
Technology, Lax Security Put Personal Information At Risk

Thu, 22 Jun 2006

By Nicholas Beadle

(AXcess News) Washington – The holes in America's information security system are spacious enough for more than 88 million personal records – equivalent to almost a third of the U.S. adult population – to have slipped out for possible fraudulent use in the past 16 months.

That includes breaches announced in the past week totaling almost a million critical records:

* 970,000 on a computer server stolen from a Midwestern AIG insurance office in March,

* 13,000 District of Columbia employees and retirees' records on a laptop computer burglars nabbed this month from an ING U.S. Financial Services employee and

* 2,500 employees of Equifax, one of the nation's top three credit agencies, on a laptop stolen off a London train in late May.

Privacy experts say the recent cavalcade of breaches is a confluence of increased portability of data and technology, better reporting of breaches and negligent security and loose handling of personal information. Still, no matter what caretakers of vital information do, there is no magic cure-all for information security woes.

"It's not just a government problem, it's not just a private sector problem – it's society-wide," said Beth Givens, founder and director of the Privacy Rights Clearinghouse, a California-based consumer rights group.

Givens' group began compiling its list of information security breaches after the February 2005 announcement that ChoicePoint, a consumer data broker, accidentally gave 163,000 people's financial records to bogus accounts set up by identity thieves.

Since then, the list has ballooned to more than 88 million breached records, with additions slashing onto the list almost daily.

Givens said the list records anything that can be used to commit identity theft or fraud in which vital information is stolen and used to impersonate its owner, usually for financial gain. Every type of group that holds sensitive data – from state and federal agencies to banks – has made the list.

Givens said part of the reason for the ease with which vital information can slip out of companies and agencies is that, as technology has taken one step forward, data security has taken a step back. More data can fit in smaller files on more portable – and more easily stolen – computers and devices.

More than 50 security breaches on the Clearinghouse list stem from stolen or lost computers. The equipment was recovered in only two incidents.

While in most of the incidents the computers were stolen for the hardware, not the vital data stashed within, there is a built-in market should thieves realize what they have, Givens said.

Records like the 26.5 million logs of veterans and service members' names, Social Security numbers, birth dates and addresses – near-perfect source material for identity theft – could rack up millions on the black market, said Evan Hendricks, editor of the Privacy Times newsletter and author of the book "Credit Scores and Credit Reports."

"It's hard to imagine what the ceiling on the value would be," he said.

The increases in breaches can also be attributed to better reporting for information security compromises because consumer laws in many states require companies to promptly inform consumers whose data has been compromised, Givens said. Though they are required to report the breaches only to those affected in certain states, she said companies have quickly found themselves spreading the word to customers nationally.

But a big reason for the increase in breaches is lax security by agencies and companies that are supposed to be the caretakers of personal information, Hendricks said.

Some recent breaches seem to back that up. At a House Veterans Affairs Committee hearing June 14, auditors from the VA Inspector General's Office and the Government Accountability Office said VA officials had been warned for almost a decade about soft spots in their information security – including controlling access to records – before it lost millions of them.

But government investigators said they found their recommendations rebuffed or ignored by a VA bureaucracy belligerent toward change despite the critical nature of the data employees were supposed to shepherd.

Sometimes vital information is traded too freely. The data stolen with a server from an AIG Medical Access regional office was from more than 100 million pages of names and Social Security numbers provided by employers who were planning to buy insurance for employees. The insurance company needed none of that information to provide a quote, said Chris Winans, an AIG spokesman.

Asked why AIG held onto the data if it did not need it, Winans said, "I can't answer that question."

Even when a security procedure is in place to keep information from draining out, that does not mean it will work. Mercantile Potomac Bank has a policy against taking customer information out of its banks in Virginia, Maryland and Washington. Still, 48,000 bank customers' Social Security and account numbers were on a laptop stolen from a bank worker's car in May.

Overcoming indifference toward security is probably the biggest challenge information caretakers face, but it can be overcome by hammering the point through training and tying respect for protecting data to job performance, Hendricks said.

That is usually the first step for agencies and companies that have let information go.

The VA is requiring all of its 230,000 employees to go through cyber and data security training by month's end.

At Mercantile Potomac, basic bank policy for handling customer data has been reiterated to employees, said Janice Davis, a bank spokeswoman. But even that includes wiggle room.

"It's one thing that you have one person's file and you're going to an appointment, it's another thing that you have this much of information on a laptop," said Stephen Heine, Mercantile Potomac's senior vice president for client services.

AIG tightened its policy, prohibiting potential customers from providing personal information unless AIG needs it, Winans said.

But more shock-and-awe legal consequences are needed for those who do not take the precautions to secure information, Hendricks said.

The 1999 Gramm-Leach-Bliley Act requires financial institutions to keep consumer information confidential and secure. In response, the Federal Trade Commission issued the Safeguard Rule, which requires the businesses the commission monitors to take measures to guard that data.

But the FTC usually only orders companies that lose data because of weak security to add stronger protections and subject themselves to an independent security audit biennially for 20 years. ChoicePoint did take a financial hit – $10 million in punitive damages and $5 million in consumer redress. That was because the FTC found the company had violated the Fair Credit Reporting Act by providing credit information to malevolent parties.

"For the most part, no organization has really had to pay the price for bad data security," Hendricks said. "You're not going to have a FTC or a state or private lawsuit that's immediately going to come in and ring you up. That's why you have this lax attitude."

Legislation in the House would set a national requirement for notifying those at risk after security breaches and strengthen the security requirements of the Gramm-Leach-Bliley Act.

But given the advances in technology and other factors, those who handle vital data must keep up their work through regular audits and patch up holes as they come along if they do not want information to flood out, Hendricks said. The AIG server stolen was password protected and locked up, but burglars still got in and data still leaked out, Winans said.

"You cannot recognize every possible way" data can leak, Hendricks said. "But there are ways that are easily recognizable and you have to prepare for those."

Source: Scripps Howard Foundation
