RETURN ON TECHNOLOGY: Is securing data worth the cost at your company?

You know, I love my business brethren. I really do. I admire their tenacity, their courage, their competitiveness. But I have to admit that we are a penny-pinching bunch, and sometimes it impinges on our ethics in ways that are a little embarrassing.

An article in a Wall Street Journal blog (www.blogs.wsj.com) points out an example. Technology professionals have long groused that, while their employers talk about securing data properly, there’s rarely enough money to do the job well. Security is expensive, and computer technology is a cost at most companies, not an investment. I’ve seen many IT departments starved for staff and equipment, although, when the systems are down, the company itself freezes like a mammoth caught in a tar pit.

This parsimony has led to many data leaks from companies that should know better, something I delight in pointing out every Christmas when I write my yearly “big technology snafu” column. The most prized leakage of all is account information about customers, particularly Social Security numbers and credit card numbers, both of which in sufficient numbers can potentially be turned into enough illgotten cash to dwarf the revenue of the company that leaked them.

But the Wall Street Journal blog points out that, although such large-scale “whoopsies” are increasing, companies are doing almost nothing to keep them from happening. As the article notes, aside from the reluctance to spend money on depreciating assets, there’s the subconscious awareness that it isn’t the company’s data that’s being lost. It’s yours. If somebody maxes your gold card after the number is thrown to the winds, the merchant who let it get away doesn’t care, because it doesn’t have to pay anything. You and the credit card company have to fight it out.

Dubious ethics? Sure. But shrewd business. It’s all but impossible to sue a company that lets your personal information get away, and there are no criminal penalties just for inadvertent release. State law often requires that a company report the loss of sensitive data, but the fine is often less than the cost of securing the data in the first place.

In addition, companies benefit from having personal data they can crunch to pull out marketing nuggets, so it’s valuable to them beyond your initial purchases. It’s also handy to have in a durable account that identifies you every time you return. I’ve used Amazon’s one-click ordering many times, and I have to say I’m pleased that I don’t need to keep reentering my data. The site even greets me by name when I visit and helpfully suggests more things to buy.

So who “owns” your data, you or the site owner? It’s a question a lot of people have asked, and the answer depends on circumstances. The law is patchwork and blurry. Data ownership is usually spelled out in a company’s privacy policy, but it’s often kept intentionally so dense that it’s hard to read, so nobody ever bothers.

There are also state and federal laws that govern what can be done with certain kinds of data. Companies have to be careful what data they sell to outsiders, but they can normally use the data internally for whatever purpose they like. It’s even possible to fight over small pieces of your data. For example, you might own comments you leave on a site, but the fact that you purchased something from that site that is potentially embarrassing is not necessarily protected.

There appears to be a trend toward cleansing data that’s not needed. Ruby Tuesday, for example, clears the sensitive stuff after every transaction, so there’s nothing to leak out. But Amazon isn’t going to do that, because its one-click convenience is a major competitive advantage, so much so that Amazon has sued many companies who have dared to implement some variation on it. One possibility is to give the user a choice of whether the data is kept or not. Another is to keep most of the vitals on a cookie that never leaves your computer, but that causes problems if you’re using a public computer at work or at the library, because the cookie stays with the hard drive and may not be deleted.

I know people who won’t buy online for this very reason, and I sympathize even while I disagree. But the hard truth is that I’m leaving myself vulnerable to identity theft almost every time I buy online, and I just have to swallow that. There’s no way I can be sure my information won’t escape, and there is precious little I can do to the negligent company that leaves the cage unlocked. Thus is life in the modern era, I suppose. I don’t like it, but the lure of convenience is too strong for me.