September 22, 2006

Financial Liability

As much as I hate increased regulation insofar as computing is concerned, I think it's high time that firms and governmental agencies who collect sensitive personal and financial data should be held strictly liable for the loss or compromise of that data. It seems obvious that the companies and agencies involved aren't going to deal with it any other way.

For instance, within the last 5 years, the Commerce Department alone has lost over 1100 laptops. This doesn't count that wonderfully egregious loss on the part of the Veteran Affairs Department in May, nor does it account for laptops acknowledged to have contained sensitive files lost by the Agriculture, Defense, Education, Energy, Health and Human Services, and Transportation Departments. And this is just the government which, while worse than the private sector in terms of oversight, is probably accounting for less than half of the data leaks.

Look, this isn't rocket science. Institute a policy where sensitive data can't leave the office unencrypted and include auditing and enforcement. Set up a secure server and a VPN for those who regularly need to get sensitive data from abroad... but whatever you do, quit letting employees put spreadsheets of thousands of incredibly sensitive records on their laptops and dragging them home.

Now, it should be noted that I'd also question the oversight and viability of any organization where, on average, over 230 laptops are either stolen or lost every year. By the Commerce Department's estimates, there were roughly 30,000 laptops in use by the department over the last 5 years. By the numbers, just over 1 out of every 30 laptops appropriated to the Commerce Department was either lost or stolen. Hopefully other departments and organizations have slightly better mechanisms in place... but just in case the government and private industry haven't got the security of the customer first in their mind (*gasp* such a supposition), let's make them liable for these breaches of security.

Posted by Vengeful Cynic at September 22, 2006 09:37 AM