Down To Business: Time To Get Tough On Security Slackers - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
Commentary
5/26/2006
12:30 PM
Rob Preston
Rob Preston
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Down To Business: Time To Get Tough On Security Slackers

The Veterans Affairs Department and their ilk aren't victims. They're enablers and must be held accountable.

There comes a time when a problem spirals so out of control that you're willing to entertain just about any solution to get it under control. That time has arrived with data security.

On the table for more than a year has been an array of regulatory, legal, and market-based approaches for keeping organizations from losing, misplacing, exposing, and otherwise failing to protect people's personal data. Among the proposals: Hold every organization to minimum security standards. Require them to notify customers immediately when a key system has been breached. Levy heavy fines and even jail sentences on those who fumble customer data, not just on those who steal it. Experiment with nonregulatory solutions, like insurance policies and third-party monitoring and ratings. Then there are the free-market die-hards, who insist on doing nothing, as consumers will punish those who play fast and loose with their data.

For most market-oriented solutions to work, however, there must be competitive leverage. We can choose not to do business with Ford or Marriott if we're not confident they'll protect our data, but no one competes with the Veterans Affairs Department, which disclosed last week that a laptop containing names, Social Security numbers, and birth dates of some 26.5 million veterans was stolen from the home of an agency analyst. Where are the VA's customers going to take their business in protest?

Meantime, lots of for-profit enterprises carry (and mishandle) data on people who aren't even their customers. For instance, most of the thousands of people affected a year ago by a breach at ChoicePoint, which aggregates and sells reams of consumer and business data, had never even heard of that company.

I have long argued that when it comes to modifying organizational misbehavior, regulations should be the last resort. After last week's VA debacle, that last resort is looking like the only option.

So how should we proceed? Forget the Sarbanes-Oxley scattershot approach. Forcing every company and government enterprise to pass regular security checkpoints would tie up the masses in red tape because a relative few can't get their acts together.

More productive would be national legislation, patterned on a California law, requiring companies to report data loss in a timely manner, as it would target only the offenders. (The VA secretary claims he didn't even know about the agency's debacle until two weeks after it happened, so internal policies must be improved as well.) Critics argue that such notification laws unfairly punish the victims of data theft. But enterprises that lose backup tapes, are lax with physical and digital security, or let their employees tote around highly sensitive data are hardly victims. They're enablers.

In addition, punish the offenders--the serial slackers as well as the identity thieves and corporate espionage artists. It was revealed last week that the VA had failed a federal security audit four out of the last five years, and that in 2004 the inspector general recommended that the agency take 16 security steps, none of which was fully implemented. Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security measures would have been put into practice long ago.

We've all lost patience with the post facto commitment to information security. The VA secretary last week vowed a "relentless investigation" of the agency's security policies. We're also told that the analyst was placed on leave for taking the laptop home in violation of VA policy, but why was it technically feasible for him to download and transport that data in the first place?

In a statement, the VA pointed out that "it is possible" that those who stole the laptop remain unaware of the information it contains. It's also possible that they know exactly what they have and are busy ripping off millions of people's identities and disrupting their lives--all while the bureaucrats trip over themselves to "strengthen safeguards," point veterans to free credit reports, and spend at least $100 million in taxpayer money to cover their asses.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Slideshows
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
Commentary
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
News
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll