Computerworld Philippines :: CIO Roundtables Security

Peer Perspective. IT Leadership. Business Results

“The Right to Privacy”

By the Computerworld Philippines Staff
December 1, 2007

Keeping customer data private and secure is a challenge that any company, regardless of industry, has to address. While various technologies have long been available to protect vital customer data, companies that currently have or are headed towards having an Internet-based business component are exposed to an entirely new set of threats to their data.

At Computerworld Philippines’ 10th monthly CIO Roundtable, five technology chiefs from various institutions expounded on how maintaining customer data privacy does not simply involve investing in appropriate technology but also developing a comprehensive data privacy strategy that involves issues like education and training, policies and procedures, and enforcement and compliance.

The event was sponsored by HP Philippines and held at the Tower Club, and featured Dustin Andaya, marketing director of Islandrose.net, Lito Averia, chief technology officer of the Philippine Stock Exchange, Richard Bragado, IT manager of Southeast Asian Airlines, Edgardo Lim, vice president for information systems services of Generali Pilipinas, and Susan Perez, senior vice president for the management information systems division at Air Philippines Corp.

Highlights from the discussion follow:

CWP: In your line of business, what types of customer data do you keep private?

Edgardo Lim: Our business has certain unique needs, since we cater to clients in financial services, and there are certain regulations involved like the AMLA (Anti-Money Laundering Act) that we have to observe. The information that we need to protect typically includes financial data such as credit information, bank account information, PIN numbers, sources of income, the income itself, and contact information. One of the reasons why we are not online is the sensitivity of the information we deal with. While it may be easier to sell insurance online, the majority of potential clients would not be comfortable giving out this information over the Internet.

Lito Averia: At the (Philippine Stock) Exchange, our focus is more on protecting confidential corporate information. The users of our system are mainly broker firms and we do publish their names, addresses, and telephone numbers on the website so that their customers can get in touch with them. Since we deal extensively with the public, a lot of the information in our system is actually within the public domain. For listed companies like PAL (Philippine Airlines), San Miguel, PLDT and the like, much of the information that they submit to us are made generally available on our website. We actually have an obligation to disclose to the public certain information, for instance, we are required, as listed companies are required, to publish their financial statements or their annual reports. On the other hand, an example of the confidential corporate information that we protect, would be the 201 information of employees—this falls under another class of information not made generally available to the public.

Susan Perez: Aside from what Bong (Edgardo Lim) has mentioned earlier about the customer data, I think that what we need to keep private is information about the airline reservations in our system—the reservations record of passengers. Even though our system is not yet online, we have always been restricted from divulging this kind of information.

Richard Bragado: Part of our agreement with our customers is to really keep everything confidential. The only things that we may actually give out are indices to transactional records, which normally, we give out to partners. Let’s say you have an inter-line arrangement with another airline, you give out a reference to that transactional record but not the record itself; that’s how we keep information private. Of course, protection is another thing but keeping information private is another side of it. No data is actually given to anyone except for partners. So, basically, the policy there is nothing is made public.

Dustin Andaya: The information our business deals in tends to be very private since we deal with the personal messages of our clients. So what do we keep? Of course, the normal billing information, for instance, for credit cards; which is pretty valuable information since disclosure to unauthorized persons can lead to credit card fraud. We don’t keep a record of the actual credit card numbers, however. We have outsourced to our payment gateway so we only see the first four and last four digits of credit card numbers, which is good as it insulates our staff from even the slightest temptation to commit fraud. The ones that we do have are a lot of information about the billing addresses, the sending addresses, and, I think more importantly, the private messages- so people have to trust us with their messages. This can be a problem since we have a lot of people calling our office, asking if their wives or husbands ordered, when the delivery was made, and other transaction details. But there are certain procedures that we have put in place to ensure client privacy. I have instructed my staff to keep this information private- only the sender can inquire of his order, not even the recipient, because a lot of people order also for recipients that they do not know and a lot of people order for recipients that are second recipients.

CHALLENGES

CWP: What are today’s challenges in maintaining customer data privacy? Are the customer date privacy challenges of a typical organization similar to those faced by a company that does business via the Internet?

