The past few weeks we saw another flood of news about IS&T security lapses. We had Monster.com reporting that 1 million or more of its customers had their information stolen, and the same hackers broke into the US Office of Personnel Management's website USAJobs.gov and made off with personnel information on 146K more people. Monster provides technical support to the OPM website. Monster admitted that it has been hacked several times, and only recently reported the fact.
Then there was a report that in the state of Connecticut, there was a "theft of a Department of Revenue Services laptop containing sensitive taxpayer information (which) it took eleven days to notify affected citizens of the incident."
At the same time, another report noted that, "A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards."
Back in Connecticut, there was this report: "Pfizer Inc. has revealed its third data breach in three months, this time affecting the personal information of an estimated 34,000 people... Pfizer said it did not realize sensitive information had been compromised until July 10. Letters to attorneys general around the nation alerting them to the data breach were dated Aug. 23, more than seven weeks after Pfizer became aware of the problem and more than eight months after the information was exposed."
There are others, but you get the idea.
Now, given that corporations and especially government (local, state, federal) are pretty well insulated from any penalties for breaches, it is clear that something else needs to be done.
While I am extremely hesitant to propose it (I am highly skeptical that government mandates are particularly cost- or performance-effective), maybe we do need a Sarbanes-Oxley Act for IT security. Let's hold CEOs, CFOs and CIOs, or their equivalents in government, personally responsible for the security of their organization's IT systems. We can start with the folks in government first this time - after all, fair is fair.
It would be interesting to see how many government CIOs would voluntarily sign a statement that their IT systems posed very low risk of being breached.