Ask Dr. G.

Mama Gigabyte's favorite son Dr. Gigabyte is ready, willing, and able to help your company prevent cyber lowlifes from accessing proprietary information. But have the major movers and shakers taken advantage of his indisputably vast, not to mention free, stores of knowledge? N-o-o-o-o! The result? Corporate fiascos and the letter below. Take heed now!

Dear Dr. G.: I received a pen with the ChoicePoint logo at a trade show last year. Should I be ashamed to use it?
Sincere in Cincinnati

Dear Sincere: A pen? How tacky. I would think maybe a Bluetooth-enabled virtual keyboard would make a much nicer tchotchke. In fact, Dr. G. is in need of such a device. If you have one, please send it on to Dr. G. for evaluation.

ChoicePoint . . . hmmm. The nation's premier source of data is making quite a name for itself these days. A Nigerian national just was sentenced to five-and-a-half years in prison for illegally obtaining personal information from ChoicePoint some four years ago. Then earlier this year, we found at least 145,000 customer profiles had been fraudulently obtained from ChoicePoint by criminals posing as legitimate businesses. Just in recent weeks, a lead story on MSNBC reported ChoicePoint data files may be riddled with errors, omissions, and wrong data. This is some data company. I think it must be using the tried-and-true "keep all our data in shoeboxes" schema.

Back to the question. Should Sincere avoid using the ChoicePoint pen? Duh!

There actually are at least two different issues here: protecting consumer data and identity theft. Notice I said consumer data. ChoicePoint did not lose customer data; its customers are any one of thousands of companies and government agencies that want to know more about their clients, customers, or employees. The immediate assumption when we hear about data theft is "hackers!" Of course, that conclusion usually is wrong. The weak link is and always will be humans. ChoicePoint willingly gave up its data to people posing as legitimate businesses.

So, to preserve the integrity and security of sensitive data, we need a top-down corporate strategy. Data security is not just an IT issue. In fact, electronic security is only one small piece of the picture, even though it is the piece in the limelight. What would have happened if the latest round of data loss from ChoicePoint had occurred because some 17-year-old propeller head hacked a database? Heads would have rolled, starting from the top. It apparently is acceptable to have a flawed business model where criminals can pose as customers and snatch your data, but I guarantee you, it is not acceptable to have a flawed electronic security model.

The electronic risk is potential hacking of sensitive databases themselves. It is a given if we are going to conduct business online, there must be some sort of data connections between our port 80 window to the world and the data we want to protect. Data can and should be encrypted, but anyone who can hack the box probably can get access to login information or encryption schemes. The best security is intelligent system architecture. Keep the data at least three physical boxes away from the world. It apparently is very easy to gain access to Windows servers using one of the multitudes of buffer attacks. The trick is to bounce data access through some middleware on another box and then on to the database. If unauthorized parties can get through your firewall and compromise your outward-facing servers, at least make sure they can't go beyond that level.
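One way to check a firewall rule set against the layered design described above, as an added example that is not part of the original column. The host names, ports and rule sets are constructed, and reading "three physical boxes away" as three allowed connections (internet to web server, web server to middleware, middleware to database) is an assumption.

```python
from collections import deque

# Constructed allow-lists of flows: (source, destination, port).
# Host names and ports are assumptions for illustration.
FLAT = [("internet", "web", 80), ("web", "db", 1433)]
TIERED = [
    ("internet", "web", 80),
    ("web", "middleware", 8443),
    ("middleware", "db", 1433),
]

def hops_to(flows, target, start="internet"):
    """Fewest allowed connections from start to target, or None if unreachable."""
    graph = {}
    for src, dst, _port in flows:
        graph.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def direct_talkers(flows, target):
    """Hosts allowed to open a connection straight to target."""
    return sorted({src for src, dst, _port in flows if dst == target})

def audit(flows, target="db", min_hops=3, allowed_clients=("middleware",)):
    """Return findings where the rule set breaks the layered design."""
    findings = []
    hops = hops_to(flows, target)
    if hops is not None and hops < min_hops:
        findings.append(f"{target} is only {hops} hop(s) from the internet")
    for src in direct_talkers(flows, target):
        if src not in allowed_clients:
            findings.append(f"{src} may connect directly to {target}")
    return findings

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("tiered", TIERED)):
        print(name, audit(rules) or "ok")
```

A single leftover rule from the web server to the database is enough to collapse the tiers, which is why the audit looks at both the shortest path and the list of hosts that may talk to the database directly.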

The second issue Dr. G. targets here is identity theft. What is it? If someone steals your credit-card number and buys 15 television sets, is that identity theft? This actually happened to Dr. G. The thieves stole Mrs. G.'s purse and immediately went to a national department store chain where they attempted to purchase 15 TVs. Unfortunately, the quantity put the card over limit, so they kept putting TVs back until the transaction cleared. The alert store clerk never asked for ID nor checked the signature for a match nor even became suspicious of this behavior. Of course, this little fiasco didn't cost Dr. G. anything but a few phone calls. The retailer ate the fraudulent charge.

But what about pure identity theft? Suppose someone wants to become me by assuming my name, my Social Security number, and my credit history. There are two obvious ways around this little problem. Dr. G. uses method number one: Simply refuse to pay certain credit-card bills. That way, your credit history is very unattractive and thus not fair game for theft. Method number two also is very good. Change your name to one that would make a felon uncomfortable. If criminals don't feel good about their new identity, they aren't going to use it. Lee Harvey Oswald is a good choice.

Readers are invited to send their questions to Dr. Gigabyte at gigabyte@tdmag.com for response in this column. Letters are for purposes of exploring insurance IT issues only and may or may not be contributed by any particular individual.
