It's a start. On June 23, the Office of Management and Budget announced that federal agencies have 45 days to put new data-protection measures in place. The new requirements (technically, they're "recommendations," but the OMB appears serious about this anyway) include encryption for all sensitive data on mobile devices, logging of all extracts from databases containing sensitive information and verification that the downloaded sensitive data is deleted after 90 days.

The good news: This can be done now using off-the-shelf products. The bad news: It probably won't be successful -- not unless the IT people putting it in place remember that you can't just secure the data. You have to secure the people, too. And we already know, from incident after horrendous incident, that the employees of federal agencies aren't secure. Not at the Internal Revenue Service (laptop stolen with personal data on 291 employees and job applicants). Not at the Federal Trade Commission (two laptops stolen containing financial data related to investigations). Not at the Department of Veterans Affairs (laptop stolen with personal data on 26.5 million vets). And that's just laptop thefts in the past six weeks.