Stiffer Fines, Safer Data

Opinion: Playing nice just doesn't get corporations to encrypt data, keep personal information off laptops and keep tabs on who has access to what data.

Enterprises that dont protect customers personal information should be hit in their wallets. Maybe then, lax corporate security practices will improve. How these penalties get levied will be subject to debate, but its becoming apparent that something dramatic needs to happen, and money talks.

How much is personal data worth? The Department of Veterans Affairs is facing two class action suits after personal information on 26.5 million veterans was stolen from an employees home.

Plaintiffs of the larger of the two suits said on June 6 the VA "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform" and are seeking $1,000 in damages for each person listed in the stolen database. Add it up, and thats damages of $26.5 billion. Ouch.

/zimages/2/28571.gifThe Secretary of Veterans Affairs announces new security measures following the theft of personal information on 26.5 million veterans. Click here to read more.

The thrust of the suits is to force the VA to handle veterans personal information properly. "The thousand dollars is there because its available and its a hammer," Douglas Rosinski, the plaintiffs attorney in the larger of the two cases, told eWeek.

However, the suits were filed under the U.S. Privacy Act, which applies financial penalties to data breaches for government agencies but doesnt have any impact on the corporate world. We believe that hammer should be available to victims of corporate data loss without penalty caps.

To understand how information security got to this point, lets examine what so far hasnt prodded enterprises to be more secure: an alphabet soup of regulations, bad press from data breaches and the occasional decline of share prices.

The bottom line: Playing nice just doesnt get corporations to encrypt data, keep personal information off laptops and keep tabs on who has access to what data. In addition to the VAs mishap, the YMCA reported that a laptop containing the customer records of approximately 65,000 individuals was stolen sometime in May.

Further, and auditors at Ernst & Young are warning consumers of an incident that may have exposed the personal data of roughly 243,000 customers of the online travel site.

The data breaches never seem to end. The cure could be financial penalties. One such example came in January. The Federal Trade Commission levied $15 million in fines against ChoicePoint, an aggregator of consumer data whose lax procedures exposed the personal information of 163,000 individuals to fraudsters. While that fine is a decent start, it amounts to only half of ChoicePoints net income for the quarter ended March 31.

Perhaps a better benchmark is the $1,000 per person sought in the VA suits. Under that benchmark, ChoicePoint would have been fined $163 million. Thats a penalty that would hurt—and send a message.

Tell us what you think at

eWeeks Editorial Board consists of Jason Brooks, Larry Dignan, Stan Gibson and Scot Petersen.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.