Down to Business: Back to Security Basics

Let's go back to Security 101: creating formal policies on accessing, distributing, storing and transporting critical data. And, of course, define severe consequences for failing to follow the rules.

January 13, 2006


Enterprises continue to lose, misplace and mishandle sensitive data. The Justice Department and other organizations that should know better are still posting people's Social Security numbers on their Web sites. ABN Amro Mortgage lost (and weeks later found) a backup tape containing personal data on 2 million customers. Ford reports that a computer with data on thousands of employees was stolen from a company facility. A Marriott time-share unit says a backup tape containing personal and financial information on more than 200,000 employees and customers is missing. And so on.

Define and Enforce

Expensive intrusion-prevention, global authentication and information-management systems have their place in the secure enterprise, but they won't keep your sensitive data from walking out the door. Let's go back to Security 101: creating a formal policy on accessing, distributing, storing and transporting such data--who does what and how. Employees must be trained. And then drilled. If data protection is indeed a board-level priority, everyone in the organization must be made aware of that fact, with clear consequences for those who don't follow the rules.

Meantime, enterprises must truly be held accountable for failing to protect personal data. The pundits will tell you that this is mostly a regulatory challenge: Set a national directive on how organizations must safeguard personal information and then audit everyone into submission--à la HIPAA and Sarbanes-Oxley.

Here's another thought: Punish the handful of wrongdoers and bunglers, instead of tying up the masses with more red tape. Consumer-notification laws in California and other states have forced many of the recent public confessions of data loss and theft. But contrary to my assertion in an earlier column, the threat of public embarrassment isn't a big enough stick. It's still too easy for companies like ChoicePoint, ABN Amro and Marriott to apologize, vow future vigilance and hope for short memories. And such public mea culpas can actually tip off the miscreants that there's more value than they'd imagined in those tapes that fell off the truck.

Identify and Punish

Jim Harper of the Cato Institute argues for a more direct approach: Punish only those enterprises whose carelessness inflicts personal damages, levying fines commensurate with those damages. For instance, every $1,000 in estimated personal damages from data theft or loss costs the organization that's responsible $10,000. "Was a data-rich computer stolen and used for target practice on a backyard shooting range, or was its trove of information used in hundreds or thousands of frauds?" Harper writes on the think tank's Web site.

The challenge here is in assessing and proving damages. Legal red tape can be just as hobbling as the regulatory variety. Let's hope the specter of intense litigation is a powerful enough incentive for enterprises to get their data security acts together before it goes that far. If not, we'll see them in court--not just in public asking for forgiveness.

Rob Preston is editor in chief of Network Computing. Write to him at [email protected].
