been hacked and that customers' confidential info is on the loose.

Target took it on the chin again Friday when it revealed that up to 110 million customers — not just the 40 million it originally reported — may have had their names, addresses, credit and debit card numbers and other information stolen.

"I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target's chief executive. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

Well, that's heartening, even though the company seems to be having a difficult time with both the understanding and the sharing parts of that.

The Target hack underlines the vulnerability of consumer data at a time when businesses large and small are doing their darnedest to amass as much of our info as possible.

Knowing a lot about customers enables companies to tailor their marketing pitches to people's specific tastes. It also provides a treasure trove of digital goodies that can be sold to other businesses and marketing firms.

So it's no wonder that almost all transactions these days include not just your name and credit or debit card number, but also requests for your email address or other contact info.

That information is subsequently triangulated with other info available from so-called data brokers. The upshot is that highly revealing dossiers on your life and personal habits can be compiled by corporate interests — and, in turn, made available to hackers.

Think the National Security Agency is nosy for peeking at your email or eavesdropping on phone calls? The World Privacy Forum, an advocacy group, testified in Congress last month that data brokers are providing marketers with lists of people with chronic diseases such as AIDS and of women who have been raped.

Other lists include people with known addictions to drugs or alcohol, the locations of domestic violence shelters and the home addresses of police officers.

"Highly sensitive data are the frayed and ugly ends of the bell curve of lists, far from the center," said Pam Dixon, executive director of the World Privacy Forum. "This is where lawmakers can work to remove unsafe, unfair and overall just deplorable lists from circulation."

I have some other advice for lawmakers. I'll get to that in a moment.

First, let's dispense with the notion — promulgated by many in the business world — that customer data is basically safe, so you shouldn't worry. It's not. And you should worry.

More than 662 million consumer records have been exposed to theft in more than 4,150 known security breaches since 2005, according to the Privacy Rights Clearinghouse in San Diego.

Businesses also would have people think that they're bending over backward to keep a lid on customers' personal information. Nearly all corporate privacy policies include some variation on the phrase "we take privacy seriously."

If that were true, though, they'd actually take privacy seriously, which would mean using all resources at their disposal to make good on their pledge.

The tools are there. Technology is available to encrypt data, making it unintelligible to anyone lacking an encryption key.

Powerful firewalls can be erected around corporate databases, and so-called virtual private networks can be built that allow a company to move data from one location to another without being exposed to digital predators lurking on the Internet.

There are reasons that such remedies aren't employed, or are used haphazardly, by many large companies such as Target. One is the cost. All this cybersecurity typically comes with a price tag in the millions of dollars.

Another reason is convenience. The more information security that a business deploys, the harder it is for employees and partners to access the data needed to do their jobs.

It's not that workers would be locked out of their companies' computer systems. They'd just have to use more keystrokes and enter more passwords to get what they want.

But such steps can slow things down, and efficiency experts say delays of this sort can be deadly in today's gotta-have-it-now economy.

"Companies try to find a balance between security and convenience," said Mancini at Tech Consultants. "You can lock down a network, but that can make it less usable to the people who need it."

To which most consumers would probably say: Tough patooties.

Los Angeles Times Articles