computerwoche.de

Archiv

Swindle: Data protection inadequate

06.03.2006
As a federal trade commissioner between 1997 and 2005, Orson Swindle was involved in the launch of the Federal Trade Commission's National Do Not Call Registry and participated in policy deliberations about information security and privacy. Now senior policy adviser and chairman at the Center for Information Policy Leadership -- a privacy think tank whose members include The Proctor & Gamble Co., Eli Lily & Co. and Microsoft Corp. -- Swindle talked with Computerworld last week about some of the privacy challenges facing corporate America.

What's driving the privacy agenda today? In the past year, we've heard about some hundred-plus disclosed security breaches, about hacking, lost laptops, lost files, disclosures of account numbers and even computers falling off the back of delivery trucks. This inadequate protection of sensitive data is just unacceptable. We have got to collectively do a much better job at it. There's no security initiative, there's no new law, there's no new technology that's going to solve this problem altogether.

What does this mean for businesses? The biggest concern for business is just being aware that if you handle information, you've got an obligation to protect it. The Federal Trade Commission with a couple of decisions last year plainly stated that. Both were brought against companies not for a promise not kept but for simply being in the business of collecting and using information that is sensitive and not taking sufficient precautions to protect that information.

What sort of precedent does ChoicePoint's US$15 million FTC fine set? That case is quite a bit different. In the ChoicePoint case, there were lots of things that were violated -- in particular, the Fair Credit Reporting Act. That carries monetary penalties that can be substantial and, in this case, obviously were. If nothing else, it certainly should be getting people's attention. Talk about a two-by-four between the eyes.

What is the overall effect of these breaches? We know that millions of people have had their information exposed, bank accounts depleted, and have had to go through the trauma of getting their credit ratings squared away. Then there's the firm that failed to provide adequate security through negligence or inadequate measures. Ask ChoicePoint how much it cost them not having it done adequately. It's causing consumers to lose confidence in using information technology. That may be the biggest loss of all.

How is this steering the privacy debate in Congress? There's the emotional hue and cry affecting members of Congress and state legislatures to "do something." Unfortunately, we will see some onerous legislation that might allow some political figure to declare victory and walk away. But legislation alone is not going to solve this problem.