Make Data Losers Pay

September 4th, 2011 by Harrumpher Leave a reply »

It’s anxiety-making easy to find stories of lost and stolen personal data and intellectual property.

OK, boys and girls, one of the latest high-tech clumsiness was a repeat of an Apple employee losing the proprietary prototype of the next generation iPhone, maybe in a bar. This happened to Apple before.

Then there was the BP employee on a business trip who lost a laptop holding a spreadsheet with personal data from 13,000 oil-spill claimants. A wrap-up article includes citations of NJ BC/BS stolen laptop with data from 300,000 customers, another was the GAP losing 800,000 job applicants’ data, a hacker grabbing key SS and financial data from 226,000 customers of the Davidson Companies, and the Veterans Administration’s stolen laptop with data from 26.5 million current and past U.S. military members.

We all know how government agencies, retailers, financial institutions and even utilities demand personal data to get services and goods.They assure us both that they won’t sell our stuff — emails, phones, addresses, Social Security numbers, bank accounts ID and on and one — but we have to reveal all and (ta da) trust them.

It’s increasingly plain that we should not trust them. They have neither the technology systems nor the training in place to keep our data safe. They first rely on nothing or password systems that millions of kids among others could hack. They allow absurd amounts of complete data sets out at a time on single hard drives. Far too many move thousands or millions of sets of actionable data onto laptop hard drives, which every bozo and bozoette in the company can leave with for whatever honorable or nefarious purpose, or lose on an airplane, in a cab or at a bar. And they do.

lockedlapNearly all of the many, many cases of data exposure are human errors, both of the employees who lose the computers and other objects, and the systems people and managers who set up the safeguards. Their heads should roll. The companies and agencies should pay heavy enough fines and open disgrace that they change their ways. Applying magical thinking to data security is totally inadequate.

Think this is like using the term accident to account for inattentive or reckless driving that brings maiming or death. Sure the cops, prosecutors and judges can identify (there but for fortune…), but that is wrong, often fatally wrong, thinking. Some missteps definitely deserve punishment and prevention.

The humanity defense is not a solid one here. Nor is it in most places used. Consider how to apply, “It’s only human to…” Yeah, it’s human to take your eyes off the road, to lose things in a restaurant or bar when you’ve been drinking, to walk off an airplane totally forgetting expensive and essential goods, and for that matter, to lie, cheat, steal, rape or any of a large number of crimes and offenses you think you might get away with when no one’s paying close attention.

Actually many of our laws specifically call out human frailties. Because something valuable is not being guarded at a moment doesn’t make it up for grabs, for example.

For the deterrent factor, clamping down criminally and civilly on the schmo who puts large numbers of us at risk for direct stealing or ID theft should start immediately. One strike and you’re out. It should also cost the company a lot more than one-year subscriptions to credit-card watching services.

Yet because they’re good at protecting themselves, if not you, the managers will be harder. The facts are that lazy or dull-witted IT types and corporate managers who make security policy are culpable. Allowing huge chunks of key data affecting thousands or millions of human beings to flow out of control is asinine.

I suspect that much of the laptop-based losses fall back on that old employees-are-lazy syndrome that affects so many so-so managers. The conceit starts with a belief that if only those shiftless employees would put in anywhere near the effort and production that the sainted managers did, the company would be at least twice as wealthy. Even when measurable productivity soars beyond other countries’ and financial troubles can easily be traced to short-term management thinking, that’s the pretense. It’s delusional and destructive.

A common corollary is that employees will only do a decent amount of work if they always have to be on. Going to a distant customer or for a conference? Well then, be sure the carry a laptop with all possible applications and data you might conceivably need. Work in the airport. Work on the airplane. Work in the hotel. Work over dinner. Work. Work. Work.

The filthy secret is that what is human is overload. That leads to inefficiency of thought and output. That leads to fatigue and concomitant errors. That leads to oversights and mistakes as we try to pretend that there is no end to our multi-tasking abilities. Top being tired with a couple of drinks and, now did you leave that damned laptop in the booth?!

For managers:

  • Security policies don’t work well enough and need to be more thoroughly thought out and tested.
  • No sensitive data should leave the building without a lot better reason than it just might come in handy while you’re traveling.
  • Encryption, password and other software-based security has to be harder, even it’s inconvenient for employees short term.
  • Any data breach has to be analyzed to death, from management and IT aspects as well as the obvious employee possession ones.
  • Databases that travel should be neutered, that is separated from Social Security number and the like so that a lost or stolen hard drive is useless to others; they can be merged when the employee returns, to reflect any changes.
  • Those responsible for putting customers at risk need punishment fitting their involved incompetence.

Sorry, kiddies, it’s only human doesn’t cut…whether you’re drunk driving, drunk laptop toting, or half thinking security policies and procedures.

Share
Advertisement

Leave a Reply