Down To Business: Time To Get Tough On Security Slackers
The Veterans Affairs Department and their ilk aren't victims. They're enablers and must be held accountable.
There comes a time when a problem spirals so out of control that you're willing to entertain just about any solution to get it under control. That time has arrived with data security.
On the table for more than a year has been an array of regulatory, legal, and market-based approaches for keeping organizations from losing, misplacing, exposing, and otherwise failing to protect people's personal data. Among the proposals: Hold every organization to minimum security standards. Require them to notify customers immediately when a key system has been breached. Levy heavy fines and even jail sentences on those who fumble customer data, not just on those who steal it. Experiment with nonregulatory solutions, like insurance policies and third-party monitoring and ratings. Then there are the free-market die-hards, who insist on doing nothing, as consumers will punish those who play fast and loose with their data.
Meantime, lots of for-profit enterprises carry (and mishandle) data on people who aren't even their customers. For instance, most of the thousands of people affected a year ago by a breach at ChoicePoint, which aggregates and sells reams of consumer and business data, had never even heard of that company.
I have long argued that when it comes to modifying organizational misbehavior, regulations should be the last resort. After last week's VA debacle, that last resort is looking like the only option.
So how should we proceed? Forget the Sarbanes-Oxley scattershot approach. Forcing every company and government enterprise to pass regular security checkpoints would tie up the masses in red tape because a relative few can't get their acts together.
More productive would be national legislation, patterned on a California law, requiring companies to report data loss in a timely manner, as it would target only the offenders. (The VA secretary claims he didn't even know about the agency's debacle until two weeks after it happened, so internal policies must be improved as well.) Critics argue that such notification laws unfairly punish the victims of data theft. But enterprises that lose backup tapes, are lax with physical and digital security, or let their employees tote around highly sensitive data are hardly victims. They're enablers.
In addition, punish the offenders--the serial slackers as well as the identity thieves and corporate espionage artists. It was revealed last week that the VA had failed a federal security audit four out of the last five years, and that in 2004 the inspector general recommended that the agency take 16 security steps, none of which was fully implemented. Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security measures would have been put into practice long ago.
We've all lost patience with the post facto commitment to information security. The VA secretary last week vowed a "relentless investigation" of the agency's security policies. We're also told that the analyst was placed on leave for taking the laptop home in violation of VA policy, but why was it technically feasible for him to download and transport that data in the first place?
In a statement, the VA pointed out that "it is possible" that those who stole the laptop remain unaware of the information it contains. It's also possible that they know exactly what they have and are busy ripping off millions of people's identities and disrupting their lives--all while the bureaucrats trip over themselves to "strengthen safeguards," point veterans to free credit reports, and spend at least $100 million in taxpayer money to cover their asses.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?