Low-level bureaucrats who leave unencrypted laptops in unlocked cars should be suspended without pay for meaningful periods of time. High-level bureaucrats who fail to improve their computer security safeguards in compliance with the law should at the very least be fired. In the case of actual data breaches, firing isn't enough. Depending on the level of negligence, it's not unreasonable that the bureaucrat should stand trial; if they are convicted of negligence and enabling fraud, they should arguably go to jail.
Second, instead of simply playing defense on data security, we need government to aggressively play offense. The federal government already spends $13.3 billion a year to secure its computer systems and bring federal agencies into compliance with the 2002 Information Security Management Act, according to a report published in March by the Office of Management and Budget. That's 18 percent of everything those agencies spend on information technology.
However, a security system is only as good as its weakest link -- people. Among a host of other initiatives, the government needs to better monitor the systems it has in place, develop effective breach response programs, and proactively train people to think security 24/7.
Here's the point: It's not just about punishing bad behavior. We must incentivize good behavior and inculcate best practices. Many Federal agencies have good rules in place; unfortunately, not enough are striving to meet them, and several could strive a whole lot harder.
Finally, we, the people -- the ones government is supposed to protect -- need to get fired up and take action. While Federal agencies tend to ignore complaints from individual citizens, they do take complaints from members of Congress very seriously (since enough angry senators could cause an agency major tsouris when budget season comes around). If you are one of the millions of citizens whose information was improperly exposed, and received a notice from a federal agency to that effect, don't just stand there, do something about it.
Letters to senators -- good old-fashioned snail-mail, handwritten missives -- get noticed. Groups of seniors or veterans or Medicare patients showing up on a Congressman's office doorstep get noticed. Blog articles that help track identity-related fraud get noticed.
Whatever your skill and whatever your interest, you have something to add to this fight. And if you're an American taxpayer, you probably have something to gain from it. Rapid7's report shows that federal bureaucrats still don't take seriously their responsibility to protect our privacy. It's high time for us to target the things they do take seriously: their budgets, their jobs, and their freedom.
Adam Levin is chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.