A Data Bill Of Rights
The excuses are always the same: It costs too much to notify people, they don't want the bad publicity, or, as in the recent Hotels.com breach, a couple of months are needed to figure out what was lost on their auditor's laptop. (Don't these companies back up their systems? Don't they know what their employees have access to?)

Companies that allow employees to flout their security policies--or worse, that fail to enact basic or reasonable safeguards to deter cybercrimes--deserve every speck of bad publicity they get. If a company is stupid enough to snail-mail unencrypted drives containing sensitive data, or apathetic enough to routinely allow employees to bring home laptops stuffed with sensitive data, or unwilling to test its own system security, or commits any of a dozen more breaches of common sense, then a little time spent squirming under the harsh glare of the spotlight might be just the ticket.

Which is why I was glad to see a judge reject UBS Wealth Management USA's transparent attempt yesterday to bar reporters from covering the trial of a disgruntled employee who allegedly brought down two-thirds of its network. To the credit of UBS Wealth Management (PaineWebber to most of us), it did call in the Secret Service after a forensic team spent a couple of weeks working on the problem and it became obvious that deliberate sabotage was involved. And it's working with law enforcement officials. But there will be other similar trials where companies with sloppier security procedures will try to prosecute, but from behind a curtain. Judges shouldn't let that happen. We should also be pressing for more immediate information when these breaches occur, and for companies to do right by all potential victims.

In fact, since we're in an age when A) more and more data is being collected by more and more entities--including the government--and shared with God knows who, and B) data theft is accelerating, what we really need are two things:

- A uniform bill of consumer data rights that covers what kinds of data can be collected, who it can be shared with, what permissions are needed, and how long and where this data can be stored. This needs to be written in plain and simple English in readable type, and it needs to be accompanied by a reasonable, standard system in which consumers can quickly redress errors in their data.

- A uniform agreement on best practices for companies and law enforcement to follow in the event of a data breach. When should alerts go out to the cops and customers? What kinds of follow-up services are reasonable? Exactly who, among the people whose data was stolen, gets notified? What are customers owed?

Of course, we need to have some basic levels of security in place, too, but as it has become all too painfully obvious, we aren't there yet. So we'd better get to work fast on figuring out the best way to deal with the increasingly ugly aftermath.