10 Mar 10 IT agenda items for the first U.S. CIO
TMCnet, March 9, 2009
Last week, President Barack Obama made good on his promise to appoint a national tech leader for the United States. As the country’s first-ever CIO, Vivek Kundra faces significant challenges modernizing the nation’s IT infrastructure and will be charged to do so at a time when self-interests and a lack of industry oversight threaten not only our freedoms and privacy but also the long-term innovation potential of IT. And though the former CTO of the District of Columbia’s new job description errs on the side of IT management rather than U.S. tech policy, the move toward a national CIO — and, likely, a national CTO — lends hope that the government will provide much-needed oversight to an industry that has fast been infused into nearly every aspect of our lives. [For perspective on the nation’s tech policy in the years ahead, see “A high-tech agenda for President Obama.” For a look at Kundra’s credentials, see “Meet the nation’s first CIO” and his 2008 InfoWorld CTO 25 profile. ] After all, governance has proved essential to safeguarding a variety of long-standing industries from corporate malfeasance. And creating a post designed to oversee government-wide technical initiatives may be the first step toward getting the United States back on track in a number of tech areas faltering due to corporate neglect. Here are 10 agenda items many of us in IT would like to see the first-ever U.S. CIO address. Agenda item No. 1: Mandatory restitution for customer data leaks Companies that damage the public trust by dumping chemicals in streams or by illegally disposing waste pay fines. But those that breach the public trust due to data mishaps face little in the way of restitution. This must change. The scenario is familiar: Banks cancel debit and credit cards abruptly, issuing new cards and account numbers with little explanation. Such is the fallout of data breaches and incidents wherein accounting records are “lost.” Too often the card-issuing banks fail to divulge the name of the company responsible for that data leak; they simply cancel and reissue cards, leaving unwitting customers to clean up the mess. Although IT has been saddled with a legal duty to secure sensitive data and to notify the public in the event of a data breach, this type of corporate negligence goes largely unpunished. If more stringent mandates were put in place to actually hold companies liable for their own security breaches, customers would see better care taken with their identities. Offending companies at the very least should pay every bank and account holder for the cost of canceling and reissuing credit and debit cards due to negligent data practices. Restitution should also include payment for the time required to fix the fallout of their negligence. Add a fine of $10 per record, and you will certainly see a drop in breaches that expose millions of customers’ account data at a time — or at least more diligence in protecting those records. It is well past time to get serious about citizens’ sensitive data.