Editor’s Note: Data (In)Security

I often check the clickthough rates of our daily e-newsletter of aggregated and orignal content, ROI Report, to gauge what our audience of cross-channel retailers are interested in and concerned about. Lately, the clickthrough rates for articles about hackers and scammers targeting retailers and shoppers are through the roof.

Unfortunately, there's been no shortage of these articles in recent weeks:

• A data breach at third-party marketing services firm Epsilon in April exposed the email addresses and names of customers at Best Buy, Brookstone, HSN, Kroger, Target and Walgreens.
• Sony announced in April that the personal information of 70 million PlayStation Network customers — including names, addresses, email addresses, birthdays, PlayStation Network and Qriocity passwords, usernames, and online user handles — was obtained illegally by an "unauthorized person." The data was accessed between April 17 and April 19, according to Sony.
• Michaels Stores discovered it was the target of a debit card scam when it was contacted by banking and law enforcement authorities in May after customers reported fraudulent transactions on their accounts, according to the company's website. As of press time, Michaels says less than 100 people have reported fraudulent transactions to their personal accounts.

The Michaels' thefts follow similar cases last summer involving Aldi, a grocery store chain, and Hancock Fabrics, a cross-channel retailer of apparel and home decor fabrics. Both of those cases involved customer reports of debit card fraud.

More Debit and Credit Card 
Data Breaches
So, what's going on here? Are these kinds of crimes becoming more common and serious? It appears that they're becoming more popular. Year-to-date, debit and credit cards account for 20 percent of all consumer data breaches, up from 11 percent during the same period last year, according to the Identity Theft Resource Center. Debit card fraud losses incurred by banks reached a record $788 million in 2008, according to the latest estimates from the American Bankers Association. This is due mostly to stolen and counterfeit debit cards.

So, What's a Retailer Supposed to do?
The Online Trust Alliance has released what it's calling the "Security by Design" framework to help retailers combat the growing risk of fraud and/or data breaches. The framework is composed of the following five steps:

1. Create a cross-functional security team headed by a chief security officer (or equivalent) as a single point of authority with security accountability.
2. Map the data work flows within your organization and with your outside vendors to identify points of vulnerability. Examine how you handle data, from collection and storage to transmission, usage and destruction. Define who, how and why someone should have access to your data.
3. Include security review milestones in the product development process, from concept development to functional specification development to design, testing and launch.
4. Audit your network infrastructure, mapping both internal- and external-facing sites and all points of connection. Implement processes to monitor your network and data assets to detect unauthorized access or unusual patterns of activity.
5. Develop an incident response plan and team. Include predefined action items and communication strategies that can be easily executed should a breach occur.

Remember, it's better to be safe than sorry.