The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

Don’t Forget About Data Security And Privacy


A couple of weeks ago I received a letter from the Honda Motor Company and, on a whim (I almost always throw letters from car companies away, assuming that they just want to sell me extended warranties), I opened it to read. Much to my surprise, it was a notification that an unauthorized access to my profile on the owner link site had occurred. Data that had been filched included my car’s VIN and user ID, which happens to be my ‘private’ e-mail address. Not to worry, advised the letter: “your password was not included and no other sensitive information was contained on that list”.

Interestingly, the Honda breach happened at about the same time as the Gawker breach, which triggered password-reset responses from other sites like Yahoo and LinkedIn. A little closer to our retail home, Walgreens reported a similar breach of a list of customer e-mail addresses, as did McDonald’s. Walgreens, like Honda, comforted its customers that no other personal information was at risk.

Direct risk, they mean. The indirect risk lurks in the shadows. E-mail lists are used by spammers and phishers to launch broad campaigns to obtain more useful information. For example, I’ve apparently won hundreds of millions from various overseas lotteries, and a small army of exiled billionaires are just dying to deposit money into my personal accounts; I just have to provide a few details about my bank accounts (does ANYONE fall for this stuff?). The more insidious use of e-mail lists is that bad guys scan the Internet for other occurrences of the same addresses and probe for information that can be combined with them, such as credit card or social security numbers. And because consumers tend to be lax about passwords, often reusing the same one across sites, an e-mail address taken from one breach is frequently half of a working login somewhere else. The indirect risks associated with the inappropriate use of ANY customer information are big.

And that’s a problem. Retailers and consumers are busy establishing digitally enabled two-way communications over the Internet, either on the web or via smart mobile apps, and in spite of everything that has occurred in the last decade, there is a pervasive sanguinity about the security of the Internet. The short answer is that the Internet itself provides none, so it is left to the two parties in the digital dialogue to take appropriate measures.

But is that happening? In a conversation aired on PBS on December 13, two experts on Internet security, James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet Security Alliance, were interviewed by NewsHour reporter Jeffrey Brown.

Here’s an excerpt from the interview (emphasis added):

JEFFREY BROWN: How vulnerable is the system and where do you see the main problems?

JAMES LEWIS: The main problem is that we’re using 1970s technology, or, at best, 1990s technology, and it just isn’t appropriate anymore for a global infrastructure. And there are some things, like this Gawker website, that we’re just never going to be able to fix. Passwords are very difficult to make secure, maybe impossible. So if you’re depending on a password, chances are you’re going to be in trouble. And I know that might frighten people, but that’s the reality.

JEFFREY BROWN: Reason for being frightened? What do you see?

LARRY CLINTON: Well, there is reason for being frightened. We have an insecure system that was designed to be open, not to be secure. And we’re expanding that system with all sorts of new devices, handheld devices, smartphones, et cetera. So, the system is becoming generally less secure… We need to get much deeper with the problem. Enterprises need to be much more involved in overall cyber-security. One of the least publicized facts in this field is that we know tons about how to secure these systems…

JEFFREY BROWN: We do?

LARRY CLINTON: We do… Well, enterprises need to have a risk management plan. Most don’t. They need to have somebody in charge of the plan. Most don’t. We need to be beginning to fund the investment in cyber-security equal to the upside that we do invest. Most businesses are happy to invest in online marketing and all the advantages for cyber-security. They are not investing in the cyber-security defensive structures that they need to be putting in place, many of which are highly effective. There are standards, practices, technologies that could protect many of these sites. They’re simply not investing in them.

What to Do?

In RSR’s 2010 study on Data Security and Privacy (Building Trust and Growing the Brand: The Role of Privacy & Security in Retail, February 2010), we proposed a maturity model for the conjoined challenges of data security and consumer privacy, loosely based on the CMMI capability maturity model, and we suggested that retailers develop a roadmap to graduate through the maturity levels. We stand by that recommendation. Here are the four levels of the model that RSR suggests, from least to most mature:

ACCOUNTABILITY HAS NOT BEEN DEFINED: The company leadership recognizes the need to act; a general assessment of the risk has occurred and has been communicated to management; ad hoc approaches are typical; processes and policies are undefined; accountability isn’t clear.

IT IS ACCOUNTABLE: There is a general awareness of the need to act; regular management communication to the business; reliance is on IT expertise.

BUSINESS LEADERS ARE ACCOUNTABLE: The company is committed and management regularly communicates that commitment to the business; processes, policies, and procedures are defined; opportunities for automation that regularly tests policies are being pursued; business process owners are identified.

THE BUSINESS IS EMPOWERED: A roadmap has been developed to communicate plans; processes are repeatable, best-practices based, and tested; automated management and monitoring of controls are fully implemented; business process owners have authority and accountability.

At last week’s NRF extravaganza in New York, Bob Russo, General Manager of the PCI Security Standards Council, made the analogy that compliance is like putting a deadbolt on your front door, but security is in using it. Bob of course was talking about PCI compliance and payment data security, but the analogy applies more generally. As the industry moves enthusiastically towards integration of new digital channels such as smart mobile and social media, companies need to design the right deadbolt, install it, and use it. Otherwise, retailers could be riding for a big fall, and consumers will hold them accountable.

Newsletter Articles January 11, 2015