
EDITORIAL: Data Insecurity: Nation Needs Better Standards, Laws to Protect Personal Information

Posted on: Monday, 26 June 2006, 12:00 CDT

By The Columbus Dispatch, Ohio

Jun. 26--If an organization negligently fails to protect people's personal data, it is just as culpable as the thief who took it. But current laws don't recognize that.

Ohio University, plagued by one security lapse after another, likely is ruing that day in 2002 when it ignored a student who hacked into the school's computer systems to make a point.

Jeremy Valeda was trying to prove to the Student Senate that OU's computer systems were not secure enough to handle online student voting. He easily fetched Social Security numbers, grades and tuition information of the Senate board members.

School officials punished Valeda, but they failed to plug holes in the network. Former Provost Stephen Kopp made computer security an issue in 2003, but that went nowhere after he left OU.

Meanwhile, much of the budget surplus for the Computer and Network Services department went to employee perks, including health-club memberships.

OU President Roderick McDavis is expressing the proper amount of anger and contrition over the fact that hackers were able to steal 173,000 Social Security numbers and 60,000 detailed medical records of students and alumni.

OU accordingly has taken responsibility. Last week, it suspended two employees in charge of information technology. Also, a technology-consulting firm completed an audit to determine how hackers got into the systems.

But other organizations unfortunately aren't so concerned. Lax record storage and misuse of Social Security numbers are too common these days. The Identity Theft Resource Center estimated that in 2005, the information of 56.2 million Americans was compromised in more than 100 incidents, setting those people up for identity theft.

Federal or state law should require nonprofit organizations, data brokers, government agencies and businesses to tighten security and assist the people they've left vulnerable.

Retailers have more incentive to be careful and voluntarily take steps to help customers sort out identity thefts, if they hope to keep them as customers.

But free-market pressure doesn't work on data brokers, which are companies that compile and sell people's personal information.

Nor does it apply with much force to nonprofit groups.

Existing federal and state data-protection laws dance around the liability issue. Laws either apply to specific industries, such as health-care providers and financial institutions, or address only the storage and disposal of credit reports obtained by organizations and businesses.

Many states force companies with security breaches to alert the people who are affected, so they can flag their credit and begin to make repairs.

But victims basically are on their own.

To fix that huge loophole in this Information Age, the nation needs to adopt best-practices standards for all businesses, organizations and institutions that collect, store and dispose of records, however they were obtained and in whatever form they exist. The standards should address what information is kept, how long it is kept, where it is stored, what type of network protections are enough to ensure reasonable security and how records are disposed of.

Nothing will stop all thieves, but at least businesses and organizations need to demonstrate that they tried. With written standards, businesses can't simply say, "Oops!" when a lapse occurs.

A law that would place sufficient penalties, such as fines, on groups that failed to help Americans protect their identities would bring better security to computer systems. Without such laws, identity-theft victims might begin turning to this nation's expensive and unproductive litigation system in an attempt to seek some compensation for their losses.

-----

Copyright (c) 2006, The Columbus Dispatch, Ohio

Distributed by Knight Ridder/Tribune Business News.

For reprints, email tmsreprints@permissionsgroup.com, call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.


Source: The Columbus Dispatch, Ohio
