If You’re Collecting Our Data, You Ought to Protect It

By now, reports of lost or stolen business devices are so common that many people open data-breach notices from their banks, insurers, medical institutions, schools and state agencies with something like resignation.

In fact, negligence by employees and contractors has been a more common cause of corporate data breaches in the United States than malicious attacks, according to a study of 2011 done by the Ponemon Institute, a research center on data security, and financed by Symantec, a data security company. Institutions, companies and government agencies often devote more resources to collecting information about employees and consumers than to protecting it, security specialists say. “This is an unfortunate but perfectly cautionary tale of not only how we should look more carefully at protecting data after it is collected,” says Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group in San Francisco, “but also how the data is to be safeguarded before we collect it to make sure it isn’t used improperly or disclosed accidentally.”