In reaction to these numerous privacy breaches, currently, there are multiple versions of the Data and Cybersecurity Protection Act being considered on Capitol Hill. The public wants Congress to do something about this situation, and Congress will likely do something. The problem for us is that Congress is just as likely to make the problem worse rather than better.
There's an old adage that you should not watch two things being made: sausage and laws. Indeed, watching the various arguments being made and language proposed for legislation on this topic is not only disappointing, but the process is tortuous.
There is no silver bullet to solve this problem of wandering data. If the problem were easy to solve, then it would have been solved already. The real problem is that business processes are involved — along with end-users. However, components for mitigation do exist and can be put together to provide some due diligence. The first component is obvious — a clearly defined and articulated policy that is well socialized within your enterprise.
Other components to mitigation of this problem include ERM (enterprise rights management), a preventive control similar to digital rights management (DRM) for consumer content. ERM products are emerging, such as Microsoft's Rights Management Services and Titus Labs' products. While these products are effective for controlling documents in Microsoft Office formats and exchanges through Microsoft Exchange, that is obviously not the total environment for which protection is needed.
Encryption of data at rest on mobile devices, with policy enforcement set and enforced by the enterprise, is also required — as is data elimination. Encryption of data at rest on non-mobile assets should already be in use today.
And while encryption of data in transit is already standard practice, "in transit" needs to include not only transmission security, but encryption of stored data that is physically moved.
All of these components exist today, but they are, in fact, standalone. There is little cross-platform support, and no unified management or reporting capability. So in the short-term, we are probably stuck with sausages — in the form of legislation and products.
30 Seconds on...
Unto the breach
According to the Privacy Rights Clearinghouse, there have been 115 privacy breaches reported in the first six months of 2006. Of those, 47 involved laptops being lost/stolen or data going or being sent to an unauthorized location.
The other incidents, Tim Mather points out, involved online privacy breaches, hacking incidents, or insider exploits. In those 47 incidents, privacy information of more than 32 million persons in the United States was compromised.
Mather adds that policy alone is insufficient in stopping breaches, assuming that your enterprise actually has a clearly articulated policy about where data can be used, under what circumstances, and with what protection.
Shame on you
As privacy breaches become commonplace, the public and public interest groups will not just shame companies into compliance, but continue to advocate for more/better legislation, and undoubtedly turn to litigation, says Mather.