Bottom-Up Compliance

The features in this issue offer some excellent advice on how IT should approach compliance and guard customer information. The top-down, policy-based approach makes sense for organizations of all sizes. But as important as regulatory compliance is, it doesn't cover every avenue of potential data loss, so make sure you complete the job. There's a good bit of bottom-up education needed too.

For instance, a close associate of mine likes to tell a story of working in retail (can't say the name of the store, but it rhymes with Danana Depublic). The store prides itself on customer service, so it's not uncommon for regular customers to call and request new items be set aside. In one particular store, if the requested item was out of stock, sales associates wrote down the item details along with the customer's name, phone number and credit-card information. These slips of paper were then put in an unlocked drawer until the next shipment of goods came in. Talk about a disaster waiting to happen.

It seems that such compromises in the interest of customer service are more common than I would have thought. As I told this story to Network Computing publisher John Siefert, he related a similar story. John also worked in retail while he was in college, at another store that prides itself on customer service (rhymes with Bordstroms). Seems John had more than a few customers' credit-card numbers written in his planner.

Let's face it, though the disclosure of the loss of massive amounts of personal data--or, more usually, the misplacement of it--makes great headlines, the most likely source of actual monetary loss is minor mistakes made by well-intentioned employees at virtually any level of a company.While compliance with specific regulations certainly requires a good bit more than simple common sense, keeping data safe usually demands exactly that. Common-sense rules and procedures and education at all levels are the best prescription for protecting private data. But just as important is listening to those who serve customers, because you can bet that in either case described above, simply saying "you can't do that" isn't good enough. Customers--both in business and in IT--demand more. Simply enforcing a list of what can't be done--particularly when IT's rules conflict with fundamental business conduct--is the surest way to marginalize IT's value to the company.

Art Wittmann is editor in chief of Network Computing. Write to him at [email protected].