Are the general public and the press more blasé about companies mishandling the personal data of their employees than they are about the government mishandling that of its citizens?
Fueling this (perhaps loaded) question is my observation that news of a data leak at Chevron has gone largely unreported, as far as I can tell.
Now, I wasn't expecting Google News to be brimming with thousands of articles, nor did I envision citizens gathering torches and pitchforks and storming Chevron headquarters. But the relative silence I've observed left me curious.
Consider, after all, the widespread coverage of the recent data leaks at the U.S. Department of Veterans Affairs. Granted, the VA has suffered more than one embarrassing data leak so far, which has forced it into the public spotlight. Arguably, though, that's been a good thing, because it has resulted in action: the VA's information security officer stepped down, the department has pledged to implement encryption technology, and Unisys, the company responsible for the VA's latest lost laptop, is offering a $50,000 reward for its return.
Do public multinational corporations get a reprieve for substandard security that potentially puts their employees at risk of identity theft? How about smaller chain stores like Williams Sonoma, which reportedly suffered a leak of its own?
Notably, with Chevron, with Williams Sonoma, and at least in the VA's most recent leak, it was partners that had really dropped the ball. In Chevron's case, the stolen laptop was in the care of an independent public accounting firm auditing the company's employee savings, health and disability plans. For the VA, someone at the aforementioned Unisys erred. And for Williams Sonoma, a Deloitte & Touche employee who was performing an audit of the furnishings chain had the laptop stolen from his apartment.
On the one hand, I can understand why there's more public concern over the VA's data leaks. After all, we're supposed to be able to trust the government to protect us, and we pay for that protection with tax dollars. Plus, holes in government security seem more likely to affect you and me than does a security breach at some company we don't run or work at.
But these kinds of leaks represent a growing trend in the business world. The Ponemon Institute and Vontu have come out with a study pointing out that very fact. As these breaches become more pervasive, the chances of one eventually affecting you or me increase. And that should concern you whether you're the CEO who has to field questions from the press and disgruntled stockholders after your organization is sued by a group of employees whose personal data was swiped; whether you're the head of your company's IT security and you're handed your walking papers for letting personal data fall into the hands of criminals; or whether you're the VP of sales, or the assistant marketing director, or just some poor sucker whose personal data got ripped off.
I think it's inevitable that we'll soon see hefty lawsuit settlements against companies that have negligently exposed their employees' SSNs and other personal information. I also think that, eventually, the government is going to intervene and pass legislation that piles hefty fines on companies that don't meet certain standards for guarding that kind of information, à la HIPAA for the medical industry.
In the meantime, though, companies (and government agencies) need to get on the ball. I'm talking about stricter policies restricting what kind of data employees can carry around on laptops, tied to serious consequences for those who don't comply; in every case above, the problem was not a network intrusion but personal data sitting unprotected on a portable machine that walked out the door. I'm talking about implementing technology like encryption of the data at rest on those laptops, which may not be a simple cure-all, but is a step in the right direction. And I am talking about scrutinizing those SLAs with your partner companies, like Unisys and Deloitte & Touche, and being certain they're taking the same measures with your data that you would take yourself, so that they keep your company out of hot water, and out of blog posts like this one.