News
Commentary
5/26/2006
12:30 PM
Rob Preston
Rob Preston
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Down To Business: Time To Get Tough On Security Slackers

The Veterans Affairs Department and their ilk aren't victims. They're enablers and must be held accountable.

There comes a time when a problem spirals so out of control that you're willing to entertain just about any solution to get it under control. That time has arrived with data security.

On the table for more than a year has been an array of regulatory, legal, and market-based approaches for keeping organizations from losing, misplacing, exposing, and otherwise failing to protect people's personal data. Among the proposals: Hold every organization to minimum security standards. Require them to notify customers immediately when a key system has been breached. Levy heavy fines and even jail sentences on those who fumble customer data, not just on those who steal it. Experiment with nonregulatory solutions, like insurance policies and third-party monitoring and ratings. Then there are the free-market die-hards, who insist on doing nothing, as consumers will punish those who play fast and loose with their data.

For most market-oriented solutions to work, however, there must be competitive leverage. We can choose not to do business with Ford or Marriott if we're not confident they'll protect our data, but no one competes with the Veterans Affairs Department, which disclosed last week that a laptop containing names, Social Security numbers, and birth dates of some 26.5 million veterans was stolen from the home of an agency analyst. Where are the VA's customers going to take their business in protest?

Meantime, lots of for-profit enterprises carry (and mishandle) data on people who aren't even their customers. For instance, most of the thousands of people affected a year ago by a breach at ChoicePoint, which aggregates and sells reams of consumer and business data, had never even heard of that company.

I have long argued that when it comes to modifying organizational misbehavior, regulations should be the last resort. After last week's VA debacle, that last resort is looking like the only option.

So how should we proceed? Forget the Sarbanes-Oxley scattershot approach. Forcing every company and government enterprise to pass regular security checkpoints would tie up the masses in red tape because a relative few can't get their acts together.

More productive would be national legislation, patterned on a California law, requiring companies to report data loss in a timely manner, as it would target only the offenders. (The VA secretary claims he didn't even know about the agency's debacle until two weeks after it happened, so internal policies must be improved as well.) Critics argue that such notification laws unfairly punish the victims of data theft. But enterprises that lose backup tapes, are lax with physical and digital security, or let their employees tote around highly sensitive data are hardly victims. They're enablers.

In addition, punish the offenders--the serial slackers as well as the identity thieves and corporate espionage artists. It was revealed last week that the VA had failed a federal security audit four out of the last five years, and that in 2004 the inspector general recommended that the agency take 16 security steps, none of which was fully implemented. Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security measures would have been put into practice long ago.

We've all lost patience with the post facto commitment to information security. The VA secretary last week vowed a "relentless investigation" of the agency's security policies. We're also told that the analyst was placed on leave for taking the laptop home in violation of VA policy, but why was it technically feasible for him to download and transport that data in the first place?

In a statement, the VA pointed out that "it is possible" that those who stole the laptop remain unaware of the information it contains. It's also possible that they know exactly what they have and are busy ripping off millions of people's identities and disrupting their lives--all while the bureaucrats trip over themselves to "strengthen safeguards," point veterans to free credit reports, and spend at least $100 million in taxpayer money to cover their asses.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.