Cashing In on Data ProtectionBy Debra Donston | Posted 2007-01-18 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Opinion: In light of the disturbing TJX data theft, maybe the only way to really protect yourself is to adopt a cash-only mentality.
When I was a kid, my family did two things on Saturdays without fail: We cleaned the house to strains of marching music (my father was career Army), and we went to the bank.
At the bank, my parents deposited their paychecks, keeping just enough cash to make it through the week. When that money ran out, they didn't buy anything else. Simple.
As for bills, my parents used a folder system. No, not the kind of folders in Windowsthe only computers I knew about then were the ones that wore tennis shoes. They used a paper two-pocket folder: As bills came in, they went in the left-side pocket of the folder. As the bills were paidevery week, with a check for eachthe stub went into the right-side pocket of the folder.
Every month, my parents would sit at the kitchen table and balance the checkbook using the paper statement generated and mailed by the bankan agonizing process for my logically minded father, who wasn't satisfied until he got the statement and the checkbook to within a dollar difference. (I learned at a pretty young age not to interrupt this process.)
My father also eschewed credit cards, saying, "If you can't pay for it in cash, you can't afford it." Simple.
My father never saw debit cards become an acceptable form of payment at every place from Tiffany's to Taco Bell, but my mom continues to go to the bank every Saturday. She's never had a debit card, and probably never will.
How quaint, I've often thought in recent years.
Today, I rarely use cash, instead whipping out my debit card for even the smallest of purchases. I pay many bills online, and I "balance" the family checkbook by making sure the amount that shows up when I check my accounts online is reasonably close to what it says in my checkbook. As for credit cards, well, let's not go there.
Have you seen that commercial where the guy who uses cash, as opposed to a debit card, brings a well-oiled retail operation to a screeching halt? In response to that ad, my 10-year-old daughter said, "Does it really take that long to use money?"
The fact that she has to ask that question speaks volumes about today's cash flowor lack thereof. Indeed, when she and my other daughter were younger, I made it a point to use actual money to make purchases (a.) so they would know what money looked like and what each bill and coin was worth and (b.) so they wouldn't think that this magic plastic card allowed us to get whatever we wanted, whenever we wanted, with no repercussions. (It was harder for me than it was for my parents to say that money didn't grow on trees because, for all my kids knew, it did!)
It's not just meI've heard teachers say that it's getting harder and harder to teach kids to do things like add and subtract money because the kids just don't have extended exposure to it.
Next Page: Why the TJX security breach is different.
The old(er) I get, the more I think my parents were right about most of the things they did. And, with the recent announcement that TJX computer systems had been robbed of untold amounts of private customer information, I know they were right about dealing with cash.
TJX, which operates the T.J. Maxx and Marshalls chains, among other stores, revealed that the computer systems that process credit, debit and return transactions had been breached and customer data stolen.
We're hearing about it now, but the actual hack occurred in December. As I understand it, anyone who has shopped at any of TJX's stores in the last four years is at risk (a number of people that TJX officials have been quoted as saying is "substantially less than millions"how comforting).
The TJX incident is different from many others we've heard about in the last couple years in that data was maliciously and pointedly stolen, rather than inadvertently lost or happened upon.
In the case of the Veterans Administration, for example, a VA employee's laptop was stolen. The private information of millions of U.S. veterans was stored on the laptop, but the thief apparently didn't know that and wasn't after the info in the first place. (And, he or she probably couldn't believe that someone would be so stupid as to store that kind and amount of data on a device that could walk off the VA premises.)
But the TJX incident is just like all the others in that the victims of the crimepotentially you, me and anyone who has shopped at T.J. Maxx or Chez Marshalls, as we call it in these partshave to clean up any mess that results because of it.
Oh, there are plenty of how-to's and best practices out there that will tell you how to protect yourself from a data theft and/or how to fix things after such a theft occurs. But the onus is always on the victim. YOU need to check your credit report for any untoward activity; YOU need to check your bank accounts to make sure it was really you who debited that $2 for a Dunkin Donuts coffee; YOU need to be on guard for any institution asking for more personal data than is absolutely necessary for the transaction at hand; and so on and so on.
All of this takes time and know-how. And it's getting really frustrating to have to run through this process every time a new breach is reported.
How about if the institutions that are more than happy to take our money also take carereal careof our personal data? How about banks and credit card companies keeping watch so that their customers don't have to (or don't have to so closely)? How about the legal system giving victims of identity theft ongoing support as they work to clean up their good names? How about the government passing effective legislation that will hold institutions criminally liable for not protecting the personally identifying information in their care?
For now, it seems that the only way to really protect yourself is to adopt a cash-only mentality. Kids, meet the twenty-dollar bill.
Deb Donston can be reached at firstname.lastname@example.org.