July 03, 2003

Trust, but verify

Maybe The Gipper had it right when it comes to dealing with business partners

Jonathan Krim, writing in the July 1, 2003, issue of The Washington Post, tells a chilling tale. In his page-one story “Web firms choose profit over privacy,” Krim reports that many commerce sites on the Web are telling their customers that they won't share private information. Then they're doing it anyway by selling or renting their customer lists — the very activities they promised their customers they wouldn't do.

This becomes a security issue when many of these same companies promise you the same privacy when handling your customer information — and then siphon off everything they need to sell your customers' information to third parties.

Now you can see where this intersects with your company's security interests. After all, your list of customers is one of your company’s most valued assets. Those customers, whether retail buyers who buy in lots of one and two or companies that buy by the thousand, are the result of hard work and careful cultivation. Why should someone else be able to simply skim off those customers and sell them to anyone they wish, including your competition?

And yet that's happening. According to Krim, CartManager — a provider of shopping cart services for Web retailers — is doing just that. The way it works is this: An on-line store provides a catalog of its products; when a customer decides to buy, the actual process of handling the transaction moves to CartManager. Then it moves back to the original Web site. If you were a customer, you might never know this, unless you happened to read the fine print in a tiny disclaimer.

The situation is worse if you're in business with a company that's handling your customer information, and you don't know if that information is being skimmed for the benefit of another. Just because your business partner assures you that your customer information is safe, that doesn't mean the partner is telling the truth.

While there are some proactive things you can do, such as making sure that your lawyers put ironclad requirements on the protection of your customer data and add large penalties if the data is compromised in any way, you still have to trust that the partner is performing as they say they will.

Or, in the words of Ronald Reagan, you should "Trust, but verify." This means that you need to be able to audit the records of your partners. Or you may have to scan the marketing ads for offers to sell or rent customer lists that could be yours. How do you know when this happens? Make up a few phony customers, insert them in your list, and wait till they get spam or junk mail. That’s a sign of resold customer lists.
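A sketch of the phony-customer check described above, added here as an example and not part of the original column. It goes one step beyond the text by giving each partner's copy of the list its own seed records, so that mail arriving at a seed address shows which copy was resold. The partner labels, key and mail domain are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: known only to the list owner
SEED_DOMAIN = "seeds.example.com"  # assumption: a mail domain you control

FIRST = ["Dana", "Lee", "Morgan", "Robin", "Casey", "Jordan"]
LAST = ["Hale", "Ortiz", "Kemp", "Nolan", "Avery", "Reyes"]


def seed_records(partner, count=3):
    """Derive `count` phony customers that exist only in one partner's copy."""
    records = []
    for i in range(count):
        # Keyed hash: the partner cannot recompute or recognise the seeds.
        tag = hmac.new(SECRET, f"{partner}:{i}".encode(),
                       hashlib.sha256).hexdigest()
        first = FIRST[int(tag[0:2], 16) % len(FIRST)]
        last = LAST[int(tag[2:4], 16) % len(LAST)]
        local = f"{first}.{last}.{tag[4:12]}".lower()
        records.append({"name": f"{first} {last}",
                        "email": f"{local}@{SEED_DOMAIN}"})
    return records


def build_index(partners, count=3):
    """Map every seed address back to the partner whose copy contains it."""
    return {rec["email"]: partner
            for partner in partners
            for rec in seed_records(partner, count)}


def attribute(recipients, index):
    """Group recipients of unsolicited mail by the partner copy they came from."""
    hits = {}
    for addr in recipients:
        addr = addr.strip().lower()
        partner = index.get(addr)
        if partner is not None:
            hits.setdefault(partner, []).append(addr)
    return hits


if __name__ == "__main__":
    partners = ["cart-provider", "fulfilment-house"]  # hypothetical labels
    index = build_index(partners)
    leaked = seed_records("cart-provider")[0]["email"]
    # Constructed sample: recipients seen on inbound junk mail.
    print(attribute([leaked.upper(), "real.customer@example.org"], index))
```

Because the seeds are derived from a key rather than stored, the same records can be regenerated at audit time without keeping a separate list of the phony customers.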

This is not exactly the security stuff of firewalls and intrusion detection, but remember, your single biggest vulnerability is often not you, but your partner. After all, your partner’s incentives to protect your customers are understandably less than yours. But if you're going to use all the technology and best practices at your disposal to secure your information, how can you sit still and let some other company compromise those efforts?

Remember, all the technology in the world won't help security measures if oversight is lax. Keep an eye on your own shop, but train the other one on your partners.

©1994-2010 Infoworld, Inc.