Mare: Ron, last week we talked about TJ Maxx and how hackers had broken in and stolen millions of consumers’ credit card information back in 2007.
Ron: Yes, we did. What about it?
Mare: Well, since then, we’ve seen lots of scary headlines about this or that company experiencing data breaches. It seems like I am getting monthly notifications from businesses telling me that they may have accidentally disclosed my personal financial information. In fact, I just got one from my bank last week. I am getting really mad about my data constantly being compromised!
Ron: Funny, I never have. I guess you’re not dealing with the right companies, huh?
Mare: Actually, Citigroup was forced to reveal that a recent hack of its network exposed the financial data of more than 360,000 customers. And if they aren’t the right kind of company, then I don’t know who is.
Ron: Okay, I get your point: even legitimate companies get hacked. Your frustration is an example of why companies who don’t take steps to secure their data are really rolling the dice with their brand and their customers’ trust.
Mare: So I was wondering, how can all this be okay? Isn’t there some governing body or entity that can prevent this from happening? I feel like companies who lose my personal financial data should get more than just a slap on the wrist. I not only want them to get bad press, I also want someone, somewhere, to slap them around!
Ron: Sheesh, remind me not to get on your bad side, Mare. But seriously though, there ARE serious consequences for failing to secure private information. There are laws that force companies to comply with security regulations. Some security mandates are created by the federal government through legislation, such as HIPAA, GLBA, and SOX. Others are created by state governments, like California’s SB1386, which governs personal data breach disclosure. And still others are created and enforced by industries through standards like PCI DSS.
Mare: Um, I feel like you just opened up a can of alphabet soup and sprayed it at me. What the heck are all those acronyms?
Ron: Okay, you asked, so here goes: The Health Insurance Portability and Accountability Act, or HIPAA, governs healthcare and health data holders. GLBA, or the Gramm-Leach-Bliley Act, requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. SOX is an abbreviation for Sarbanes-Oxley, legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The company you brought up last week, TJ Maxx, and any person or company that accepts, processes, or issues credit cards are required to comply with PCI DSS, or the Payment Card Industry Data Security Standard.
Mare: What does PCI DSS involve? What do you have to do to be in compliance?
Ron: There are 12 PCI requirements, which you can read more about on-line. The requirements range from things like installing and maintaining a firewall configuration to protect data, to restricting physical access to cardholder data, to not storing specific pieces of data once a credit card transaction has been processed. And non-compliance can lead to serious financial penalties for companies, like $5,000 to $50,000 per month that they are out of compliance, or up to $500,000 for egregious violations. They could even face unlimited liability for fraudulent transactions. Or, in the worst-case scenario, they could even lose their ability to process credit cards altogether. Imagine how crippling that would be to a retailer!
Ron: Um, Mare? Did I lose you?
Mare: No, I was just imagining how much money I’d save every month if I couldn’t use my credit card at certain retailers.
Ron: Well, then, I'm sure they’d have to file for bankruptcy too.
Mare: So, can implementing NetApp data integrity and confidentiality technology help companies comply with PCI DSS?
Ron: That’s a good question. As I said before, there are 12 requirements in PCI DSS, and not all of them can be addressed with NetApp technology. Some have to do with internal company processes, such as the requirement to regularly test security systems. Others have to do with company policies, such as the requirement to maintain a policy that addresses information security. However, NetApp can help companies address a range of PCI compliance requirements, such as PCI requirement 3.4, to render sensitive cardholder data unreadable anywhere it is stored, or PCI requirement 3.5, to protect encryption keys against both disclosure and misuse. This diagram below shows a lot of the other pieces that every organization should have in place to help prevent and mitigate a cyberattack. Like we’ve been saying all along, encryption alone is not enough in a security strategy.
Mare: So would it be fair to say that any business that has access to credit card information, from the biggest behemoth to the tiniest bagel shop on the corner, should think about protecting their data?
Ron: Absolutely. Both behemoth retailers and tiny bagel shops alike have to comply with PCI DSS, if they accept credit cards. Luckily, the bagel shop probably uses a credit card terminal that doesn’t store anything on it, so they don’t need to do much more than make sure that the customer gets their card back. But for any company that uses computers to process credit cards, the risks of not protecting data far exceed the cost and the time it takes to implement security measures. By the time your business is on the front page of a newspaper, it’s way, way, way too late. At that point, the amount of goodwill lost and brand damage done is just incalculable, not to mention the hefty fines that will have to be paid.
Mare: Thanks, Ron! Can we talk about HIPAA next week?
Ron: We can talk about whatever you want to talk about, Mare. Bring it on!