Certainly, California's SB1386 has played no small role in publicizing exposures of personally identifiable information, but it applies only to organizations conducting business in California and the state's government agencies. The U.S. Government Accountability Office's public reports do release information about agencies doing a less than stellar job with their security controls (no taxpaying citizen can forget how the Internal Revenue Service exposed their data to potential ID theft through a myriad of security holes earlier this year). And, of course, the annual FISMA report card shows just how well (or not) the government is doing in implementing much needed security controls across its vast and diverse systems.
But public disclosures about federal agencies' blunders when dealing with citizens' personal data are sporadic – certainly not hitting news outlets as much as stories regarding private companies' security gaffes. So why is it that they are excluded from some of the proposed ID theft bills bandied about on Capitol Hill?
According to this month's cover story, this stems from time-consuming complexities arising from trying to reconcile proposed ID theft mandates with post 9-11 legislation. That is, some in Congress want to make sure there are no conflicts between new privacy legislation and existing 9-11-related laws. Yet there seem to be no issues with adding more rules for private companies to follow.
I've advocated in past columns that a federal privacy law would be the appropriate action for lawmakers to take – especially if it enlists security standards already set forth in other laws, such as GLBA. But what is distressing is the possibility that the same privacy demands to which private corporations could be held may not be applied to federal agencies. They too store just as much data about individuals and, Patriot Act or not, should be accountable for preventing its compromise.
If these entities and private groups take steps to implement the proper security mechanisms, they could find themselves nominated in the SC Global Awards 2006. The event honors professionals, from CSOs and IT security teams to vendors whose products readers can't live without. To nominate products, people and more, please visit www.scawards.com. Illena Armstrong is the U.S. editor