Evan Schuman's StorefrontBacktalk

A major analyst firm will soon report that most retailers still do not have a formal incident response plan for consumer data security. The most likely reason: such a plan would tell retailers things they don’t want to hear.

Despite a veritable avalanche of negative publicity for companies this year that got caught with improperly-handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers do not have anything formal to deal with protecting confidential consumer details.

One of the authors of that report, Steve Rowen, who also serves as the senior editor for the group’s Extended Retail Industry Journal publication, said there are many possible excuses for the absence, but it needs to change.

“It’s a little unnerving. Most retailers are talking a great game about securing customer data but, for whatever reason, whether it’s budgetary or the difficulty of an internal sell, they are not doing what they should be doing about it,” Rowen said. “There’s a disconnect between line of business and IT on this particular matter. When we have these conversations, most people say, ‘Well, we want to stay out of the headlines.’ From the research we’re doing, it doesn’t appear as though the proper measures are being taken to do so. It seems to be getting a lot of lip service and not a lot of action.”

Rowen cites several reasons, including cost (“there the lack of an apparent ROI in security data”) and a retail IT desire wait as long as possible. Many retailers told Rowen “We’re simply going to react once there’s a reason to react.”

Listen to Rowen and others discuss this during last week’s StorefrontBacktalk’s Week In Review.

A much more likely?although discomforting?scenario is the ostrich strategy. That’s where senior retail execs bury their heads in the sands of meetings, hoping they’ll be invisible to security threats.

Why would they retail IT execs do that? They know that any reasonable data security and privacy policy would set stringent restrictions on how data can be used, how long it can be stored and how many people can have access to it. The longer such a policy is delayed, the longer the data can be used in whatever way IT and Marketing feel like using it.

This is not to suggest a deliberate conscious decision, but more of a convenient avoidance for as long as physically possible.

Greg Buzek is the president of retail consulting firm IHL and he equates the retail data privacy approach for avoiding a physician visit.

“It’s kind of like going to the doctor. If you’re fat, you don’t want to go to the doctor because you’re afraid of what the doctor is going to say or the labs are going to say, even though you’re the very person who should be going to the doctor,” Buzek said. “That kind of effect occurs here when it comes to retail data security. ‘Man, if we go into this and we really dig into this, are we ready to find out what we will find out?'”

Some of this avoidance can be seen internally, when the warning calls of technical managers are consistently, repeatedly and inexplicably ignored. “Whether it’s an IT employee or someone in network engineering, they’ll tell you that they see the value, that they have certainly been shouting warning calls within their organization, but that the warning is falling on deaf ears,” Rowen said.

Another reason for the security problem is that the amount of data being gathered today is far greater than had ever been anticipated by the designers of the security systems being used today.

“A truism in retail is that the only thing that grows faster than the proliferation of systems is the amount of data that is being collected, stored and manipulated throughout the chain. It’s hard to get a handle on where all of that data is,” Buzek said. “It gets taken off a variety of different systems and stored in things like Excel sheets and those Excel sheets are all over the place. This mass retailing effect over the last 10 years simply has grown these businesses much farther than security could handle. The proliferation of data and the proliferation of employees and how many people are touching the data and Internet to the stores and everybody having Internet at their desks and access to all these systems, all of that has simply gone way past what the security process is.”

Rowen agrees that the sophistication of today’s data collections has fallen far short of the capabilities of today’s data management systems. To state the obvious, IT can’t protect data it can’t find.

“The amount of data being collected is unfathomable. The real problem is ‘Where is it?'” Rowen said. “I think that an awful lot of times, retailers are caught not really knowing what their own systems are, whether their motivation for not attacking this is a fear-based thing or a cost-based thing or a communication-based thing, it doesn’t change the fact that there is a breakdown and a high level of siloed storage of this type of data.”

The data problem becomes part of a vicious cycle of a growing retail segment, with mega-chains like Wal-Mart forcing the decisions of other retailers.

“When you have data that grows exponentially and staffing that doesn’t grow or even shrinks, it causes quite a problem on the security front. That’s effect of a Wal-Mart taking over so much of a marketplace,” Buzek said. “Everybody else is reacting to that and many are reacting by cost-cutting. When you cost cut, one of the first things that goes is security.”

It seems that many retail execs need powerful fear-based reasons for setting strict security and privacy policies. OK, here are a few. A company today doesn’t even have to get attacked by a criminal hacker to be devastated.

As the Veteran’s Administration and others have recently learned, all that’s necessary is for an employee to take files home and be burglarized or perhaps take some disks and a laptop to the airport and lose the company property there. Whether the cause is criminal versus careless, spying versus sloppy or blackmail versus bonehead, the publicity from a reach can cripple a retailer’s reputation. And the media is in love with high-profile data problems. That’s Fear-Based Reason One.

Here’s Fear-Based Reason Two: competitive differentiator. In the same way that a handful of retail chains are using customer service as a differentiator to battle larger chains, it’s only a matter of time before a major chain will position themselves as the consumer protector. They’ll have a privacy policy and do commercials and news releases whenever they wipe out consumer data. With paranoia as their ally, they’ll make their rival’s lack of policy into a lack of caring. It may sound crazy, but is it any crazier than a retailer focusing on customer service? After all, most retailers see themselves working for the consumer goods manufacturers instead of the consumers. They see themselves as distributors of products and they make money off of product placement.

Having strict data control policies is not merely the right thing to do, it’s also the safe thing to do.