Firing over data-loss is not enough

Happy New Year!  Guess what hasn't changed? Another f*up took plaintext data home on a portable drive (ok, it happened 12/1/2009, news came out today).

According to this article over at the San Francisco Chronicle, a Kaiser employee took home an external drive filled with unencrypted data.  You know the drill by now - thieves stole the drive, the employee was fired, and data for 15k patients is now in the hands of the bad guys, whether they realize it or not.  It's unfortunate for Kaiser, which usually does a good job of infosec management, but apparently not quite good enough.

It's 2010, I think it's time for a new law:  Anybody who knowingly transports customer information from a workplace in an unencrypted form should be subject to a minimum of 1 year in prison.

I've helped companies write security policies for years, and I've helped try to educate users.  I've done source code audits and told developers that they must encrypt data at rest and in transit.  The BS laws holding executives responsible for data loss are wrong - if I were in a C-level role at a large corporation, I don't know if I could sleep at night knowing that some flunkie might take data home, lose it, and I end up taking the fall.

Fear of being fired just is not severe enough. This person needs to spend a year in state prison thinking about their incompetence, and the fear of a similar fate of bunking with drug dealers and murderers needs to be spread to the rest of the IT community.

(usb thumbnail courtesy of flickr user lrargerich)