glen-martin

Creative Commons License
This work is licensed under a Creative Commons License.

Data theft is criminal - loss should be as well

posted Friday, 22 September 2006

I read a story this morning about a long-running data loss - in this case, laptops with personal information that have gone missing from the US Commerce Department and Census Bureau. That is, at least 1100 laptops over the course of 5 years, at least 249 of which contained personal data. More, um, interesting: only 107 of these missing laptops with personal data are known to have been fully encrypted.

I blogged on data theft a while back. My thought at the time was to require full disclosure of each and every datum recorded to make customers aware. But that doesn't seem adequate any longer. First, there have been far too many corporate mergers and such, so "use within the company" now becomes a very broad statement indeed and completely unrelated to servicing my existing business relationship. But now that the Census Bureau is in on the game, the data-gathered public doesn't have any choice, disclosure or no.

Where have these folks at the Commerce department been? How have they failed to notice the problem of data loss?  The story raises the incredible points that "We don't know exactly how many computers were lost" and "the inventory of missing laptops has escalated rapidly in recent weeks as the department has investigated the disappearances".

Not only have they not protected data, they have been blissfully unconcerned when it has wandered off. Incredible. Criminal negligence, I think.

So let's try a different tack: Criminal charges against worker and/or supervisor for loss of unencrypted data. If you're going to ruin my life with casual disregard for my privacy that leaves me open to identity theft, then go to jail for at least as long as it takes me to re-establish my identity in new documents that aren't compromised.  Maximum term of 5 years seems about right, unless there is also evidence of criminal conspiracy (as in, the data wandered off with collusion).
