Data is a valuable commodity, not just for companies but for customers as well. When data is lost or stolen, the financial and public relations impact to companies should make everyone realize just how important it is to protect customer data. "Protecting data is a bargain," says Martha Rogers, Ph.D., and a founding partner of Peppers & Rogers Group. "First, data is the best way you have of getting more business from customers in the future. Second, if you haven't protected and cleansed that data then you don't have access to the insight it provides. Finally, if you protect customers' privacy, you'll be of a higher value to them."
A number of data breaches have made headlines recently, affecting everyone from retail customers to students to public employees. In each case, carelessness or lack of foresight led to data being compromised and resulted in negative publicity. Each offers a lesson for what not to do.
In January 2007, customers filed a class-action suit against TJX, the parent company of T.J. Maxx, Marshalls, and a number of other stores. The suit followed the company's disclosure that hackers compromised as many as 100 million customer accounts, including credit card information. In a settlement announced last year, TJX agreed to provide three years of credit-monitoring service for 450,000 customers and to absorb the cost of replacing some customers' driver's licenses. TJX also agreed to cut the price of every item in its stores 15 percent for one day in early 2009.
Retail data breaches impact greater numbers of people, but government agencies have made headlines in the past few years because of misplaced or stolen laptops containing citizens' or employees' information. The Maryland Department of the Environment recently announced that 1,300 social security numbers were compromised when two laptops were stolen from a state office. That incident followed high-profile cases in Connecticut and New York. In all cases, the states offered identity-theft protection to those affected, and pledged to improve security policies.
Hannaford Brothers, a grocery chain in New England, discovered a data breach in March 2008 caused by hackers installing malware on its servers. The software intercepted credit card numbers during checkout and sent the information overseas. As many as 4.2 million credit card numbers were compromised as a result. In response, the chain is investing millions in new IT protections to put what the company's CEO termed "military- and industrial-strength" protections in place.
Express Scripts, a prescription insurer, announced in November that some of its clients received letters threatening to release their customer information. This followed a prior extortion letter the company received, containing information on 75 customers including their names, dates of birth, social security numbers, and prescription information. The company handles more than 500 million prescriptions a year, and announced a $1 million reward for information leading to the arrest of the thieves. Customers lashed out against the company online, asking why they weren't told sooner about the breach.
The biggest offenders when it comes to protecting data are universities. The Privacy Rights Clearinghouse, which tracks data breaches, reports that 20 percent of incidents in 2008 were at universities. The University of Florida announced last year that its information on dental school patients was compromised after it discovered malware on a server during an update. The data was unencrypted and contained information on 333,000 people dating as far back as 1990. The school notified every person affected that their information could be compromised, and agreed to cover the cost of identity theft protection to prevent lawsuits.