I am completely disgusted by a local event here in Tennessee. Two laptops were stolen from the Davidson County Election Commission over the Christmas holiday. They likely held 337,000 identities including the SSN, name and address of registered voters. You can read about it in the Tennessean article.
1. Why on earth was there no alarm on a building associated with election records? A rock through a window and two laptops vanish?!?
2. Why on earth were two laptops with such data left outside a safe? Surely such backup units are regularly stored in a secure location.
3. Why on earth were they not equipped with encryption?
So who is to blame? The user/custodian of the laptops? The physical security contractor? The IT department?
It comes down to what are the policies in place. After all IT in government and business alike only can do so much if management is not forced to provide funds and resources to meet the policy. If the policy did not exist then I recommend the council members should consider resigning themselves. If the policy was in place fire the IT head. the physical security head and terminate the contract of the physical security vendor. That should send a message of accountability. It should not be a surprise to these people that such information which is required to achieve the electoral mission would be at risk without proper measures.