Down To Business: Time To Get Tough On Security Slackers - InformationWeek
12:30 PM
Rob Preston
Rob Preston
Connect Directly

Down To Business: Time To Get Tough On Security Slackers

The Veterans Affairs Department and their ilk aren't victims. They're enablers and must be held accountable.

There comes a time when a problem spirals so out of control that you're willing to entertain just about any solution to get it under control. That time has arrived with data security.

On the table for more than a year has been an array of regulatory, legal, and market-based approaches for keeping organizations from losing, misplacing, exposing, and otherwise failing to protect people's personal data. Among the proposals: Hold every organization to minimum security standards. Require them to notify customers immediately when a key system has been breached. Levy heavy fines and even jail sentences on those who fumble customer data, not just on those who steal it. Experiment with nonregulatory solutions, like insurance policies and third-party monitoring and ratings. Then there are the free-market die-hards, who insist on doing nothing, as consumers will punish those who play fast and loose with their data.

For most market-oriented solutions to work, however, there must be competitive leverage. We can choose not to do business with Ford or Marriott if we're not confident they'll protect our data, but no one competes with the Veterans Affairs Department, which disclosed last week that a laptop containing names, Social Security numbers, and birth dates of some 26.5 million veterans was stolen from the home of an agency analyst. Where are the VA's customers going to take their business in protest?

Meantime, lots of for-profit enterprises carry (and mishandle) data on people who aren't even their customers. For instance, most of the thousands of people affected a year ago by a breach at ChoicePoint, which aggregates and sells reams of consumer and business data, had never even heard of that company.

I have long argued that when it comes to modifying organizational misbehavior, regulations should be the last resort. After last week's VA debacle, that last resort is looking like the only option.

So how should we proceed? Forget the Sarbanes-Oxley scattershot approach. Forcing every company and government enterprise to pass regular security checkpoints would tie up the masses in red tape because a relative few can't get their acts together.

More productive would be national legislation, patterned on a California law, requiring companies to report data loss in a timely manner, as it would target only the offenders. (The VA secretary claims he didn't even know about the agency's debacle until two weeks after it happened, so internal policies must be improved as well.) Critics argue that such notification laws unfairly punish the victims of data theft. But enterprises that lose backup tapes, are lax with physical and digital security, or let their employees tote around highly sensitive data are hardly victims. They're enablers.

In addition, punish the offenders--the serial slackers as well as the identity thieves and corporate espionage artists. It was revealed last week that the VA had failed a federal security audit four out of the last five years, and that in 2004 the inspector general recommended that the agency take 16 security steps, none of which was fully implemented. Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security measures would have been put into practice long ago.

We've all lost patience with the post facto commitment to information security. The VA secretary last week vowed a "relentless investigation" of the agency's security policies. We're also told that the analyst was placed on leave for taking the laptop home in violation of VA policy, but why was it technically feasible for him to download and transport that data in the first place?

In a statement, the VA pointed out that "it is possible" that those who stole the laptop remain unaware of the information it contains. It's also possible that they know exactly what they have and are busy ripping off millions of people's identities and disrupting their lives--all while the bureaucrats trip over themselves to "strengthen safeguards," point veterans to free credit reports, and spend at least $100 million in taxpayer money to cover their asses.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll