IT Confidential: A Checklist For Protecting Personal Data

When will it end? Apparently, not until we learn the lessons of data protection. I'm referring to the continuing incidents of personal data loss: hacked data, stolen data, pretexted data, data thrown away in Dumpsters, data that falls off the back of delivery trucks, and data inadvertently--or advertently--published on Web sites where everyone and his brother can find it.

These incidents are becoming laughably commonplace, and the most recent is a real howler. On June 10, along with a $200 radar detector, a "computer backup device" was stolen out of the car of a college intern working for a state agency in Ohio. In a press release June 15, Gov. Ted Strickland said the device contained 338,634 files in 24,333 folders, which included the names and Social Security numbers of all 64,467 people employed by the state. The device also was found to contain electronic funds transfer data for school districts and local governments, as well as data on state welfare recipients and on people who hadn't cashed tax-refund or lottery checks.

I've put together the most salient lessons to be learned from this incident, and I've organized them as a checklist; feel free to tear out this page of the magazine, or print the list from the Web site, and post it prominently in your organization.

Don't bring sensitive data home. The state of Ohio's nightly data backup policy was two-pronged: One copy stayed in the network administrator's office, a second copy was to be stored off-site. According to reports, the off-site part evolved into the backup data going home with one of the IT people, which eventually was delegated to one of the interns. You know that old saying--don't bring your work home with you? It applies here.

Don't leave a storage device containing sensitive personal data in your car. The same goes for carrying it in your back pocket on the subway, asking the person behind you in line to hold it while you go to the bathroom, checking it into a locker at the bus terminal, or leaving it on the stool next to you in a bar.

Don't delegate responsibility for sensitive data to a 22-year-old college intern. "On its face, with what we know today, this seems like a questionable decision," the Columbus Dispatch quoted a spokesman for the Ohio Department of Administrative Services. I'm all for internships. However, when it comes to data security, look for someone with a little more skin in the game.

Make sure your chief privacy officer knows his or her job, and is actually doing it. Gov. Strickland said: "The Chief Privacy Officer at the Office of Information Technology will be responsible for coordinating the implementation of improved data security measures." That qualifies as closing the barn door after the horses are gone.

Encrypt, encrypt, encrypt! By middle school, most kids today know their way around a keyboard and a mouse, so don't assume that just because "specialized knowledge and equipment" are needed to read data off backup tapes, crooks can't figure it out--especially if the files on those tapes aren't encrypted, which these weren't.

One last point. Gov. Strickland hired a local computer security company called Interhack to make recommendations regarding encryption and other policies. Is it really wise to hire a security company with the word "hack" in its name? I don't know, I'm just asking.

Is it really wise to tick off a computer security company? It's just a joke, guys, don't take it personally. Send me an industry tip or I'll take it personally, to [email protected], or phone 516-562-5326.

---

To discuss this column with other readers, please visit John Soat's forum.

To find out more about John Soat, please visit his page.