Lets Demand Names in

By Lisa Vaas  |  Posted 2007-10-04 Print this article Print

Data Fumbles"> Connecticut recently announced it will sue Accenture for negligence after a backup tape with confidential information of Connecticut residents and agencies was stolen from a car belonging to an intern working for the CIO of Ohio. Sound like a disconnected trail? Specifically, Attorney General Richard Blumenthal said in a Sept. 19 press release that his office is suing the IT consultancy and outsourcer due to "illegal negligence, unauthorized use of state property and breach of contract"—not because the tape was stolen, given that it was out of Accentures hands, but because the Connecticut information had been moved without permission from a Connecticut computer and transferred to an Ohio computer and thus wound up on an Ohio backup tape. The tape was stolen from the interns car back in June, with the result being the loss and potential exposure of 58 state taxpayers and hundreds of purchasing cards and state bank accounts worth millions of dollars.
Accenture has admitted that its employee or employees didnt follow the companys privacy and security policies. Quite simply, the firm didnt have Connecticuts permission to share the information, but nonetheless allowed it to be copied onto the Ohio tape.
Thats well and good—Accenture is singing its mea culpa, as it should. The firm is also promising to persist in "impress[ing] on [employees] the importance of following our policies." Why bludgeoning employees over the head with security policies they apparently ignore will work post-breach when it didnt pre-breach is a mystery to me, but who knows, perhaps Accenture will succeed in working out more effective mind control than the many companies whose employees run around with laptops dangling out of car trunks. Click here to read more about the TJX data breach. And kudos to Connecticut, as well. This is how these endless data breach stories should work but so often do not: A vendor screws up, leading to a security breach that exposes sensitive information. Then somebody somewhere down the line demands to know why it happened, whos responsible, and what they intend to do about ameliorating security procedures and/or lack of adherence to those policies. Then—and heres the piece thats usually missing—they go so far as to publicly out the irresponsible party and even press charges. And thus justice is served, we all know which companies cant even follow their own security policies, we avoid them like the plague and slowly we rise from the muck and evolve to a more secure world, at least in theory. Its easy to compare last weeks data breach at the Gap unfavorably with this Connecticut story. On Sept. 28, the clothing retailer announced that a laptop with the personal information of some 800,000 job applicants had been stolen from the offices of a third-party vendor that Gap declined to identify. A colleague, Executive Editor Michael Hickins, demanded accountability in a recent blog posting, asking why the Gap is protecting the vendor by refusing, thus far, to identify it. "If customers wont hold their vendors feet to the fire for such activity, when will this kind of breach ever cease?" he asked. That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and its providing credit reporting services to those affected for up to a year, at what surely must be a significant cost—particularly galling, given that the vendor broke the terms of an agreement that the information that wound up stolen be encrypted. Page 2: Lets Demand Names in Data Fumbles

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel