Is Your Chain's Security Structure Creating Security Holes?

Security is now being handled at quite a few different places within the typical chain. Much of this is logical, but the typical chain is handling a wide range of very different security needs. Worried about someone planting a bomb in the lobby of a regional headquarters building? Building security. How about someone trying to break into your payroll systems? Corporate IT.

Shoplifters? Loss Prevention, at the store and regional level. What if it's a Trojan horse in your POS systems (or a skimmer in your PIN pads or a remote access backdoor), all requiring a PCI compliance specialist? IT again, but the PCI area. Perhaps your chain has a pharmacy operation, in which case Health Insurance Portability and Accountability Act (HIPAA) rules kick in and someone trained in those guidelines needs to get involved.

Here's the problem: What happens when a crime crosses multiple jurisdictions? Is critical data falling through the cracks merely possible, or an almost certainty? As Kmart (and its Sears parent) have now discovered, the answer is that it's pretty much a certainty. With Kmart, the situation began when an armed robber demanded that the store safe be opened and cleared it out, taking with him that day's data backup. To be specific, an unencrypted, non-password-protected backup of the most sensitive pharmacy customer details (and other data), setting off all kinds of HIPAA alarms.

That was bad enough. The bureaucracy disconnect kicked in shortly after, when corporate took over the case and handled it (sort of) within federal HIPAA guidelines. What slipped through the cracks? The local police who were desperately hunting the armed robbery suspect. Sears/Kmart somehow didn't tell the police about the disk being taken (only mentioning some $6,000 in cash), depriving investigators of information about a piece of physical evidence that the suspect either still had or had to dispose of.

How did the police eventually learn of it? They heard about it only when Sears put out a HIPAA-mandated news release more than a month later and a reporter called police asking for a case status. And even then, police had to chase down Sears and Kmart officials, who eventually confirmed to police that they had withheld evidence and were less than forthright when answering what was in the safe. Police considered obstruction charges, but ultimately concluded that they couldn't prove that Kmart's people deliberately lied or misled.

In hindsight, this case looks bad, but it also appears that Sears and Kmart officials pretty much followed their rules. No one had anticipated someone stealing data via an armed robbery. (Indeed, it appears that the thief hadn't intended to grab data.) But as crimes morph and change, there needs to be more coordination and data-sharing among a chain's various security units. The next time, the police may not be so forgiving.