DO you know where your customers' data is tonight? And what you're doing with it?
Data privacy woes are rampant. Every week, we hear about another debacle or encroachment on what should be a private sphere. And regular folks are getting angrier by the day.
IT, albeit reluctantly, is at the heart of the problem. But IT must also insist on being part of the solution.
Missteps are increasingly easier to make. One reason is the offshoring trend. Last year, for example, a medical transcriptionist in Pakistan threatened to release U.S. patients' data if his demands for higher payments weren't met. The U.S.-based company that farmed out the work later told the San Francisco Chronicle that its business had been hit hard by fallout from the disclosure - perhaps a fitting outcome.
Although it's not clear how much private data is now being sent overseas, there's no doubt that the amount is growing. And companies that don't exert the strongest controls over the information they send offshore are opening themselves up not just to financial trouble but also to a massive and well-deserved backlash.
IT departments can't control a transcriptionist making demands halfway around the world. But they can avoid preventable stupidity.
As The Washington Post reported in February, it's astonishingly easy to do a search on Google and other popular search engines and find Social Security numbers and other data that companies, universities and even government agencies have put on unprotected servers. Google isn't responsible for preventing these lapses; the careless data managers are.
Plugging such holes is simple compared with fixing some other security risks. "Phishing" attacks - where unsuspecting consumers fork over credit card numbers and other personal information on bogus Web sites that look like the real thing -- are all too common. Companies can't stop the creation of rogue sites, but they can communicate better with customers about how to avoid being victims.
A chorus of complaints met last year's California law mandating disclosure to consumers of serious breaches of corporate databases. But I maintain that the law did businesses a favour by forcing them to work harder to keep data secure and encouraging them to set up crisis plans in the event that hackers get through their firewalls.
It's routine to assume that garnering more data is better. The ability to store everything under the sun is growing along with disk space. If your company sells widgets that end up in consumers' homes and you plan to put radio frequency identification tags on these goods to help make the supply chain more efficient, that's great. But you should be planning now to make sure the tags stop working when they leave the store, because people like me will shout from the rooftops if you don't.
No matter how much data you collect, IT staffs should convince CIOs - who in turn should convince CEOs - that it's far better to build more protection into databases early than to attempt to bolt it on later. And they should convince them to support stronger pro-privacy laws while they're at it.
I can promise this: As identity theft soars, personal medical histories escape and cause all kinds of trouble, and privacy violations become more and more horrific, the public will start demanding some scalps.
Dan Gillmor is technology columnist at the San Jose Mercury News. Contact him at dgillmor@sjmercury.com.
