Have No Fear, Federal Government Issues Data Leak Prevention Guidelines
from the see,-it-looks-like-we're-doing-something dept
Following a spate of data leaks and breaches at federal agencies, the Office of Management and Budget has now issued a set of guidelines for agencies to reduce the chances of data losses, while giving them 120 days to come up with breach-notification policies. The guidelines sound useful, particularly the advice that agencies should reduce the amount of information they collect and store to a minimum. However, it's hardly surprising to see that overall, the document is pretty toothless. What happens if agencies don't meet the 120-day deadline? Nothing, apparently, but maybe they'll be sent another memo. Furthermore, the "Rules and Consequences Policy" doesn't actually spell out any consequences should an agency lose data, rather it just says agency heads need to come up with a policy outlining behavior standards and the repercussions of breaking them. It's this sort of hands-off attitude that's the real problem here: nobody is ever forced to accept any sort of personal responsibility for these breaches, so there's little motivation -- beyond acting out of selflessness -- for government employees or businesses to take the situation seriously. Memos directing people to take some action, with no real followthrough, isn't the same thing as actually taking action. Until that happens, expect the data leaks to continue at the federal government, and elsewhere.