According to this report (via), the IRS deployed two major software systems, its Customer Account Data Engine (CADE) and its Account Management Services (AMS) system, despite the existence of "known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery." Obviously, this is a problem. Indeed, given some of the vulnerabilities noted in the Computerworld article summarizing the report (e.g., failure to encrypt data either in storage or in transit), the IRS systems wouldn't even pass the private-sector PCI Data Security Standard, let alone government-imposed standards such as those in HIPAA.
The interesting part of the report, though, is not that the IRS deployed systems with flaws. Frankly, while that part may be depressing, similar mistakes take place in both the public and private spheres frequently enough that the existence of one more flawed system doesn't really raise my attention. What interests me about the report is that it shows the limits of what you can do with regulation. The IRS has specific guidelines and requirements for handling data that, in theory, should have prevented the deployment of systems with known vulnerabilities. Moreover, as the report noted, the IRS had implemented development policies which "require security and privacy safeguards to be planned for and designed in the early phases of a system's development life" - something that many private-sector businesses would benefit from doing. The problem was that the IRS' cybersecurity organization knew about the vulnerabilities and accepted them anyway - in other words, it decided to save money by skimping on security for taxpayer information. With that kind of culture (which I find a bit surprising in government), it's not likely that an organization will have good security, regardless of how heavily regulated it is.
So how do you create a security-conscious culture? The easy answer is feedback. Make sure that there are rewards for doing things right, penalties for doing things wrong, and that the rewards and penalties (as well as what counts as right and wrong) are well known. Unfortunately, that easy answer is only easy in theory. In practice it's really hard to implement, and involves things like keeping open lines of communication, making sure decision makers pay attention to security even though it doesn't contribute directly to the bottom line, and educating people about what resources are available in an organization to provide decision support on security issues. While it seems that there is a slow change underway from a culture where consumer data is treated only as something to be valued to a culture where it's viewed as something to be protected, that change is very slow indeed. Before the change is complete, I think there will be many more reports revealing that large entities (both public and private) have undervalued securing consumer data.