Data Security: Not If, But When

The marketing gods have smiled upon database security start-up Guardium. Around the time the company announced a $6.3 million injection of venture capital funds (including an undisclosed amount from Cisco Systems), two stories of stolen information hit the press.

The big news was the theft of names, addresses and Social Security numbers of 26.5 million U.S. military veterans (see "VA Admins: Hold Your Fire"). The other was the revelation that a server containing personal information on thousands of students and alumni from Ohio University had been penetrated by criminals for at least a year. The lesson is screamingly obvious: Organizations that haven't invested in some sort of data protection better start now.

The challenge is the Herculean task of addressing the risk of information loss. Sensitive data has vanished in every way imaginable--external intrusions by tech-savvy criminals, greedy employees selling customer account information and unencrypted data tapes being misplaced. Then there's ChoicePoint, a data broker fined $15 million by the FTC in January for improperly disclosing financial records of more than 163,000 consumers--the company sold the information to data thieves posing as legitimate businesspeople.

You can buy database-monitoring systems, extrusion-prevention systems and disk-encryption software to seal some leaks, but they're all point solutions with their own weaknesses. And businesses are reluctant to slap significant controls on data because the controls often hamper legitimate, revenue-generating use of information.

There's no easy solution, but by now companies should have plenty of motivation. If bad publicity or multimillion dollar fines aren't enough, how about the sight of Congress demanding the head of the Veterans Affairs chief administrator to appease an outraged public? The problem isn't pretty, but doing nothing about it is downright ugly.