Designer Shoe Warehouse Agrees to Tighten Security

By George Anderson

The discount shoe chain, Designer Shoe Warehouse, has agreed to put in place a more comprehensive security plan to protect customers’ financial information following the discovery that the records of 1.5 million consumers had been stolen back in March.

An investigation found that hackers had broken into the company’s database and stolen credit, debit and checking account information from consumers in 25 states. Among the consumers who had their financial information compromised was Federal Trade Commission chairman Deborah Platt Majoras.

A suit filed by the FTC charged DSW with holding onto sensitive information that was no longer needed by the company and storing it in multiple files, thereby increasing the risk to DSW’s customers.

The chain said in a released statement that it did not agree with the findings of the FTC but that its plan to upgrade security measures, including having its systems audited by independent experts over the next 20 years, “validates the importance we place on security and brings closure to this matter.”

DSW maintains that it notified customers immediately following the discovery that its system had been compromised. The company said losses related to the security breach will be between $6.5 million and $9.5 million.

The theft case remains open.

Moderator’s Comment: What lessons in security and public/customer relations can be learned from the DSW case? How are best in class companies protecting consumers’ personal and financial information?

George Anderson – Moderator

2 Comments
Mark Lilien
18 years ago

At many retailers, the major executive concerned with security is the Chief Information Officer. The other executives often don’t care, and the CIO has multiple priorities conflicting with tremendous budget pressure. The major privacy “enforcers” are Visa and MasterCard. So if the CIO doesn’t make privacy a priority, it’s unlikely anyone else within the organization will. If government regulation is the answer, then it might be very effective if the law simply rewarded customers whose records are stolen a flat amount, say $10,000 each, in addition to any other damages. Retailers pay attention to money, so a retailer with a million customer financial record database would probably pay attention if he/she understood that the theft risk would cost a minimum of $10 billion. This would raise privacy issues to a higher grade on the IT priority list.

Kai Clarke
18 years ago

Security and privacy issues abound in today’s retail environment. There is no federal or state requirement for how personal information is handled, stored or kept secure. As a consequence, personal bank, credit card, and even shopping information is often at risk. Most retailers are not savvy about controlling and securing digital data, thus they compromise not only their security, but those of their customers. Worse yet, unless instructed not to by their customers, retailers have the ability (and often do) to sell this information to anyone. Information is power, and retailers should not be expected to secure and protect private personal information. Instead, we need a federal and a state agency to manage this information and take this away from the private sector. We have continually allowed our privacy to be violated because of insufficient security procedures at the retail level. As we move to a more standardized and digitized age, we need to enact higher requirements for privacy protection and enforce tighter security standards.
