SQLServerCentral Editorial

Security Disclosure


Did your company lose data last year?

How would you know? It seems that many data breaches aren't reported to the public, much less to employees. Even where regulations mandate that a data loss be disclosed, sometimes it isn't. In the case of medical data, the Department of Health and Human Services has a threshold that says if the loss hasn't caused "a significant risk of financial, reputational, or other harm to individual" then it doesn't have to be reported.

As a data professional, I think this is a mistake. If companies don't have to notify people, they won't bother to make investments in security. They'll allow risks, issues, and lapses in security to linger on. And they'll put pressure on employees to continue to follow poor security practices without disclosing them.

I don't want more regulation, more rules, or more government getting in the way of companies pursuing their businesses. However, I think we can solve this in a simple way: report every breach of security. Make it all public, and disclose it on a standard form that says what happened and how much data was lost. Let's not make it any more complicated than it needs to be.

Pursue transparency in security, and we'll all be better off. If customers care, you can justify the investment in better security. If not, continue the way things are.

Steve Jones


The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there. Overall RSS Feed:

or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled onto them and really like the music. Support this great duo at www.everydayjones.com.

You can also follow Steve Jones on Twitter:
