Development & Implementation of Data Protection for Transportation of Personal Customer Information (PCI/PII)





SITUATION 
The company shipped over 10,000 tapes per day from over 1,000 sites containing customer and business data. On more than one occasion some of the tapes were found to be missing, indicating a possible compromise of Personal Information. It was determined that significant and immediate action was required after appearing in the Wall Street Journal for the loss of 3.9 million customer records.
ACTION PLAN 
  • Conducted global feasibility study to mitigate identified risk, including technical and procedural controls after initial loss. Modification of existing processes and utilization of preferred carriers appeared to be the most cost effective approach at the time.
  • Utilized the results of the completed feasibility studies to put together a high-level plan and budget in 72 hours for presentation to the board, after a second loss occurred while using the preferred carrier option. The initial budget approved was $60 million, including funding for the procurement of tape encryption hardware at 25% off list price and contractor resources for the rapid deployment.
  • Negotiated contract with encryption vendor for 50% off list. Also negotiated for on-site support during the installation phase, thus removing the need for contractor resources.
  • Realigned and matrix-managed resources globally to form 250 member strike team.
  • Directed engineering team to explore options to maximize usability with an eye towards reducing cost. Team identified methodology that established a 5:1 ratio between tape drives and encryptors, as opposed to the projected design of 1:1 for high-density sites.
  • Designed operational processes that segregated the duties between three different areas within the IT organization, allowing the workload to be more evenly distributed and eliminating the need to hire additional resources.
  • Developed scorecard to track remediations by site. This was centerpiece of weekly status presentation to Senior Management which clearly showed accountability.
RESULTS 
The scorecard and weekly status reports were a huge success with most site managers requesting to be moved up in the schedule. Our largest issue became one of the vendor being able to ship equipment quickly enough to fulfill these requests. Overall the project was completed in under 9 months at a total cost of $27 million, a net savings of 55% off projections.