Don't confuse the economy with data privacy

This week, the Massachusetts Office of Consumer Affairs and Regulations pushed back the deadline to comply with a new state law mandating encryption of sensitive consumer data. The law, passed in September 2008, was supposed to take effect on January 1, 2008. Instead, the deadline will now be pushed back to May 1.

Why the change? The extension was driven by the current economic crisis in order to give companies a bit more leeway.

OK, I read the papers and see what's going on. Yes, the economy is a mess and it ain't gonna get much better between now and May. While I understand why my state government blinked, I don't like the precedent this sets at all. May I point out that:

1. There were over 300 publicly disclosed breaches last year, according to the Privacy Rights Clearinghouse. These breaches exposed private data of more than 150 million people.

2. The number of malicious code variants is exploding. According to the latest version of the Symantec Internet Security Threat Report, the company identified approximately 74,000 malicious code threats in the second half of 2006, 212,000 threats in the first half of 2007, and nearly 500,000 threats in the second half of 2007.

3. The British National High-Tech Crime Unit estimates that cybercrime costs $4.7 billion per year.

Hey, I get it. Times are tough so we have to prioritize initiatives and cut back where we can. Fine, but it's important that we realize that cyberspace is a dangerous neighborhood and it isn't getting any better. In fact, this situation will only get worse as more IT and security staffers find that December brings pink slips rather than holiday bonuses.

Note to legislators and IT professionals: Delay IT purchases, cancel new projects, outsource some IT operations, but don't cut corners on IT security. If you do, we are all likely to suffer the consequences.

[nicmart]

How private companies encrypt is no business of the government. The greatest threat to every American is access by government agents to personal data.

[Renegade Knight]

How well private companies succeed in keeping sensative data safe is the business of the government. Those same companies naturally disavow any responsiblity to the folks whos data they are holding.

Take a credit beureau. Are they responsible for outright libel and slander when they spread it? Nope. They leave it to the indiviual they are reporting on to help them fix their own mess, when they are in a better position to know what's going on in a case of identity theft. Heck the best you get is to pay them for the service of making sure their own data is accurate.

[Karl914]

Many aspects of corporate operations (public & private) are already regulated by the government. Financial reporting is one small example.

Control of information that can damage the public trust should be a government priority. Commerce in today's markets are largely dependent upon trust. Look at what happened when banks stopped trusting each other enough to loan money to each other. If businesses cannot trust consumers and consumers cannot trust businesses, then the train goes off the track.

Also, If consumers have to worry about their identities being stolen, or damage to their credit, then the adoption of technology-enabled business processes will be slowed or abandoned. This results in increased costs to businesses and damage to their bottom line.

Running a business is a legal commitment, with responsibilities defined by governmental law. As operations become automated, it is natural that regulation is enacted to protect the public and ensure businesses meet their obligations to the government - which uses the taxes collected to provide services that enable the business to exist.

Granted the American government has not been very trustworthy - especially in the last 8 years - but unless you have a better solution to present...

[Karl914]

Jon,

Two points:

1. Privacy is a business problem more than an IT problem.

Before a company can encrypt sensitive data, they must know where their sensitive data is and have processes in place to inventory and track that data. There is no magic program that searches the network, laptops, cell phones, memory sticks and home computers used by employees of a company to find, encrypt and enforce company policy related to sensitive data.

The majority of businesses have no clue about where sensitive data is stored, processed or transmitted. Stating this as an IT problem sets IT personnel up to take the fall when a breach occurs (and it will).

2. If businesses in MA get a pass because times are tough, they may be waiting a long time before they get better. In the meantime, many disgruntled employees who feel cheated because they either lose or fear losing their jobs have access to sensitive information that would have been encrypted had the law been enforced.

Delaying enforcement gives people with the means and motive the opportunity to cause harm to consumers who did nothing but trust MA businesses with their information.

I guess George Bush's legacy of stupid political decisions that enable businesses to shirk their responsibility to the American people is still alive and well.

[Dalkorian]

Bingo - my guess is that legacy won't die until sometime late in January.

[Louise_V]

Great point - Don't cut costs on IT security! Unfortunately, it sometimes takes $4.7 billion a year to realize how important IT security is.
During difficult economic times, security may be a low priority for some since it seems to hurt the pocket. But what needs to be addressed is that security can be directly associated with economic loss, breaches and good standing.
As difficult as it may be to fathom, there are cost effective ways to maintain security online: http://www.passpack.com

I am a blogger for Passpack and I am always trying to help people understand that there ARE easy ways to completely secure your confidential data online.
In times like this, it's worth it.
Louise

[skswave]

For any consultant, Small business owner, or individual with a concern about encrypted data the easiest solution today to protect your machine in case of Loss is to buy a new dell PC with an encrypted drive. These PCs come with software preintalled that will manage the Seagate Full Disk Encrypting drive. It will not degrade performance as many of the software encryption solutions do. It provides world class protection of the machine in the case of loss. It takes only 2-3 minutes to set-up and it is factory installed. Dell is leading the security market with this solution and offers any business in Mass a simple and easy to deploy solution.

Steven Sprague
CEO
Wave Systems Corp.
Typed on a Dell D630 PC protected by a Seagate FDE drive and Embassy Trusted Drive Manager

[StretchCunningham]

Thats great. But If its so easy how come nobody is using it? Are the federal goverment or state goverments using it? Big companies that have our data? I have not heard of any.

What's the catch. You say it's easy and fast.