Wednesday, June 28, 2006

It’s 10:00PM, Do you Know What Your Data is Doing?

Your Data - Your Choice - Your Security

There is almost not a day that goes by that we don’t hear about a Government Agency, Corporation or other entity losing a device with private data. Most, if not all of this data is confidential and should never be on a non-encrypted or non-secure portable disk, however this is the world in which we live. Data Analysts need to take their work home. Business Managers need customer and sales data for planning, forecasting and business modeling. Even on a personal level, we often need to transport files from PC to PC or synchronize data amongst mutliple platforms - laptop, desktop, etc.

Your data is valuable. Your data is in demand. Your private data is everywhere.

From the purchases you made using the “Club Card” at the local supermarket to the last oil change you had done at the SuperCenter, the plane ticket you bought online, and even the last pizza you ordered from the national chain. little pieces of your life are recorded, quantified and analyzed. It’s a process called “Data Mining”. Data Mining is used to establish probability grids and forecasting future events based upon known factors and analyzing trends within the data.

For instance, if you own a coffee shop and you know that customer X buys an average 6 Drinks a week for the last 3 months, but now they are only consuming 1 or 2, wouldn’t you as a business owner want to know why? Maybe Customer X found a new coffee shop or has changed his patterns based upon a new job, commuting route, lifestyle change, or other event. Maybe the change co-incided with a change in staff that didn’t have the same training on making the product in the way the customer was used to.

Likewise, if you managed the local supermarket and knew that your “Club Card” members buy 1000 boxes of a toasty flakes during certain periods of the year and you are forecasting purchasing decisions for products that are perishable you would probably look at the data over time to establish trends and develop a probability scale for the sell-through of an upcoming promotion.

Similarly, health care providers, insurance companies and employers can analyze the usage of drugs to treat disease, alternate treatment options, patient recovery rates, patient satisfaction and other factors to formulate new and streamlined treatment methods, reduce or contain costs.

By anayzing trends in the data and looking at your own business model, you can determine pretty accurately what is going on and make changes to your buying patterns, advertising, promotion, training, product offering or customer service to improve the efficiency and profitability of your operations and retain a loyal customer base.

There are several basic kinds of data and for the purposes of this article we will only touch on a few - Personal, Empirical, Aggregate and Summary Data. Each has its own value both to the person that gives up the data and the person that is using the data.

The most valuable one for all parties is Personal Data. This includes information such as your name, address, credit card, ID number, email address, medical records, receipts, bills, income, expenses, spending habits and other uniquely identifiable data. Personal Data is highly prized by commercial and government eliments because it can be used to increase profitability, streamline operations, quantify habits, establish patterns and make unique predictions about individuals and how they live. With this information you can specifically market to an individual or group and offer a product or program that meets a specific need. The Criminal element loves this data too because it is rich with personally identifiable information and can be used to open fraudulent bank accounts, credit card accounts or use the data in other ways in Idenity Theft schemes.

The second type of data is Empirical Data - this is data that is gained through observation or recording of events without personal involvement of the individual in providing the data. An example of this would be sitting outside of a competitors store and counting the number of individuals entering or leaving with purchases over time or viewing other events as they occur and recording the results.

Combining Personal and/or Empirical Data in a group (or Data Set) we get Aggregate Data or Summary Data. Aggregate Data is simply ALL of the data generally segmented by individuals or groups whereas summary data is generally only a small subset or group of the data rolled-up into summarized form. Aggregate Data is used by data miners to search for specific anomolies within trends, changes in specific groups patterns, quantifying individual customer value, or other data that requires the entire data set to model against. Summary Data is generally only a small subset of the aggregate and is used for planning, simple modeling and other general research.

No matter what business you are in, it is all about the Data. Your Data. Exactly how much of this data you are willing to give is up to you, but some, if not most of it can be gleaned through empirical means and recorded or worse yet, purchased from Data Mining Companies without your expressed consent or knowledge.

Some privacy advocates decry this as an Orwellian threat, however there are some things that you can do to protect yourself and there are substanial laws already on the books and financial industry guidelines to protect individual data.

Government regulations including HIPAA (Health Insurance Portability and Accountability Act) and other Federal, State and Local laws regulate the secure access to ANY individually identifiable data held by Healthcare Professionals, Employers, Banks, Financial Institutions, Brokerage Houses, and just about every other type of entity that stores or uses this data. There are heavy financial penalties and JAIL time involved for breaches of these offenses (or so we are told). Yet NO ONE is holding any person or organization accountable for their rampant stupidity, ignorance of the laws and incompetence.

Visa for example has had the CISP (Cardholder Information Security Program) since June of 2001 that requires that merchants:

  • Build and Maintain a Secure Network

  • Protect Cardholder Data (Including Transmission and Storage Encryption)

  • Maintain a Vulnerability Management Program (Test their networks for intrusion)

  • Implement Strong Access Control Measures (Including Restricing Physical Access To Cardholder Data)

  • Maintain an Information Storage Policy that complies with secure storage and access to customer data.

Newer and more stringent guidelines from Visa and other card processing companies include that NO individually identifiable card numbers are left on unencrypted systems and that individually identifiable data is protected from breaches in security.

So when lost the customer and credit card information for customers that purchased through their website from 2002, 2003, 2004 and 2005 that was stored and left in an automobile on a laptop with a non-encrypted hard drive by an Ernst & Young employee, it was in clear violation of their agreement with Visa. It also was a clear violation of the law. At the very least the data should have been encrypted and protected by strong password security, but evidently it wasn’t.

Again, when Marriott lost the same type of data in January 2006 from customers of its time-share division, they simply gave customers a phone number and web address to “find out more information”. Worse yet, IBM lost an un-encrypted hard drive with the personal data including BANK ACCOUNT information of 180,000 of their clients. Yet no one is holding these companies accountable for serious breaches in security, lapses in judgement and just downright stupidity with regard to their stewardship of client data. Here are a few more Gems from just the last few months:

Enough Already - SECURE YOUR DATA. Secure your Customers Data. This stuff is out there, it is valuable. The devices are disposable but the data isn’t.

Today, iQBio, Inc. is announcing the latest in our secure storage series of products that incorporates AES Encryption and Fingerprint Recognition to secure Portable Data. Introducing the iQBioDrive - a 100GB external hard drive that encrypts and secures your data using your fingerprint. Read about this product and don’t take chances with your data.

No comments: