Jeffery Deaver - The Broken Window

The look Sellitto shot Rhyme said, It takes all kinds.

The first of the two men who joined them in Andrew Sterling’s office was slender, middle-aged, with an unrevealing face. He resembled a retired cop. The other, younger and cautious, was pure corporate junior exec. He looked like the blond brother on that sitcom, Frazier .

Regarding the first, Sachs was near the mark; he hadn’t been blue but was a former FBI agent and was now head of SSD’s security, Tom O’Day. The other was Mark Whitcomb, the assistant head of the company’s Compliance Department.

Sterling explained, “Tom and his security boys make sure people on the outside don’t do anything bad to us. Mark’s department makes sure we don’t do anything bad to the general public. We navigate a minefield. I’m sure that the research you did on SSD showed you we’re subject to hundreds of state and federal laws on privacy-the Graham-Leach-Bliley Act about misuse of personal information and pretexting, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, the Drivers Privacy Protection Act. A lot of state laws too. The Compliance Department makes sure we know what the rules are and stay within the lines.”

Good, she thought. These two would be perfect to spread the word about the 522 investigation and encourage the killer to sniff out the trap on the NYPD server.

Doodling on a yellow pad, Mark Whitcomb said, “We want to make sure that when Michael Moore makes a movie about data purveyors we’re not center stage.”

“Don’t even joke,” Sterling said, laughing, though with genuine concern evident in his face. Then he asked Sachs, “Can I share with them what you told me?”

“Sure, please.”

Sterling gave a succinct and clear account. He’d retained everything she’d told him, even down to the specific brands of the clues.

Whitcomb frowned as he listened. O’Day took it all in, unsmiling and silent. Sachs was convinced that FBI reserve was not learned behavior but originated in the womb.

Sterling said firmly, “So. That’s the problem we’re facing. If there is any way SSD is involved I want to know about it, and I want solutions. We’ve identified four possible sources of the risk. Hackers, intruders, employees and clients. Your thoughts?”

O’Day, the former agent, said to Sachs, “Well, let’s deal with hackers first. We have the best firewalls in the business. Better than Microsoft and Sun. We use ICS out of Boston for Internet security. I can tell you we’re a duck in an arcade game-every hacker in the world would like to crack us. And nobody’s been able to do it since we moved to New York five years ago. We’ve had a few people get into our administrative servers for ten, fifteen minutes. But not a single breach of innerCircle, and that’s what your UNSUB would have to get into to find the information he needed for these crimes. And he couldn’t get in through a single breach; he’d have to hit at least three or four separate servers.”

Sterling added, “As for an outside intruder, that’d be impossible too. We have the same physical perimeter protections used by the National Security Agency. We have fifteen full-time security guards and twenty part-time. Besides, no visitor could get near the innerCircle servers. We log everybody and don’t let anyone roam freely, even customers.”

Sachs and Pulaski had been escorted to the sky lobby by one of those guards-a humorless young man whose vigilance wasn’t diminished one bit by the fact they were police.

O’Day added, “We had one incident about three years ago. But nothing since.” He glanced at Sterling. “The reporter.”

The CEO nodded. “Some hotshot journalist from one of the metro papers. He was doing an article on identity theft and decided we were the devil incarnate. Axciom and Choicepoint had the good sense not to let him into their headquarters. I believe in free press, so I talked to him… He went to the restroom and claimed he got lost. He came back here, cheerful as could be. But something didn’t seem right. Our security people went through his briefcase and found a camera. On it were pictures of trade-secret-protected business plans and even pass codes.”

O’Day said, “The reporter not only lost his job but was prosecuted under criminal trespass statutes. He served six months in state prison. And, as far as I know, he hasn’t had a steady job as a journalist since.”

Sterling lowered his head slightly and said to Sachs, “We take security very, very seriously.”

A young man appeared in the doorway. At first she thought it was Martin, the assistant, but she realized that was only because of the similarity in build and the black suit. “Andrew, I’m sorry to interrupt.”

“Ah, Jeremy.”

So this was the second assistant. He looked at Pulaski’s uniform, then at Sachs. Then, as with Martin, when he realized he wasn’t being introduced he ignored everyone in the room except his boss.

“Carpenter,” Sterling said. “I need to see him today.”

“Yes, Andrew.”

After he was gone, Sachs asked, “Employees? Is there anyone you’ve had disciplinary problems with?”

Sterling said, “We run extensive background checks on our people. I won’t allow hiring anybody who’s had any convictions other than traffic violations. And background checks are one of our specialties. But even if an employee wanted to get into innerCircle it would be impossible for him to steal any data. Mark, tell her about the pens.”

“Sure, Andrew.” To Sachs he said, “We have concrete firewalls.”

“I’m not a technical person,” Sachs said.

Whitcomb laughed. “No, no, it’s very low -tech. Literally concrete. As in walls and floors. We divide up the data when we receive them and store them in physically separate places. You’ll understand better if I tell you how SSD operates. We start with the premise that data is our main asset. If somebody was to duplicate innerCircle we’d be out of business in a week. So number one-‘protect our asset,’ as we say here. Now, where does all this data come from? From thousands of sources: credit card companies, banks, government-records offices, retail stores, online operations, court clerks, DMV departments, hospitals, insurance companies. We consider each event that creates data a quote transaction, which could be a call to an eight hundred number, registering a car, a health insurance claim, filing a lawsuit, a birth, wedding, purchase, merchandise return, a complaint… In your business, a transaction could be a rape, a burglary, a murder-any crime. Also, the opening of a case file, selecting a juror, a trial, a conviction.”

Whitcomb continued, “Any time data about a transaction comes to SSD it goes first to the Intake Center, where it’s evaluated. For security we have a data masking policy-separating the person’s name and replacing it with a code.”

“Social Security number?”

A flicker of emotion crossed Sterling’s face. “Ah, no. Those were created solely for government retirement accounts. Ages ago. It was a fluke that they became identification. Inaccurate, easy to steal or buy. Dangerous-like keeping a loaded gun unlocked around the house. Our code is a sixteen-digit number. Ninety-eight percent of adult Americans have SSD codes. Now, every child whose birth is registered-anywhere in North America-automatically gets a code.”

“Why sixteen digits?” Pulaski asked.

“Gives us room for expansion,” Sterling said. “We never have to worry about running out of numbers. We can assign nearly one quintillion codes. The earth will run out of living space before SSD runs out of numbers. The codes make our system much more secure and it’s far faster to process data than using a name or Social. Also, using a code neutralizes the human element and takes the prejudice out of the equation. Psychologically we have opinions about Adolf or Britney or Shaquilla or Diego before we even meet them, simply because of their name. A number eliminates that bias. And improves efficiency. Please, go on, Mark.”