Lose a Laptop, Land in Jail?


TJX, owners of TJ Maxx, Marshalls and other familiar retailers, is the poster child (at least in the United States) for data breaches. For about 17 months, criminals freely roamed its cyber hallways, collecting credit card and other sensitive customer data. That story is well known. What isn't is precisely what price the company is paying for its monumental lapse.


It is paying a lot, even beyond the blot on its reputation. Internetnews.com reports that the company has agreed with VISA USA to pay as much as $40.9 million to an "alternative recovery payment program" in exchange for relief from the possibility of some lawsuits. (VISA, the company says, will kick in some of the money it collects.) In addition, 19 lawsuits are pending and investigations are under way by the Federal Trade Commission and 37 Attorneys General. In all, the company faces between $500 million to almost a $1 billion in expenses.


The data theft poster child title in the UK is Her Majesty's Revenue and Customs (HMRC), which lost sensitive information about more than 25 million people. The Information Commissioner, Richard Thomas, and his department have been given the right to spot check security in government departments, says The Register. The Information Commissioner says that he also wants those responsible for allowing security breaches to be made criminally liable.


There are two sides to the data breach punishment story. Perpetrators who are caught, of course, are treated as criminals. The next step is to hold criminally liable those whose carelessness makes theft easier. That would make people think twice before leaving their laptop unattended in a coffee shop or in the front seat of an unlocked car.


So far, only light punishment seems to have been meted out. This autumn, for instance, a backup tape containing information on more than 130,000 current and former Ohio state employees, taxpayers and other citizens was lost. The damage from the incident -- the tape was taken from an intern's car -- was put at more than $3 million. Computerworld reports that the state responded by docking the leader of the team working with the disk about a week's worth of vacation time.


Criminal penalties for laxity don't seem to be a hot topic on the standalone security front. Enterprise IT Planet provides a rundown of some of the proposed laws surrounding data security. The piece outlines three at the national level: H.R. 1685 (The Data Security Act of 2007), H.R. 836 (The Cyber-Security Enhancement and Consumer Data Protection Act of 2007) and H.R. 958 (The Data Accountability and Trust Act). Only H.R. 836 -- at least as far as the brief descriptions provided in the article -- mentions criminal penalties. In this case, however, it's for concealing breaches, not causing them.


There is action in the compliance sector. Security is a big part of Sarbanes-Oxley, Graham-Leach-Bliley, the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. IT and security departments should be aware that these laws pack quite a punch. This MacEnterprise.org piece says criminal penalties for breaking them include fines and up to 20 years in prison.


That's a great reason for IT organizations to pay close attention to how to delete or render unreadable data from drives. The approaches include drive formatting, block overwrite, in-drive secure erase, physical destruction, degaussing and encryption.