After the Veterans Administration wrote the script for downplaying risk, when tens of millions of data records were stolen out of an employee’s home, the Bush Administration issued an edict - encrypt all data on government laptops.

Good idea, but nobody’s listening. Wonder what the TSA’s “100,000″ number will grow to?

I wish I could say I am shocked and bewildered that the recent data theft out of the State of Ohio was more than 15 times worse than Ted Strickland & Co. made it out to be when the physical drive (?) was stolen out of an employee’s car, but alas I cannot. I wish I had a more sarcastic way to put it too, but Carlo over at Techdirt did a pretty good job of that. Meanwhile, I’ve recently heard that sarcasm is symptomatic of passive-aggressive behaviour, and since an old girlfriend once told me I was the only man she ever dated that wasn’t “PA,” I’m going to respect her opinion and refrain from sarcasm from this day forward.

Ok, maybe not…

It’s not as though Ohio didn’t see this coming - it’s been going on in the Buckeye state for some time. Then again, does anyone in bureaucracies ever know what is actually going on? If they did, would they even care? Or are they just so attuned to stretching the truth that they just don’t know how to shut up, even in the face of stone cold evidence waiting to rear it’s ugly head?

No matter. When the “powers that be” come out with statements like this:

“He’s actually in line with our conclusions that it would be very difficult for someone without special knowledge and understanding to actually access that piece of information.”

…you know someone is speaking for someone else right before they get handed their pink slip. “Very difficult?” “Special knowledge?” The spokesperson is either completely insane or oblivious to the fact that there are third world countries full of brilliant mathemeticians, since cast into the shadows of unemployment and looking feverishly for work on internet message boards.

The same types of folks create stuff like this:
            

Add this:
               

And wind up with this:
    

And that’s for a few hundred bucks, based on some handwritten notes a moron like me scratches on the back of an envelope over three Blue Moon drafts, and faxes over to him at his office at the local community college. I use such strokes of amatuerism to create graphs on a very stupid, highly unsuccessful website I built for a few thousand bucks more.

If I can rally such idiots to produce algorithms at a price equal to a steak dinner in New York proper, for something I will never see a return on my investment for, you can be assured that there is someone out there that can crack the encryption on a device left in the back of a government clerk’s car that contains social security and bank account numbers on a million people, just for throwing in a bottle of 1999 Chateau Pichon Lalande.

UPDATE: None of this matters anymore - a scapegoat has been caught, tried, and hung. That’s how it works.

As a result of Boeing’s latest lost laptop, privacy breaches have now broken the 100 million record for 2006.

That’s one-third of the US population, although in our global economy it is highly likely many of the records extend beyond America’s shores.

Good job, guys and gals.

The solution to this mess? Propose stiff (I mean third world dictator-style civil, and possibly criminal) penalties for each screwup. And I do mean screwup - most of the large breaches we have seen over the last few years have been the result of ridiculously poor internal controls - controls in the policy and procedure realm. Less often do you hear of a cabal of MIT-trained mathematicians brazenly hacking into hardened data centers to get this data. No, most of the time it is some idiot leaving a laptop with a million social security numbers on the roof of a car, or an organization just giving the stuff away to any Tom, Dick or Harry that comes knocking with a check. You should not be allowed to hire a lobbyist to cover your ass for stupidity.

Companies need a phone tree to deal with stolen laptops full of personally identifiable data, according to this report over at eWeek.

How about a simpler “tree”:

- Keep important data off of laptops and on in-house secure servers, followed by…

- Keep laptops full of data out of the back seats of cars standing in dark parking lots, followed by…

- Keeping laptops full of data out of the hands of foolish employees who think said laptops are safe in the previously mentioned location (as well as safe unattended in crowded wi-fi enabled cafes).

If you don’t make contact, repeat the above steps until you do.

A law which went into effect in Indiana requires companies to notify citizens when data breaches occur.

Public Law 125 excludes companies cover by federal laws, including the Patriot Act, the Federal Driver’s Protection Act, the Fair Credit Reporting Act, the Federal Financial Modernization Act, and HIPAA, meaning all companies are exempt. If the breach affects more than a half-million, or the notification process is expected to cost more that $250,000, the company in question can have a $15/hour junior webmaster post a “conspicuous notice” on their website, and they can make fifteen $0.02 calls to local media outlets - all companies will be taking this option.

But the mandate does ensure that when more than a thousand people are affected, the company must notify credit reporting agencies. No word if the cost containment measures apply to this halfway decent portion of the measure, or how long the company has to wait before they actually opt-out of the law based on the federal exemption and/or make that “conspicuous” web post sans RSS feed.

You would think that after letting someone go home with millions of personal records, only to have it stolen, you might want to get your actual exposure to such a theft sorted out right away. In the case of the VA deal, silly excuses were made first, and now the inevitable has occured - the theft is worse than originally thought.

Silly little government boys and girls.

***UPDATE***

Yes, silly. But what an absolutely moronic blatantly incompetent move as well. Complete and utter disrespect for the citizenry that should be held in the highest regard. None too surprising, however, from a pack of government lackeys an institution with no real accountability for its actions. A Slashdot reader agrees.

Of course, the veterans are suing, and I hope they get every penny they can (and a few heads rolling might not hurt either).

I really wish someone had thought of this sooner, but considering the hands it is in now, I’ll bet we still have a chance to set the course straight.

At the moment, Congress is considering a few bills that would require companies to do what McIntyre did: Notify customers in the event of a security breach.

Who is McIntyre? That would be Dave McIntyre, CEO of Triwest Healthcare. Instead of hiding in a closet after his company was the victim of a huge personal data theft in 2002, letting spokesmeisters churn the bull, the leader directed his company to climb way out on a limb, notifying potential targets of the possibility of identity theft.

The company won an award for their care; while it was from some public relations association, it should have been from Congress in the form of a bill, named appropriately. Of course it is now 2006, and many millions of stolen records later, we are still waiting for the Triwest McIntyre Act. I’ll bet Triwest doesn’t have much of a budget for lobbyists, eh?

Read about McIntyre’s LACK of silly excuses here.

Egghead is playing public relations games, noting that the latest hack of their system only exposed 7,500 or so records. They claim the break-in was thwarted by their own security patrols, and insinuated that the number of records pilfered was just part of daily life. Meanwhile, Santa Claus is making a second visit to my home in less than a month, the fire-breathing dragon egg I have hidden in my closet is about to hatch, and my Oompa-Loompa’s are almost finished designing my next website.

Data thefts are always worse than they appear, particularly as they appear when first reported to the press.

Including mine, and the Colorado State Legislature’s. I hope it is on every lawmaker’s mind, and I hope one of them (I hope, I hope, I hope) doesn’t cowtow to big corporate interests.

There have been a ton of data thefts this year (the big black eye in the security fight in 2005), and in many of those cases it has been companies who were entrusted with that data that turned out the fools.

I am curious to see if some lawmaker, someplace, will get tough on this issue. The pivot point on data theft for 2006…are lawmakers going to take the high road, or take to the skies instead.

National Public Radio noted that there were a lot of data theft incidents in 2005, but the government didn’t do much about it. They may wonder why - I don’t.

If you were a politician, and you had the following two choices, which would you pick?

1) Stay up late, read about the consequences of data theft and how the cost is passed on to your constituents, then take all your cohorts to lunch, one by one, and try to convince them the bill you just drafted makes sense because it serves the people;

or

2) Listen to a paid consultant for some big data mining company talk about how difficult it is to stop data theft, while you sip champagne, in a Gulfsteam 5, on the way to a $500 round of golf.

Tough choice.