From the “Something must be done about this” Department: The problem of companies being sloppy with your personal data was a big issue in 2005 and this year will become even more visible.

The last big d’oh in this area came to light on December 27th when Marriott International Inc.’s time-share division admitted that it had no idea where backup tapes containing credit card account information and Social Security numbers of about 206,000 time-share owners, customers, and company employees had gone. And when I say Marriott had no idea, I mean they didn’t know whether the tapes, which went AWOL sometime in mid-November, were stolen or lost! Since then it seems Marriott has got a little nearer to the truth — according to a TechTarget article it now appears that it was an internal loss or internal theft.

Of course Marriott isn’t the only company goofing in this way … According to various reports in the Washington Post and elsewhere there were at least 134 data breaches affecting more than 57 million people (Identity Theft Resource Center) and 10 million cases of identity theft a year, with total losses of $53 billion (PrivacyToday.com).

So, what to do? Fidelis Security Systems has just put forward a proposal in a new white paper (you can get it from their Web site) that recommends that federal legislation on the privacy of personal data should focus on three “core principles”:

• Clear, Uniform and Comprehensive Application
• Use of Current Best Practices
• Vigorous Enforcement and Substantial Penalties

The first point is very important as there are too many laws that make corporate compliance not only too complicated but too expensive as well. Whenever hurdles like that exist the result will be companies taking shortcuts and making mistakes.

This leads directly into the second point: Without laws that are unequivocal and can be applied consistently and systematically it is impossible to establish a reasonable set of “best practices” that can be used to verify compliance.

Finally, “vigorous enforcement and substantial penalties” can only exist when the first two criteria are met and even then there needs to be the political will to make it happen.

The problem is that too many companies see ensuring customer data privacy as an unnecessary cost rather than an intrinsic and inescapable component of doing business. With serious federal laws that have teeth and are taken seriously by government and business, an environment would be created in which snafus like Marriott’s would be extremely rare and, in the cases where they did happen, serious and dangerous for management to ignore.