Customer Data: Stop The Bleeding
On Sunday came the news that the University of Connecticut is notifying 72,000 students, staff, and It was just the latest in what is clearly going to become an endless series of such incidents. That 72,000 figure sounds big, but it's small potatoes compared to the 10 biggest incidents, of which the smallest number of affected customers/consumers is 120,000 at another academic institution, Boston College. And these two universities aren't alone; at least four others have reported some form of a breach.

Is our personal information safe nowhere? It seems that way. Since 9/11, we've heard nothing but reports and forecasts indicating that companies are investing more in security to safeguard their businesses, their infrastructure, and their data. Maybe that's true, but all that investment appears to be for naught because big companies are falling down on the policy/administration/management side of their responsibilities, which is as much a business function as an IT function.

In the aforementioned University of Connecticut case, it boggles the mind to consider that the hacking program was installed in 2003 and discovered in mid-2005 "after a university vendor reported that someone tried to access its server with an illegal password." In other words, the breach was only discovered because another attempted breach occurred. In all too many of these cases, a basic process or procedure--like auditing--wasn't done with enough rigor to detect something like a rogue program, proving yet again that all the technology in the world, no matter how robust, can't overcome a flawed business process.

Need further proof? Transaction processor CardSystems Solutions Inc.--victim of the granddaddy of customer data losses--was audited and found compliant in June 2004 with a set of industry security requirements, but was then no longer in compliance when it was discovered that it was inappropriately storing cardholder data.
(That's a finding that hit close to home last week when a taxi company posted charges to my credit card three months after I had used that company during a trip; the company had retained my credit-card information AND posted the charges without my authorization.)

Where is all this headed? The Senate is putting forth legislation that could hold CEOs liable for purposely concealing a security breach that involves personal data. But even if we do pass new laws making CEOs personally liable for after-the-fact misrepresentations, I'm afraid that won't be enough to clean up an industry of data collectors that simply lack controls. I can just see some blowhard CEO raising his right hand before Congress and saying, "I had no knowledge that my IT department and the systems they bought weren't capable of securing all that personal data we spend so much time and money to collect. I'm a businessperson, not a technologist." (In all likelihood, this would be one of those same CEOs who previously talked convincingly of his tech savvy to anyone who would listen.)

So what do we need? How about a CEO who asks tough questions proactively about the security of all that data being collected, if for no other reason than the fear of being held accountable in the event of failure? How about harsh financial penalties for companies that fail to live up to their stated policies and practices on securing and using/misusing our personal information? How about rigorous, industry-defined processes that dictate the sequence of steps data takes from the point of collection until the point that it goes into long-term storage, followed by regular outside audits to confirm the process is being adhered to every single day? For some other business-driven approaches to the security problem, check out this insightful InformationWeek cover story.
These are just a few ideas, most of which would be less than welcome by those companies collecting all our data, and even less so by the subset of companies and organizations that are losing our data. But since their current practices don't work, it's time to try something that might.