In the late ’90s, the blatant criminality of corporate executives at Enron, Tyco International and WorldCom outraged shareholders. People around the world lost money, but it was U.S. investors whose critical mass of indignation led to the Public Company Accounting Reform and Investor Protection Act of 2002, or Sarbanes-Oxley.
That law sets new standards of behaviour for directors, managers and accounting firms at publicly traded corporations doing business in the United States and calls for heavy fines and jail time for executives who fail in their duty to shareholders.
Even though the frauds that led to SOX had nothing to do with computer security, the legislation has had a direct impact on the management of IT networks because it requires corporate executives to assume responsibility for the accuracy of their financial statements.
That accuracy depends on the security and integrity of the company’s computer systems.
In more innocent times, there was no detailed examination of an organization’s internal information technology processes.
The IT department was seen as a “black box” that produced either accurate results or nothing at all. But those days of magic behind closed doors are long gone.
IT managers now have to show that they can produce verifiable results using well understood and widely accepted processes and controls.
How long can government IT administrators avoid the same level of scrutiny?
Every week, if not every day, brings fresh news about public sector data breaches, particularly in the United States.
Not long ago, for example, an Internal Revenue Service laptop computer with the names, Social Security numbers, birthdays and fingerprints of almost 300 employees and prospective employees was lost while being shipped to a departmental event. The laptop itself was secured by two passwords, but the data it contained was not encrypted.
In a more serious case, the U.S. federal government has been forced to pay for credit monitoring after confidential information about millions of former service personnel went missing in the theft of a Department of Veterans Affairs computer. For some reason, a data analyst took the names, Social Security numbers and birthdates of between 17 million and 25 million veterans home on a laptop. Almost three weeks elapsed before Veterans Affairs began notifying people that their credit might be in jeopardy. The department eventually paid about $14 million to notify veterans that their identities had been compromised, but that was just a small down payment on a bill that will certainly run to the hundreds of millions. A U.S. Senate committee has already voted $160 million in emergency funding.
At least one senior executive has resigned, and some have been reassigned, in the wake of this security breach, but it is hard to believe politicians will be satisfied. Why should they? And why should taxpayers and citizens be satisfied with expensive, time-consuming clean-up efforts that may or may not be effective?
Several weeks after that, information about 13,000 District of Columbia employees and retirees was stolen from ING U.S. Financial Services. Because the company had no idea what was on the missing laptop, stolen on a Monday, it did not begin notifying employees and retirees that their unencrypted Social Security numbers and other personal information were in the hands of a thief until the following Friday. (Two unencrypted ING laptops with information about 8,500 Florida hospital workers were stolen in December, but the workers were not notified for months.)
Governments in the United States and Canada have not been at all reluctant to impose tight regulations and strict penalties on the private sector to ensure that citizens’ data is well protected.
In Canada, under PIPEDA, the Personal Information Protection and Information Privacy Act, fines for breaches or non-compliance can be as high as $100,000.
The politicians who voted for intense scrutiny for the private sector did so on behalf of consumers and shareholders. When will they mandate some form of sanction to protect citizens and taxpayers?
To date, there has been little focused outrage about data breaches. Many victims have insufficient information about a specific incident to relate it to their own credit difficulties. They may lack the knowledge to express their anger to the right audience. Perhaps most importantly, the criminals who might make use of their stolen identities can be extremely patient, waiting many months before opening credit card and bank accounts to make purchases and transactions in others’ names.
If public sector data breaches bring an increase in identity theft here, the result could be demands for SOX-like legislation for government operations, legislation that dictates not just the “what” but the “how,” with severe penalties for organizations and individuals that fail to measure up. After all, why should shareholders and consumers have protection that citizens and taxpayers do not? They’re the same people.
Richard Bray (firstname.lastname@example.org) is an Ottawa-based freelance journalist specializing in technology and security issues.