Sunday, September 03, 2006

On the poor state of data security

The recent rash of data thefts in government, business, and education alongside AOL's data privacy meltdown demonstrate the lack of effective data privacy protection in the United States.

Two new reports from the Michigan-based Ponemon Institute indicate that the situation is indeed dire. The report commissioned by Vontu indicates that companies may not even know if they have lost data.
81% of respondents report that their organizations have experienced one or more lost or missing laptop computers containing sensitive or confidential business information in the past 12 month period...When asked how long it would take to determine what actual sensitive data was on a lost or stolen laptop, desktop, file server, or mobile device, the most frequent answer was “never”...On average, 64% of respondents admit that their companies have never conducted a data inventory to determine the location of customer or employee information contained in various data stores. |Vontu|
The report commissioned by PortAuthority indicates that many information technology professionals feel that lax managerial practices make it difficult (if not impossible) to secure customer and employee data on corporate networks.
More than 41% of respondents believe their organization is not effective at enforcing compliance with their organizations’ data protection policies and procedures. Many respondents believe that their organizations do not have the right leadership structure or enough resources to properly enforce compliance with required internal control procedures. Another contributing factor appears to be the fragmented use of portable storage technologies such as memory sticks that allow individuals to completely bypass enterprise-level control systems. |PortAuthority|
Numerous bills have been introduced in Congress this year that would require notification of consumers if their data were stolen, including the Notification of Risk to Personal Data Act (HR 1069), the Comprehensive Veterans' Data Protection and Identity Theft Prevention Act of 2006 (HR 5588), the Veterans Identity and Credit Security Act of 2006 (HR 5467), the Federal Agency Data Breach Notification Act (HR 5838), the Privacy Rights and OversighT for Electronic and Commercial Transactions Act of 2006 (PROTECT) (S 3713), the [less stringent] Data Accountability and Trust Act (DATA) (HR 3997), the [more stringent] Data Accountability and Trust Act (DATA) (HR 4127), and the Consumer Notification and Financial Data Protection Act of 2005 (HR 3374).

Some privacy advocates feel a state approach is superior to a federal one.
Many of the notification bills in Congress would be weaker than some of the state laws already passed [according to Georgetown Law Professor and privacy expert Daniel Solove]. State laws in California and New York, for example, require notification any time there’s been a breach of unencrypted data and don’t allow companies to decide whether there’s a significant risk. Solove would rather see those state laws stand than see a national breach notification bill pass, he said. Most of the congressional bills are “not very stringent,” he said. “The state innovations here are really good.” |MacWorld|

However, there are reasonable counter-arguments for a systematic federal approach. While requiring notification of data breaches is a step in the right direction, the more difficult task is to establish and enforce standards for managing and controlling data.

Data breach notification laws assume that companies can detect the loss of personal data in the first place and can then determine whether the lost data contained personally identifiable information. The Ponemon Institute's reports highlight significant deficiencies in both respects across industry and government: most organizations surveyed have never inventoried where customer and employee data lives, so the honest answer to "what was on that laptop?" is often "we will never know."
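The gap the paragraph above points at, knowing what was on a device before it goes missing, is what a data inventory closes. The following is an added example, not code from the original post or from either Ponemon report: a small Python scanner that walks a directory tree, flags files containing SSN-shaped strings and Luhn-valid payment-card numbers, and returns a per-file inventory that could be kept for each laptop or file server. The regular expressions, the sample files and the directory layout are constructed for the illustration and are assumptions, not anything the reports describe.

```python
"""Minimal PII data-inventory scanner (added example, not from the original post)."""
import os
import re
import tempfile

# Assumed patterns for illustration only.
# US SSN: area 000, 666 and 900-999 are never issued, group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped strings in one file's text."""
    hits = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for match in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", match)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    return hits


def inventory(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk root and return {relative_path: {"ssn": n, "card": n}} for files with hits.

    Only the first max_bytes of each file are read; unreadable files are skipped,
    which an operational scanner would log rather than silently ignore.
    """
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            hits = classify(data.decode("utf-8", errors="ignore"))
            if any(hits.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = hits
    return found


# Constructed sample data: one real-looking SSN, one unissued one (area 987),
# one Luhn-valid test card number, one that fails Luhn, and a long digit run that
# is not a card. None of this is taken from the reports quoted in the post.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nJ. Doe,123-45-6789\nK. Roe,987-65-4321\n",
    "finance/orders.txt": "card 4111 1111 1111 1111 approved\n"
                          "card 4111-1111-1111-1112 declined\n",
    "notes/readme.txt": "build 20060903, ticket 1234567890123 (not a card)\n",
}


def demo() -> dict:
    """Write the constructed sample files to a temporary tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return inventory(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {hits}")
```

The Luhn check matters in practice: without it, every 13-to-19-digit identifier (ticket numbers, tracking numbers, hashes rendered in decimal) shows up as a "card", and the inventory becomes noise that nobody maintains. A real deployment would also record the scan time and a file hash, since the question after a loss is what the device held on the day it disappeared, not what it holds now.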

The more stringent version of the Data Accountability and Trust Act (HR 4127) at least addresses these concerns about preventing data thefts, but recent reports indicate Congress is leaning towards the less comprehensive alternative (HR 3997).

If organizations are unable or unwilling to protect confidential citizen data, they should not be allowed to warehouse the data in the first place.
