SC Magazine recently put The Breach Blog on line, a veritable wall of shame for almost daily information breaches. You'll find gems like the Bowling Green professor who kept students personally identifiable information (PII)on his USB stick, then lost or the Texas A&M-Corpus Christi professor who did exactly the same thing WITH EVERY STUDENT'S PII ON THE USB STICK! The losses are consistent: lost or stolen laptops, USB sticks, and backup tapes, along with the occasional server administration meltdown or ye good olde hack.
What's it going to take to convince universities to implement better policies and practices such as USB device management, including encryption and approved devices only?
When will Ohio state government managers realize that the intern you're paying $10.50 an hour is not the ideal caretaker for an unencrypted backup tape containing the PII of all 64,467 state employees?
Say it with me, people. Encryption. Best practices. Policy. Standards. Easier said than done, I know. But here are the simple facts. We are data custodians. Management, systems administrators, security analysts...we are all data custodians, and we must take better care of the information we manage. It's not our information. It belongs to our students, our customers, our veterans.
"First, do no harm." Failure to protect the information in our care is doing harm, as much as the criminal who stole it.
Kudos to SC for The Breach Blog, but it's a shame we even need it.