Panelists: Combating data theft is not complicated

More than 40 percent of recently reported data breaches were the result of stolen or lost equipment; hacker intrusions are much less frequent.

Data thieves are making life increasingly more difficult for the government and the private sector, but solutions to some of the most common data security problems are not necessarily complicated, a panel of experts said Wednesday.

Darryl Lemecha, the chief information officer at the data brokerage ChoicePoint, said during a panel discussion hosted by the E-Gov Institute that his company learned the hard way about the importance of credentialing the parties with which it does business. ChoicePoint disclosed in 2005 that it had sold data to a criminal enterprise, exposing the personal information of hundreds of thousands of Americans.

According to Lemecha, more than 40 percent of recently reported data breaches were the result of stolen or lost equipment. Intrusions caused by hackers are much less frequent, he said. "The majority of the breaches that occurred were due to simple things."

Companies and federal agencies can only prevent these problems from occurring in the future if they instill a culture of behavior in their employees that is practiced consistently, Lemecha said.

The stakes are higher for the government and private sector to take the necessary precautions to protect data because the techniques used by data thieves have progressed so rapidly in recent years, said Jack Hembrough, the CEO and president of Application Security.

He said he recently told his wife before she made an online purchase that criminals are not trying to steal her credit-card information, but rather they are trying to infiltrate the database of the company processing her payment that includes information on thousands of people, including her.

Hembrough was particularly critical of Oracle, which recently released a security patch to fix more than 100 holes in its software products. He said the day after Oracle released the patch, hackers around the world most likely were attacking all of the gaps announced by the company in hopes that some of its customers neglected to install the fixes.

But many businesses cannot afford to completely block access to their databases because they need to share information in order to survive, Hembrough said. All of the attention that data breaches have received in the news recently has made the issue tricky, he said. "Everyone's looking over our shoulder."

Ed Meagher, the chief information officer for the Interior Department, said it is imperative for government officials and businesses to implement privacy policies that are enforceable, a point echoed by Lemecha.

It is much easier to craft an enforceable policy when access to information is appropriately distributed to employees based on their roles, Meagher said. "Most companies are better prepared for a product recall than they are for a data breach."

Hembrough said it would be easier for the government and private sector to respond to breaches that affect the data of individuals in multiple jurisdictions if there were one federal law instead of separate state laws.