CYBEREYE: Security: Lots of lessons, nothing learned
- By William Jackson
- Mar 15, 2006
The issues of personal data security and identity theft broke into the national consciousness a year ago, when Choice-Point reported that thieves had established accounts with the data broker to obtain sensitive information on 145,000 people.
Outrage was immediate, but the problem has persisted. Despite congressional hearings, a plethora of federal bills and the passage of laws in at least 22 states, data on more than 53 million people was stolen, lost or exposed in 121 more incidents over the next year, according to the Privacy Rights Clearinghouse. By far the largest exposure was at payment processor CardSystems Solutions Inc., which effectively was put out of business after data on 40 million people was hacked.
These breaches are not the work of genius hackers. Most hacks, like that at CardSystems, are the result of poor security and worse policy. Many breaches are just, well, stupid.
There were 30 reported thefts or losses of computers and nine cases of lost or stolen backup tapes reported in the last year. Some companies printed Social Security numbers on mailing labels and one publisher recycled paper containing sensitive data to wrap bundles of newspapers for distribution.
It just goes to show you, no amount of legislation or technology is going to solve this problem. Laws and tools are needed, of course. But the problem will not be solved until the human beings involved start taking it seriously.
One of the most recently reported cases illustrates the lack of serious concern for personal data security at all organizational levels. One year to the day after the original ChoicePoint breach, Blue Cross and Blue Shield of Florida reported that a contractor had e-mailed himself the Social Security numbers of 27,000 employees, vendors and contractors. According to news reports, the data had been collected for ID badges.
The company apparently had a filter in place that notified someone that inappropriate information had been transferred. But that alert was not immediate and it did not stop the data from going out.
We know of this incident because of a Florida law that went into effect in July 2005 and requires notification when this kind of thing happens. But the law did not prevent the breach. It was stupid to gather Social Security numbers for ID badging to begin with, and it was stupid not to block their transfer.
So while legislators are busy debating legislation and your IT shops are begging for a budget to implement better security, here are a few tips to help avoid data breaches:
Don't put my personal information on your notebook or desktop. Don't put it unencrypted on a backup tape and hand it to a guy in a brown uniform in the hope that it will show up intact somewhere else in a couple of days. Don't print it out and don't leave it lying around. In fact, do you even need my data?
No high tech here, and no government involvement. Just some common sense that could help keep your agency's name from appearing in columns like this one.William Jackson is a GCN senior writer. E-mail him at firstname.lastname@example.org.
William Jackson is freelance writer and the author of the CyberEye blog.