An interesting editorial in today's InformationWeek mailing concerning
the topic of lax data security.
InformationWeek Daily Newsletter
Tuesday, March 28, 2006
1. Editor's Note: Data Security: Out To Lunch, Er, Dinner
It was just last week that InformationWeek published the
latest exhaustive analysis of what's emerging as the IT story
of the first decade of this century: complete corporate and
government ineptitude when it comes to managing sensitive

It didn't take long for another company--Fidelity Investments--to
get a black eye for mishandling a laptop containing personal
information on 196,000 current and former employees of
Hewlett-Packard. Lest you think some poor unsuspecting Fidelity
employee was robbed of the laptop at gunpoint, or had their home
forcibly broken into and the laptop stolen, think again.

The employee in question left the laptop in a rental car while
having a three-hour dinner with colleagues, according to a story
in the Wall Street Journal [subscription required] that included
details from a police report. At some point in the evening, the
vehicle's keys were given to a colleague to retrieve an item from
the vehicle ("Here, take my keys, don't worry about the 200,000
customer names sitting unprotected in the car..."). The colleague,
it seems, left the vehicle unlocked, and the laptop went missing.
It was just one of 65 laptops reported stolen from restaurant
parking lots in Palo Alto, Calif., in the last 15 months.

A Fidelity spokesperson said the company takes information
security "very seriously" (can't you tell?) and that company
policy wasn't followed. Such mealy-mouthed excuses grow
increasingly tired with each of the 130-plus data breaches since
early 2005. Because companies can't seem to institute policies or
adequate technical safeguards, here are a few suggestions for
ensuring your company doesn't let incompetent third parties or
its own employees mishandle its data:

* Oftentimes, it's an outside data handler that's the cause of
the problem. In this case, the data handler forced HP to deal
with any and all issues affecting the 196,000 current and former
employees. One can only imagine the potential for lost
productivity at HP as employees figure out if their identity has
been stolen. That alone is enough to fire Fidelity, just as any
company that's the victim in such a case should consider doing if
a third party loses their data. While you're at it, fire
knuckleheaded employees that traipse around with reams of data
about their customers. If corporate policy doesn't explicitly
forbid such behavior, fire the corporate policy department.

* Companies should demand documented policies, procedures, and
safeguards from any vendor handling sensitive data on their
behalf. Ongoing audits should be used to verify compliance.
Failure to maintain compliance should result in stiff financial
penalties up to and including termination of a business

* Do away, once and for all, with the practice of storing
sensitive or private data on laptop computers, which by their
very definition are intended to be transported and are therefore
vulnerable to theft. There may be a completely valid reason that
one person needs to have personal data on 196,000 customers on
their laptop, but I doubt it.

HP was just one of three incidents last week (see the
comprehensive list since 2005 here
and more gory details here),
and more may be in the offing.

Our friends in the federal government--not exactly a bastion of
personal data protection--are at it again.
The Government Accountability Office says the IRS' IT security
weaknesses "increase the risk that sensitive financial and taxpayer
data will be inadequately protected against disclosure, modification,
or loss, possibly without detection." Oh boy.

I've shared my recommendations on what companies need to do,
mostly by putting the screws to their vendors, to protect
themselves and their employee and customer data. What do you
think needs to happen next? Please weigh in at my blog entry.

Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)