What will it take to get businesses to care about your privacy?

9:54 am on September 12, 2008 | By Meghan Whelan | In data breach, information security, risk management, security policy

In a recent blog post on WSJ.com, Why All the Data Breaches? Businesses Just Don’t Care, Bruce Schneier, chief security technology officer at BT Group, weighed in on the staggering number of data breaches we’ve seen this year. “For the most part a company doesn’t lose its data, they lose your data,” Schneier said. The victims of the breach, Schneier went on to say in his interview, “are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause.”

Indeed, the legal precedents in this type of case support Schneier’s statement. In recent years, several class action suits have been brought against companies that lost consumer data. According to The New York Law Journal, in Randolph v. ING Life Insurance & Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING after the company announced the theft, from an employee’s home, of a laptop containing the personal information of 13,000 government workers and retirees. In Guin v. Brazos Higher Education Service Corporation Inc., the plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information on 550,000 customers.

In both cases the court ruled for the defendant, holding that the plaintiff “proved no actual damages and, thus, no ‘recognized injury.’”

But is this reason enough for companies to simply ignore the security controls that protect consumer data? And do you really think consumers suffered no “recognized injury” in learning that their Social Security numbers and other private information were in the hands of criminals? Anyone who has been the victim of identity theft will probably tell you it is not something you just “move on” from. The effects can last for years.

“Schneier says that what is happening in the tech-security world is a market failure similar in nature to what has happened with global warming: There is a problem that everyone is contributing to, but individual businesses don’t have a reason to do anything about it,” according to the WSJ.com article.

In the comments on this post, reader Steve Muck suggests “a better approach is the adoption of national technology standards applied to IT systems and networks designed to safeguard PII. This approach recognizes that human error will always be problematic so why not leverage technology to reduce the likelihood of human error associated with PII handling. As an example and following the Federal Government lead, require encryption of all data used by industry. This action alone will significantly reduce the risk of harm.”

And another reader adds, “It is one thing to impose criminal and civil penalties on businesses, but what do you do with the federal government?”

Indeed. What about the breach at the Veterans Administration that exposed the personal information of millions of American veterans? There is an ongoing case against the VA that could change the precedent. With claims of $1,000 per veteran (or $26.5 billion in total), a settlement in favor of the plaintiffs might very well inspire government–and businesses–to “care.”


Security News Brief: 08-26-08

9:23 am on August 26, 2008 | By Meghan Whelan | In data breach, identity theft, information security, risk management


The Big Security Stall

8:45 am on August 15, 2008 | By Meghan Whelan | In laptop security, risk management, security policy

The PC Data Security Blog offers the opportunity for professionals to post on topics important to those within the IT Security community. This week, Rob Weber, Product Specialist at Beachhead Solutions, brings us this post.

Has your company or organization secured its laptop and desktop data yet? Maybe they have and now they can rest easy. If they have not secured the data yet, the number of reasons and excuses is mind-boggling. Security isn’t sexy, doesn’t increase the productivity of employees, and can be a drain on those charged with implementing the solution. Nobody wants to own the security solution or take on the work it involves, yet it is a necessary evil. Thus it becomes an internal battle in many organizations between the economic buyer / product champion and the IT staff that must implement the solution. The product champion pushes for their chosen solution and the IT staff puts up barriers to the encroachment of their ‘turf’. Why does IT balk? The following reasons are commonly heard:

- IT had little or no say in the selection of the solution
- IT is not staffed properly to manage the solution
- The solution creates more work for the IT staff since the end user experience has changed
- While acknowledging a solution is needed, it just isn’t seen as high on the list of priorities

Whether these reasons are spoken or implied, the solution is blocked using one or more of the following ploys:

- Utopian product requirements are put in place to block any worthwhile solution
- Other, sexier IT initiatives are elevated ahead of the security solution
- Solution inquiries are simply met with radio silence by IT

What could happen to change this behavior? It hasn’t happened yet, but it will soon: a real data loss followed by a real penalty charged to the offending company or organization. As soon as this happens, the world will change. A security solution will be pushed through at many organizations due to fear and anxiety. The fact that the solution is not sexy, not properly staffed, or simply annoying won’t matter anymore. Those will be smaller pain points on the path to fulfilling a company necessity. CEOs will get involved and make it uncomfortable for anyone standing in the way of or delaying a solution. Why? It will be embarrassing to be caught with unsecured data, but more importantly, it may prove to be the end of the company or organization if real penalties are applied.
