Indeed, the territory is new and uncharted, at least at these depths. "A lot depends on what the data was intended to be used for," says Claypoole. "For example, if DNA was collected from employees as part of a health screening, that information is generally protected. But, if the DNA was collected as part of an employee ID system, the DNA can be sold."
Liability Issues for IT Increasing?
For now, CIOs are in a precarious position. "CIOs and CEOs can't destroy the data or they could be charged with destroying a company asset," explains Claypoole. "Yet, you can't ignore the issue because it could come back to haunt you later."
In a desperate effort to either cope or profit, some CIOs and CEOs are taking their own steps and storing data elsewhere or even taking servers home, says Sanjay Anand, president of consulting and training firm GRC Group, who has been dubbed "Mr. Sarbanes-Oxley" by many in the industry.
"Generally the CIO's personal liability is very limited as long as adherence to guidelines is demonstrated," says Anand. "But we are hearing of cases where CIOs are directly responsible for the drives going missing, and in those cases we have already seen the first signs of litigation."
The thorniest problem is when IT people working offshore for US companies make off with servers, drives or data, he says. It's hard for US companies to track the IT people down, though the firms have started to litigate the issue, Anand says.
Eventually the matter may be sorted out in a regulatory way, but don't look for immediate answers, Anand says. "The new administration has its hands full with broader financial issues, and is unlikely to focus on just this narrow aspect anytime soon," he says.