Publisher's Corner

    Calvin D Johnson

MAKING A LIST AND CHECKING IT TWICE…

Every time a massive data theft or security breach happens in the Transaction Processing Industry, I keep kicking myself for never starting the list of all such compromises that I once promised myself I would keep! The most recent major security snafu, which I think is also the largest one to date, involved the theft of 26.5 million records containing the personal information of U.S. veterans.

TPAtlanta discussed this particular security breach in last month's issue. In fact, the day before we went to press last month, the stolen Veteran's Administration PC was recovered by authorities, although government officials are being extremely reticent about how and where this PC was recovered. They are only reporting that it appears, at least to date, that none of the veterans whose personal data was on this PC have been victimized. So, it seems yet another close call has been averted. Don't you feel safer now?

However, no sooner was this VA PC located than another public agency PC went AWOL!

A laptop containing personal information from thousands of blood donors - including Social Security numbers and medical information - was stolen from a Dallas, Texas, office of the American Red Cross, but officials said the information was encrypted. The data included the matching names and birth dates of donors from Texas and Oklahoma, as well as the donors' sexual and disease histories.

How about them doggies cowboys? Brokeback Mountain might seem a little tame if any of this kind of data got into the wrong hands! "We haven't viewed this as a security breach at this point," Darren Irby, spokesman for the national American Red Cross office, told The Dallas Morning News soon after the event became public.

Just who do these agency and government officials think that they are kidding with this kind of foolish rhetoric? How many bullets can the public continue to dodge before someone gets seriously wounded?

Unfortunately, most people do not realize just how bad the situation is, which is why I think a public list that exposes these failures might have great impact. The problem is compounded in some cases by the failure to report the theft or breach on a timely basis. In the case of the U.S. veteran data, the Veterans Administration did not bother to report the data theft for nearly three weeks. As both a relative of several veterans and a professional in the Transaction Processing Industry, I find this delay in public disclosure to be unconscionable, even bordering on a cover-up.

Whereas public disclosure requirements exist in some states like California, there are no such rules in many other states. Things are less organized at the federal level, where at least two separate bills are under consideration by the Senate and at least another two are under consideration by the House. In the House, the two pieces of relevant legislation, which are in varying stages of development, are the Financial Data Protection Act of 2006 (House Commerce Committee) and the Cyber Security Enhancement and Consumer Data Protection Act (House Committee on the Judiciary).

The former is considered a joke by some because of the way disclosure is only triggered in the event that a breach is "reasonably likely to result in substantial harm or inconvenience" to consumers whose personal information was included in the breach. Similar "toothless bills" are being considered in states like Arizona. Not surprisingly, in a bit of foxes watching the henhouses, the highly subjective measurement of harm is left to the data custodian to conduct. You do not have to be a CSI detective to conclude that some lobby is obviously at work here!

According to Wired Magazine, Microsoft is on record as favoring the low threshold:

In 2002, the Federal Trade Commission charged Microsoft with falsely claiming that consumer data held in its Passport electronic wallet service was highly secure. The company settled, agreeing to bolster Passport's security. Speaking to a roomful of privacy advocates, Microsoft lawyer Michael Hintze outlined a detailed plan for a federal law that he said would protect consumers while clarifying the responsibilities of corporate America. Microsoft prefers that customers be notified only when a company determines there's a "reasonable risk of a material harm happening to a consumer," said Hintze. "If the trigger is too low … people will get notice fatigue. People will get notices all the time."

To that I say, fatigue me. Notify me. Immediately. I do not know about you, but when I find out that someone to whom I have entrusted my personal information loses track of that information, I want to know right away so that I can take my business elsewhere. And there is nothing like the risk of consumer-inflicted financial penalties to scare the daylights out of any business.

What does any of this have to do with my headline? Well, I have decided that I am not going to bother to compile that list. I do not have to! That is because the Privacy Rights Clearinghouse already maintains such a list, detailing the breaches that have been reported.

Check it out yourself at http://www.privacyrights.org/ar/ChronDataBreaches.htm

There is no telling what other security breaches have not been reported. But I will venture a guess that the list of unreported incidents far outnumbers the list of reported ones. Based on the size and frequency of these breaches, as well as the brand names involved - brand names we assumed we could trust - theft of your identity does not appear to be an "if" question. If it has not happened already, it is just a question of when. And that is a very sad state of the state if you ask me!

While we at TPAtlanta will continue our efforts to monitor these developments in preventing and reporting serious security breaches, both legislative and private-sector efforts, we sincerely hope that the only list on which your name or that of your company appears is the one that Santa Claus keeps.

And you had better be in the Nice column and not on the Naughty side!

Have a safe summer. Do not forget to use sunscreen. And protect that data too, especially if you are taking your laptop on vacation!!

Calvin D. Johnson, Publisher
publisher@tpatlanta.com
Trans Atlantic Systems, Inc.


Designed and Published by: Trans Atlantic Systems ©2005