Wednesday, November 7, 2007

Britain mulling "random" audits to enhance data protection

Britain's House of Lords recently issued a report on Internet security, urging the Government to examine “as a matter of urgency” that country's laws regarding standards of data protection as they apply to businesses. The report says current laws on the books don't have enough teeth; it says the government should have the authority to conduct “random audits of the security measures in place in businesses and other organisations holding personal data.”

Wow. Imagine the uproar that would erupt here in the United States, if anyone introduced legislation suggesting the government could randomly check to see if businesses are keeping their data safe. Granted, most states have laws that mandate public disclosure in the event of a data breach, and Minnesota has passed a law that makes offending businesses responsible for the cost of remediation. But these laws are designed to address post-breach actions; they don’t enable the government to check prior to any incident.

At what point, however, does the public become so fed up, so wary of doing business with companies that apparently treat data in a seemingly cavalier manner, that Congress passes such a law as recommended by the House of Lords' report?

We must police ourselves to keep secure data controlled. We must ensure that private information remains private, regardless of where it ends up…on or off the network. And we must train our people to continuously implement the policies we’ve developed; technology is a part of that equation, of course, but only part.

If we don’t, we run the risk of falling prey to those who would take advantage of us. And we run the risk of having irate lawmakers, driven by irate constituents, implement new (and onerous) rules that make it far more difficult for us to conduct business. We fail to control the data entrusted to us at our own risk.
