Lost My Secrets? Pay Up, Buddy!

A Newsweek column by Steven Levy puts it squarely.

If you had something extremely valuable to ship—a bundle of cash, a bag of diamonds or the plotline for "Mission Impossible 3"—would you just pack it in a cardboard box and hand it over to the United Parcel Service for delivery? My guess is that you would take extraordinary precautions. Hire an armored car for the valuables. Encode the story line with bulletproof encryption. So why did Citigroup use unencrypted computer tapes for a UPS run to transport personal financial information on nearly 4 million of its customers? ...

Certainly one factor for these recent data debacles is that securing information is hard. But security experts and privacy advocates make sense when they argue that there's another reason. And that is that when disaster happens, it's other people who suffer the disaster. The companies vow to do better—and the victims are faced with years of financial vulnerability.

"Since the companies themselves don't suffer any loss, it's considered an external problem," says Bruce Schneier, chief technical officer of Counterpane, a security company...

Surely one remedy for this outbreak is to hit these companies where it hurts—in the pocketbook. Congress should go beyond disclosure laws and pass sanctions that make losing someone else's credit card, Social Security number or mom's maiden name such a costly proposition that companies will spare no expense to prevent such losses. We can't expect absolute perfection. But citizens should demand that companies protect their secrets as zealously as they protect their cash reserves. If not, those reserves should be drained considerably.