Who Should be Held Accountable for the Rash of Database Security Breaches?
Attacks and compromises on databases have risen at an alarming rate over the past several years. Sony, LinkedIn, eHarmony, and Yahoo are just a small example of organizations having suffered from these high-profile attacks. The attackers themselves have moved from techniques such as SQL Injection to more advanced means of breaking a database and dumping the contents within for all to see. You can find plenty of more examples on my website.
There needs to be a clear chain of custody as to who is responsible for safe guarding databases and the information they contain. In my opinion, the IT staff responsible for the databases should be held accountable because they should be knowledgeable enough to choose products that are known for being secure. At the very least, the staff and database administrators must be proficient with patching vulnerabilities present in existing databases.
The government should consider funding money for private organizations to join together and create more standards for data security, similar to standards enacted by like the Consumer Product Safety Commission and the FDA. Laws could then hold these companies accountable. Periodic security audits would hold them to these new safety standards.
If data is breached, an organization should be bound to notify its customer base. Withholding information of a break-in could be construed as obstruction or even collusion in court by crafty lawyers. It is best for an organization to admit a data breach up front and on the record. At that point, we can all collectively move closer to a more secure, and accountable future where computers are gaining even more information about us.