That could work any number of ways. Companies could require customers to download digital certificates that would give them secure access to their account information. Or customers could log on to websites using smart cards or USB thumb drives that hold digital identification. And there's the long-awaited promise of biometric technologies that would let customers log on with a fingertip. Prices are coming down enough that it's possible to imagine a day when every new computer comes with this type of hardware; thumb scanners now cost less than $100.
In the meantime, it might be enough to advocate that your company begin digitally signing all outgoing e-mails. You might be forced to do so: Some security-savvy customers are already trashing all e-mails from businesses that aren't digitally signed.A Stitch in TimeCSOs who don't protect customers and employees from identity theft may face a more onerous task: damage control. Just ask Bob Brand, security director for Cox Enterprises, who found himself in the unenviable position of trailblazing the role of the CSO in preventing and responding to the crime.
It started four years ago when some of the 80,000 employees of Cox Enterprises, an Atlanta-based media conglomerate, began getting notices from collection agencies about overdue store credit card accounts. The credit had been issued at Best Buy, Circuit City and Federated stores in the Atlanta area, but many employees were based in Ohio and Texas and had never even been to Atlanta. Gradually, through word of mouth, affected employees realized that it must be an internal problem. An investigation revealed that personal information about some employees had leaked through contractors working on a project.
Brand admits that Cox could have prevented the problem. "What happened with us happened with a lot of companies: We grew fast," he says. "You put the system in place and then you have to play catch up with some of the administrative issues."
And if it were partially his fault, the solution was also partially his. As security director, he took charge of helping victims restore their credit. "It wasn't pleasant," he says. Dispatchers didn't understand how to take down a report of identity theft because the issues cross state and even country lines. When the perpetrators were eventually convicted, Brand shared the victims' disappointment at the sentences
Brand discovered at the business level what John N. Stewart had discovered on a personal level: It's still a whole lot easier to keep identity theft from happening in the first place than to repair the damage after the fact.
"This crime can be just devastating," Brand says. "It's bad business not to protect to the best of our ability an individual's personal information. Why would you want to do business with a company that does not protect your information?"