Lim: By way of background, when you discuss information security you talk of three things: awareness, procedures, and technology. If you have a brick and mortar company, it’s mostly about the people. You can talk about many things with respect to personnel procedures- physical security, clear desk policy, etc. So yes, there is a difference between a brick-and-mortar company and an online company because, if you are online, it becomes very complex- messages could be intercepted electronically even if you are observing strict personnel procedures, so you need to have technologies in place.

The practice of outsourcing poses additional difficulties. When you do not control the entire value chain, like with BPOs, you have to make data available to these outsourced service providers for them to process. Difficulties can arise when the information is no longer under your sole control. And even with regard to something as simple as the printing of notices, for example, most companies already outsource. You do not do that internally anymore, especially if you are talking about tens of thousands of premium notices. Even the mailing, somebody else does that for you. When you do document imaging, sometimes you also outsource that and you do not control that, oftentimes it is even done outside your premises, so that could be a challenge. When you are not part of that value chain, it becomes more difficult to manage information. When you have contractual employees, there is also a challenge because you do not exercise the same level of control over them. These are some of the challenges. On the issue of brick-and-mortar versus online, additional problems may arise with online businesses. Even with outsourcing you still have some sort of control over your processes but, with online transactions, you have the additional danger of having your system hacked. In fact there was a study done which cites that the main threat is actually coming from inside an organization.

Averia: Yes, 65% of threats are actually internal.

Andaya: We can probably even say 80%

Lim: But they say this does not necessarily mean that people have become naughtier or whatever, it’s just that we now have the technology to detect such actions, unlike before.

CWP: So this has actually been happening before, we were just not fully aware of the extent?

Lim: Yes, you now have means to detect these activities so you know that they are rising.

Averia: Basically when you talk about data privacy, the issue is securing your data and keeping it private vis-à-vis the protection mechanisms that you put in place. Bong is right, it’s a whole value chain; there are points that you don’t control and that’s were you can be exposed. Of course, companies have the responsibility to keep their data private because once it’s out there it becomes very difficult to control. So it’s really the duty of an organization to protect whatever data that they hold.

Bragado: Really, the challenge is that of creating awareness and assigning responsibilities to your staff and, at the same time building security. Especially in this day and age of computer online transactions, keeping the lines secure, the transactions secure from the different technologies that are coming up.

Averia: It’s not so much protecting what you have now, it’s more of being able to minimize, because like I said, everyday, there are new approaches and new technologies for hacking into systems and getting confidential information.

Perez: We don’t have any online booking yet. PAL just recently introduced that into their system and, eventually, we will have that as well but what we have right now is a system where you can look through our Web site and receive information via email. So the data is not really open to outsiders, it is more within the office and we have a person handling all those. So if any information would leak out, it would more likely be coming from people from the inside. We are not really supposed to give information about when a passenger is booked, if a passenger is booked here, etc. so even though we do not really have online reservations yet, we are not really supposed to give out data like these.

Averia: It is more behavioral than anything else; it’s the social aspect of protecting information.

Andaya: I think the common opinion of everyone here is that it is really the people inside the company that are critical to maintaining data security and privacy. So you really have to hire people that you can trust because there are a lot of security measures that you can take to avoid hackers, in fact you can even hire companies to test-hack your site but the people that are handling, say the orders, it is really left to their discretion so you have to put people there that really know what they are doing and that know the value of the data. I would say it all boils down to people. I think the biggest threat is internal because the password is a very short thing to pass around and once you acquire the password then you have access to a lot of data.

PREVENTIVE TECHNOLOGIES

CWP: How do you address these challenges in your line of business? What hardware and software are you currently using to ensure that customer data are kept private and secure?

Averia: Well, again I’ll refer to the survey finding that 65% of the breaches occur internally; like I said it’s more about behavior than technology. One of the key components when you start a data security program data protection program is, of course, creating security awareness among your own people. Having policies in place is another component of being able to control the behavior of your people. Then of course the third one is really classifying the information into different levels of confidentiality- which ones are public, which ones are private, and who among the end users have privilege to access and create, read, update, and delete this information.

Somebody creates the data, somebody is entitled to just read the data, and somebody has the responsibility to update it. Deletion may not be such a big issue now since with the storage technology we currently have, we can keep more information for a much longer time.

Possibly Related Posts: