
Who should pay for data loss?
Should federal, state and local governments get tough on individuals and companies responsible for the loss of a person's personal data online? That is an extremely difficult issue to resolve and an even more difficult one to enforce. But if you look at the history of other issues where personal responsibility became important, you will see a number of success stories. When bars and individuals were held accountable for drunken drivers, they became more responsible about who should be driving after having a drink. The idea of a "designated driver" became a reality across the United States.

When individuals, not companies, were held accountable for white collar crime, managers became more aware of their responsibilities to keep their staffs from dipping into the till. When big companies knew they would be held accountable for accounting violations, they became responsible for cleaning up their acts. And now that the Sarbanes-Oxley Act has become law, executives at big companies must vouch for the accuracy of their company statements.

You may say that it is too tough to track and trace exactly who is responsible for hackers sneaking into a database, causing the loss of millions of files. Yet if individuals aren't responsible for making sure a database is tight and secure, who is? "American organizations understand that prevention is cheaper than cure--and implementing encryption technology is cheaper than the cost of a data breach," Joseph Hoban, VP at data protection software company GuardianEdge, a British company, told Silicon.com.

Other countries already are heading in the direction of finding the responsible party when large amounts of data are snatched out of a database. California implemented such a law in 2003 to make the individuals responsible for a data breach. But using the legal system to cut down on these kinds of data losses may be too tough a burden on a public that doesn't fully understand security issues. Jamie Cowper, director of marketing EMEA at encryption security company PGP, another British company, took a more cautious view toward this burgeoning problem: "Before we go for the nuclear option, perhaps we should first look at how current security regimes can be tightened up with, for instance, stricter enterprise data policies. We should also test the power of simply naming and shaming organizations," he said.

One of the biggest responsibilities of CIOs these days is making sure the data on their watch is protected. And if that means spending more money on security devices to prevent hackers from getting in, spend it. If your staff doesn't know how to stay on the ball and safeguard data, teach them. Because at the end of the day, the CIO will be called to explain what went wrong and why. And it is likely there will be no one else to take the blame but you. -Judi
