Lets Demand Names in
Data Fumbles”> Connecticut recently announced it will sue Accenture for negligence after a backup tape with confidential information of Connecticut residents and agencies was stolen from a car belonging to an intern working for the CIO of Ohio.
Sound like a disconnected trail?
Specifically, Attorney General Richard Blumenthal said in a Sept. 19 press release that his office is suing the IT consultancy and outsourcer due to “illegal negligence, unauthorized use of state property and breach of contract”—not because the tape was stolen, given that it was out of Accentures hands, but because the Connecticut information had been moved without permission from a Connecticut computer and transferred to an Ohio computer and thus wound up on an Ohio backup tape. The tape was stolen from the interns car back in June, with the result being the loss and potential exposure of 58 state taxpayers and hundreds of purchasing cards and state bank accounts worth millions of dollars.
Accenture has admitted that its employee or employees didnt follow the companys privacy and security policies. Quite simply, the firm didnt have Connecticuts permission to share the information, but nonetheless allowed it to be copied onto the Ohio tape.
Thats well and good—Accenture is singing its mea culpa, as it should. The firm is also promising to persist in “impress[ing] on [employees] the importance of following our policies.” Why bludgeoning employees over the head with security policies they apparently ignore will work post-breach when it didnt pre-breach is a mystery to me, but who knows, perhaps Accenture will succeed in working out more effective mind control than the many companies whose employees run around with laptops dangling out of car trunks.
Click here to read more about the TJX data breach.
And kudos to Connecticut, as well. This is how these endless data breach stories should work but so often do not: A vendor screws up, leading to a security breach that exposes sensitive information. Then somebody somewhere down the line demands to know why it happened, whos responsible, and what they intend to do about ameliorating security procedures and/or lack of adherence to those policies. Then—and heres the piece thats usually missing—they go so far as to publicly out the irresponsible party and even press charges. And thus justice is served, we all know which companies cant even follow their own security policies, we avoid them like the plague and slowly we rise from the muck and evolve to a more secure world, at least in theory.
Its easy to compare last weeks data breach at the Gap unfavorably with this Connecticut story. On Sept. 28, the clothing retailer announced that a laptop with the personal information of some 800,000 job applicants had been stolen from the offices of a third-party vendor that Gap declined to identify.
A colleague, Executive Editor Michael Hickins, demanded accountability in a recent blog posting, asking why the Gap is protecting the vendor by refusing, thus far, to identify it. “If customers wont hold their vendors feet to the fire for such activity, when will this kind of breach ever cease?” he asked.
That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and its providing credit reporting services to those affected for up to a year, at what surely must be a significant cost—particularly galling, given that the vendor broke the terms of an agreement that the information that wound up stolen be encrypted.
Page 2: Lets Demand Names in Data Fumbles
Lets Demand Names in
Data Fumbles”>
Of course, we cant expect immediate accountability and retribution. The Gap only disclosed this breach last week, after all, and its now got its hands full just notifying the affected job applicants, investigating what happened and taking steps to ensure it doesnt happen again. Those are all top priorities.
But when the dust settles, I fervently hope for a few things: First, I hope the Gap publicly discloses the vendor responsible for the shoddy handling of sensitive data that led to this unnecessary debacle. Not that public shaming is a guaranteed punishment or disincentive to further bungling, mind you. As RSnake—aka hacker Robert Hansen—noted in a posting Oct. 3, theres “no evidence whatsoever” that TJX, for example, suffered following its own massive data breach. “If you look at the TJMaxx 1 year stock chart not only did they recover from the huge security breach in Feb, but theyre actually up!” he wrote. “Clearly, the consumers and the investment community has decided to overlook their issues. Strange.”
Perhaps consumers are willing to overlook TJXs security glitches. They dont think twice when handing over a credit card in a store thats inadvertently allowed their information to be handed over to thieves, evidently. But its another matter entirely when youre talking about an organization entrusting its sensitive information to a third party. Public shaming at the corporate level will carry much more weight when it comes down to sitting over the conference room table to talk about a vendors track record with security breaches.
So yes, public outing in the case of the Gaps vendor is one hope. Another hope is that the chain of culpability in the Ohio case reaches far and wide enough. After all, it was acceptable at some level, officially or not, that the Ohio CIOs office was sending a backup tape home with a different person—read, interns—every night.
Emerging Chaos blogger Adam had some great takeaways on this: First, build your projects with new data, instead of reusing templates that can have leftover data still clinging to them, such as what apparently happened with Connecticut data left over in a template for an Ohio project. Second, Outsourcers “are likely to cut corners in ways they dont think youll catch,” he wrote. Third, supervise interns.
And as far as overall response to data breaches goes, Id say a good takeaway is lets hold everybody responsible, reaching as far along the chain of culpability as possible.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.