Here we go again . . . here is an article from ZDNet … NY Bank ‘loses’ 4.5M unencrypted customer records.
And talk about timing – as I was reading that article, Jennifer Stoddart, Privacy Commissioner of Canada, was on BNN TV talking about data loss. She was to the point and articulate and I really enjoyed listening to her. (NOTE: they are fast over at BNN.ca but the clip hasn’t been posted online yet as I write this. But it will be later – check it out!)
At the heart of it all was unencrypted data lost over and over again in the same fashion, for the same reasons. The example she gave was of data downloaded to a notebook PC, and then the computer would be stolen out of the car it was left in. It seemed to me that Ms. Stoddart said something about hearing this story over and over again. (I’ve seen computers with confidential corporate data on the hard drives stolen right out of offices.) When asked why companies didn’t apply appropriate security to their data, she replied that it was based on cost. As an example she told us about TJX and how an investigation has determined that it had been decided by the TJX executives to not implement tighter security prior to the incident because it would cost too much and would affect their profit. Or words to that effect. It’s all about risk management: TJX gambled – and lost. (Don’t get me wrong, I shop at one of their stores and I really enjoy it – they have some great stuff that you can’t get anywhere else. And by the way, I never use my credit card.)
But I’ve been there too and I quote… “Keeping all data on protected servers is just not in the budget! It’s just too inconvenient to not be able to take my data home (or to a conference or a vacation or wherever) and work on it. I burn everything to CDs – it’s my backup in case the IT department misplaces it (or) I delete it by accident!”
Is this a good case for ‘cloud computing’? If data lives somewhere other than a local hard drive, is it safer? What about 8Gb USB memory sticks? Should the IT departments fill up USB ports with epoxy as part of their standard desktop configurations? The bank mentioned in the ZDNet article lost their data backup tape – should they ship their tapes with armed guards like they do with money?
I used to read this site all of the time but I got tired of seeing the same things over and over . . . but I still wander by once in a while just in case my name might be on one of the data breaches they report on.