Data security needs attention

Star Advertiser - Dec 22, 2010

The digital age has meant that information can be exchanged much more freely than ever before. The flip side of this coin is that anything that is free tends to be devalued. Information is stolen, and the only ones bearing the burden of that loss are the victims of the data breach, not the ones who let their guard down.Figuring out how to correct that imbalance will be the job of the state Legislature, which is beginning to grapple with the vulnerabilities exposed by the latest breach at the University of Hawaii.State Sen. Mike Gabbard, who now chairs the Committee on Energy and Environment, is poised to present a set of reforms based in part on a report he commissioned from the nonprofit Liberty Coalition, a watchdog organization that advocates policies favoring individual privacy.The coalition uncovered the most recent UH episode in October, when the information of some 40,000 students and graduates was compromised. Its report chronicled five separate UH breaches, as well as cases at various Hawaii public and private entities dating back five years. That litany of complaints, as well as the stark statistic that up to a third of Hawaii residents have suffered data loss, should be enough to make leaders sit up and take notice.Some of the remedies listed in the report may be problematic to impose at a time of fiscal weakness -- such as the creation of a new trust fund to pay damages to breach victims. But other proposed ideas could help hold public and private organizations and agencies accountable for keeping inadequate watch over personal data.» The state should require any breach to be followed by notification to victims providing pertinent details about the data loss. There is already a notification law, on the books since 2007, but meaningful information -- such as the type of data that was stolen and the duration of the information exposure -- has not been required. Instead, companies and public agencies have tended to issue generic notices that do little to clarify the degree of concern that is warranted.» The law should mandate any organizations culpable for a data breach to conduct an independent audit to confirm its implementation of industry security standards and its fulfillment of promises made after an episode. For example, in November 2007 UH adopted a security policy requiring strict procedures to be in place governing access to personal information. Based on what happened nearly three years later, there wasn't enough follow-through.» The legislative auditor should evaluate the implementation of its suggestions made in December 2007, including a survey of the comparable regulations adopted in other states.Some of the report's proposals bear discussion, such as attaching liability and penalties to public and private entities that allow data breaches. Certainly liability is nothing that state agencies willingly embrace, but there needs to be some way to bring pressure to bear on them so that they will invest in the security improvements that are necessary in an era of easy access to information.Senators have pledged to conduct an informational briefing next month on the issue, and that's encouraging. Officials would consider securing the front door to offices and buildings a no-brainer; data files should be kept under lock and key with the same kind of vigilance.