Data breaches. The number of reported data breaches involving sensitive private information at organizations and companies is growing at an alarming pace. I click the refresh button for my RSS news feed if it doesn’t flash a data breach story at some point during the day. I haven’t had to manually “refresh” much lately though, have I? There is an abundance of data security stories not just in the IT trade magazines and on IT-focused web sites, but also in mainstream media outlets. It’s front page news read by millions of people, many of whom aren’t knowledgeable or concerned with much of the general happenings of corporate IT. But I feel compelled to chime in with my two cents anyway, even though there are plenty of stories and opinions already posted on the topic.

My take is a little different though. I view the reports of data breaches at government offices, schools, banks and corporations as a good sign. That’s right; I said it’s a good sign there are so many reported data breaches. It tells me there is finally a focus on protecting private data.

The truth is, until Congress passed laws such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and states such as California passed laws requiring full disclosure of data breaches, agencies and corporations were largely self-governed and lax with data security practices.

The key to my absurd statement focuses on the word “reports.” You see, data breaches (i.e., the loss of sensitive private information) have been occurring for many years. It wasn’t until recently that corporations took the topic seriously and began being forced to disclose security lapses. Thanks to consumer advocacy and watchdog groups such as the Privacy Rights Clearinghouse and regulatory laws like HIPAA, senior executives are being held ultimately responsible for protecting private data and maintaining regulatory compliance. It is the threat of severe criminal and civil penalties that is persuading CEOs to dedicate valuable and scarce resources to securing consumer data.

What else would cause executives to spend money and time on something that doesn’t directly affect the bottom line?

The data breach reports are significant because companies previously didn’t place much emphasis on data security. Blocking hacking attempts and viruses got the most attention, with efforts mainly focused around keeping hackers on the outside through perimeter defenses such as hardware firewalls and wireless network encryption. But not much effort went into developing sound data handling procedures. The reports of data breaches are both embarrassing and damaging to the responsible companies, and ensure that more resources will be dedicated to reducing future incidents. And while some data breaches are occurring because of hacking attempts and viruses, most reports describe incidents involving employees losing laptops or portable media devices, or lapses in judgment.

Change takes time though, especially change involving business process flow. Many organizations are still in the very early stages of evaluating and implementing solutions to mitigate security risks. Common IT-based solutions involve implementing federated identity-management systems, utilizing encryption and using thin-client technology to access data stored centrally in a secure data center. Procedural solutions include creating access control lists and determining exactly who needs access to which systems, performing routine self-audits and training staff to properly dispose of and protect sensitive data (e.g., shredding confidential documents and knowing not to post private data on insecure web sites).
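As an added example (not code from the original column), the following Python script performs the kind of routine access self-audit described above: given a constructed account directory, a constructed access control list export and an assumed role-to-systems need-to-know map, it flags grants that go beyond a role’s needs, generic shared logins with no named owner, deactivated accounts that still hold access, and grants for accounts missing from the directory. The export formats, system names, roles and accounts are all assumptions made for illustration.

```python
"""
Least-privilege self-audit over an account inventory.

Added example, not part of the original column. It assumes two simple exports:
a directory of accounts (owner, role, active flag) and an access control list
of (account, system) grants, plus a role-to-systems need-to-know map.
Every value below is constructed for illustration.
"""
from collections import defaultdict

# Role -> systems a person in that role needs (constructed need-to-know map).
ROLE_NEEDS = {
    "nurse": {"ehr", "pharmacy"},
    "billing": {"ehr", "billing"},
    "it-admin": {"ehr", "pharmacy", "billing", "directory"},
}

# Account directory export: account -> (owner, role, active). Constructed.
ACCOUNTS = {
    "jdoe": ("Jane Doe", "nurse", True),
    "bsmith": ("Bob Smith", "billing", True),
    "tlee": ("Tom Lee", "billing", False),     # left the company, still has grants
    "nursestation3": (None, "nurse", True),    # generic shared login, no owner
    "admin1": ("Ann Admin", "it-admin", True),
}

# Access control list export: (account, system) grants. Constructed.
ACL = [
    ("jdoe", "ehr"), ("jdoe", "pharmacy"),
    ("bsmith", "ehr"), ("bsmith", "billing"), ("bsmith", "pharmacy"),  # beyond role
    ("tlee", "billing"),
    ("nursestation3", "ehr"),
    ("admin1", "directory"), ("admin1", "ehr"),
    ("ghost", "billing"),  # grant for an account that is not in the directory
]


def audit_access(accounts, acl, role_needs):
    """Return a sorted list of (account, finding) tuples.

    Findings raised:
      orphaned-grant      grant for an account not in the directory
      inactive-account    grant held by a deactivated account
      generic-account     shared login with no named owner
      excess-access:<s>   system outside the account's role needs
    """
    grants = defaultdict(set)
    for account, system in acl:
        grants[account].add(system)

    findings = set()
    for account, systems in grants.items():
        if account not in accounts:
            findings.add((account, "orphaned-grant"))
            continue
        owner, role, active = accounts[account]
        if not active:
            findings.add((account, "inactive-account"))
        if owner is None:
            findings.add((account, "generic-account"))
        # Anything granted beyond what the role needs is a least-privilege finding.
        for system in systems - role_needs.get(role, set()):
            findings.add((account, f"excess-access:{system}"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_access(ACCOUNTS, ACL, ROLE_NEEDS):
        print(f"{account:15} {finding}")
```

Run as a script it prints one line per finding; in practice the two exports would come from the directory service and the application’s own access list, and the role map is the “who needs access to which systems” decision the column says must be made explicitly.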

For example, when I started in healthcare IT in the late ’90s, a stroll down hospital hallways revealed computer screens with patient data clearly visible, computers logged into the network with generic accounts, and applications that required no authentication.

Fast-forward to 2006 and those same hallways now reveal screen filters on all monitors, staff using unique login credentials and applications with either integrated directory-services-based authentication or a separate application-layer login. Security committees even exist now with members from various departments who focus on ensuring the company maintains HIPAA compliance. How to secure data has become a focus when discussing upgrading or installing a new system, not an afterthought.

So again I say the frequent reports of data breaches are a welcome sight. And while it indicates we still have a long way to go to reduce security risks, it also proves there are watchful eyes on the companies storing sensitive private information. This will take time, but a quick glance at past security practices shows just how far we have already come.

As always, let me know your thoughts, and while you’re at it, check out these recently added resources on TechRepublic.

Why data encryption is no substitute for comprehensive security

Protect corporate data with these physical security precautions

Insider Threat Report by Aberdeen Group: Strategies for Data Protection