Lets Demand Names in
Data Fumbles"> Connecticut recently announced it will sue Accenture for negligence after a backup tape with confidential information of Connecticut residents and agencies was stolen from a car belonging to an intern working for the CIO of Ohio. Sound like a disconnected trail? Specifically, Attorney General Richard Blumenthal said in a Sept. 19 press release that his office is suing the IT consultancy and outsourcer due to "illegal negligence, unauthorized use of state property and breach of contract"not because the tape was stolen, given that it was out of Accentures hands, but because the Connecticut information had been moved without permission from a Connecticut computer and transferred to an Ohio computer and thus wound up on an Ohio backup tape. The tape was stolen from the interns car back in June, with the result being the loss and potential exposure of 58 state taxpayers and hundreds of purchasing cards and state bank accounts worth millions of dollars.Thats well and goodAccenture is singing its mea culpa, as it should. The firm is also promising to persist in "impress[ing] on [employees] the importance of following our policies." Why bludgeoning employees over the head with security policies they apparently ignore will work post-breach when it didnt pre-breach is a mystery to me, but who knows, perhaps Accenture will succeed in working out more effective mind control than the many companies whose employees run around with laptops dangling out of car trunks. Click here to read more about the TJX data breach. And kudos to Connecticut, as well. This is how these endless data breach stories should work but so often do not: A vendor screws up, leading to a security breach that exposes sensitive information. Then somebody somewhere down the line demands to know why it happened, whos responsible, and what they intend to do about ameliorating security procedures and/or lack of adherence to those policies. Thenand heres the piece thats usually missingthey go so far as to publicly out the irresponsible party and even press charges. And thus justice is served, we all know which companies cant even follow their own security policies, we avoid them like the plague and slowly we rise from the muck and evolve to a more secure world, at least in theory. Its easy to compare last weeks data breach at the Gap unfavorably with this Connecticut story. On Sept. 28, the clothing retailer announced that a laptop with the personal information of some 800,000 job applicants had been stolen from the offices of a third-party vendor that Gap declined to identify. A colleague, Executive Editor Michael Hickins, demanded accountability in a recent blog posting, asking why the Gap is protecting the vendor by refusing, thus far, to identify it. "If customers wont hold their vendors feet to the fire for such activity, when will this kind of breach ever cease?" he asked. That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and its providing credit reporting services to those affected for up to a year, at what surely must be a significant costparticularly galling, given that the vendor broke the terms of an agreement that the information that wound up stolen be encrypted. Page 2: Lets Demand Names in Data Fumbles
Accenture has admitted that its employee or employees didnt follow the companys privacy and security policies. Quite simply, the firm didnt have Connecticuts permission to share the information, but nonetheless allowed it to be copied onto the Ohio tape.