The features in this issue offer some excellent advice on how IT should approach compliance and guard customer information. The top-down, policy-based approach makes sense for organizations of all sizes. But as important as regulatory compliance is, it doesn't cover every avenue of potential data loss, so make sure you complete the job. There's a good bit of bottom-up education needed too.
For instance, a close associate of mine likes to tell a story of working in retail (can't say the name of the store, but it rhymes with Danana Depublic). The store prides itself on customer service, so it's not uncommon for regular customers to call and request new items be set aside. In one particular store, if the requested item was out of stock, sales associates wrote down the item details along with the customer's name, phone number and credit-card information. These slips of paper were then put in an unlocked drawer until the next shipment of goods came in. Talk about a disaster waiting to happen.
It seems that such compromises in the interest of customer service are more common than I would have thought. As I told this story to Network Computing publisher John Siefert, he related a similar story. John also worked in retail while he was in college, at another store that prides itself on customer service (rhymes with Bordstroms). Seems John had more than a few customers' credit-card numbers written in his planner.
Let's face it: though the disclosure of the loss of massive amounts of personal data (or, more usually, its misplacement) makes great headlines, the most likely source of actual monetary loss is the minor mistakes made by well-intentioned employees at virtually any level of a company.