Read Compliance Week for 17 April 2007 – Battling the Wide World of Data Breaches – and be astonished that those who are responsible for such grievous breaches of basic data security aren’t just taken out and …..
If you want a regular dose of horror, get the RSS feed from the Attrition.org website. It seems clear to me that there are large numbers of organizations out there who truly, genuinely, don’t give a hoot about the security of their employee and customer personally identifiable information.
I mean, if the extent of the repercussions facing TJX doesn’t frighten CEOs and board directors – 18 class-action lawsuits (so far), 30 states conducting attorney-general investigations, a US$5 million pre-tax charge in Q4 of 2006, and the statement that: “beyond this charge, we do not have information to reasonably estimate losses we may incur arising from the computer intrusion” (and TJX does deserve it, having allowed hackers to access credit card data from some 45.7 million customers) – then nothing will get their attention. After all, TJX is not the first example of gross incompetence on this scale, and it’s not as though the US doesn’t already have a battery of privacy and personal data breach legislation on the books.
It’s also not as though best-practice standards (e.g. ISO 27001) don’t already exist; nor is it anything but obvious that laptops simply should not be loaded with personal data, not ever.
I think the only thing remaining is for everyone – customers, suppliers, partners – to simply cease dealing with organizations like TJX. Subscribe to Attrition.org and boycott those organizations that won’t get their act together.