And by The Inquisition, I'm not referring to the Spanish one (historical or Monty Pythonish. Monty Pythonian?). I'm referring to the US House of Representatives. According to various sources, five members of Congress have sent a letter to TRICARE, inquiring as to why SAIC has been rewarded with on-going contracts despite numerous data breaches. Oops...I guess data encryption software, which powers solutions like our own AlertBoot, should have been used to secure those tapes after all. Had the tapes been encrypted, a tape missing from a car would have been a lost piece of hardware rather than a loss of readable patient data.
The letter is related to, of course, the TRICARE breach from two months ago.
The bipartisan letter to TRICARE's director points out that SAIC (Science Applications International Corp.) has had six reported security incidents over the years. And yet, the US government continues to do business with them:
"SAIC has received more than $20 billion in federal contracts over the previous three fiscal years, according to USASpending.gov," the letter notes. "This is despite the fact that federal officials have lodged complaints against the company's conduct for years." [govinfosecurity.com]
Granted, the fact that a particular company has had six significant breaches doesn't necessarily mean that it lacks adequate, or even excellent, security. The truth is, outlier events occur, and it's a crazy world: things outside your control happen, things you couldn't possibly have prepared for.
On the other hand, sometimes you're just asking for it. As the Congressional letter notes:
The notification [from SAIC to patients impacted by the breach] goes on to explain that the use of these backup tapes and the method of transporting them are "routine procedure" for the company. According to reports, the tapes were left in the vehicle for most of the day and included specific information regarding patient diagnoses and treatment. [my emphasis]
Hey, if that's routine...well, that pretty much ends the discussion on whether the company thinks very highly of data security, doesn't it? The five Congressmen ask this final question, after what I can only describe as a very brutal, eviscerating, and illuminating line of questioning:
Why does TMA [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?
Of course, the question is not really a question at all. The director has until February 22, 2012 to answer.
The first data breach notification law in the world, as far as I know, was California's own, which became effective on July 1, 2003. One of the reasons the law was passed, supposedly, was the "sunshine as a disinfectant" principle: shine a light on bad behavior and people will change their behavior.
It was believed that, as a company is forced to admit to a data breach, it would be forced to better protect customers' data or face the consequences of clients no longer using its services. Over the past eight years, experience has shown that most people tend to ignore a breach. Certainly, there are those who switch to the competition but, generally, the breached entity doesn't get hit too hard. I guess I can understand that: sometimes, it's not the business's fault. There is only so much it can do.
But there are those times where it is a business's fault -- even if, technically, they are the victim. Leaving sensitive data in one's car (I won't use the word "vehicle." Armored trucks are vehicles, too, and I don't have a problem with a backup tape being in one all day and all night long) for most of the day is one of those cases, in my opinion. Would SAIC have done the same if, instead of a bunch of data tapes, the employee had been transferring a pile of cash? Of course not.
Maybe that's how data security issues ought to be decided: take a data device, gut its internal hardware, stuff it with $100 bills, and then consider whether you'd make any changes to your security or just keep operations as they are. If you find that the answer is "yes, we'd change things for the cash" then it's time to do something about your client data.
Related Articles and Sites:
http://www.databreaches.net/?p=21964
http://www.govinfosecurity.com/articles.php?art_id=4299