Friday, September 26, 2008

Applications and Identity Theft

In my business I spend a great deal of time orienting employees on the realities of identity theft. It's a critical step in reducing incidents of data loss and theft from businesses. I’m not talking about trade secrets but rather employee personal data and that of company customers or clients.

Major companies involved in the architecture and implementation of web applications are proposing new Internet protocol rules and passkey requirements for data access. In the web 2.0 world of cloud computing these are very important issues, and absolutely need to be addressed. Data collection becomes more ubiquitous for a variety of reasons and the trade-off between our individual rights to privacy and the public right to know is under increased scrutiny.

Beneath the radar of public discussion, however, thousands of lists and databases containing your and my personal information are ripe for the picking.
Below is an excerpt from an article in today’s New York Times.

September 25, 2008
The Fix
Applications and Identity Theft
JAY ROMANO New York Times
“CO-OP boards, condo boards and even landlords routinely ask applicants for personal data like Social Security numbers, exactly the kind of information that is used in identity theft.
According to lawyers and managing agents for co-ops, condos and rental buildings, applicants are becoming skittish about providing sensitive information. More than 14 million Americans reported being victims of identity theft in the 12 months before August 2007, according to Avivah Litan, a security analyst for the research firm Gartner.
While there is no indication that widespread theft of information has resulted from co-op and condo filings, Habitat magazine, a New York publication covering co-ops and condos, has published two articles in the last year or so dealing with identity theft.
The magazine interviewed two prospective apartment purchasers who believed that carelessness by board members led to the release of sensitive information that was used by thieves to open accounts in their names. One building worker acknowledged that he found 10 years of application packages in a board member’s trash.”

This is a classic example of the sort of database that is overlooked. Smaller local databases are extremely vulnerable to theft and loss mainly due to a lack of understanding of proper procedures and the real risks from loss. What the prevailing wisdom tends to ignore are these thousands of lists and databases that already exist with our personal information.
When someone is victimized by an identity thief in Eastern Europe who has bought his or her information for $25 in bulk and resold it to someone else who files a phony medical insurance claim, or a crack addict who sells it to someone with a criminal record who obtains employment using a stolen SSN, do you think they care which database was the source of the theft? The victim is stuck with the fallout that statistically takes from 3 to 5 years to clear up, and even then often resurfaces at a later time.

The public is essentially unaware of what identity theft is, and business has almost no clue as to its legal and moral obligation to protect and properly store and dispose of sensitive personal information. What happens, for example, to information kept in your dentist’s office, or your insurance agent’s? What are their protection and disposal procedures? How about your town and county records? Schools? American business is losing about $50B, that’s billion, in direct and indirect costs each year due to identity theft. When large databases are hacked, like the Veterans’ Administration for 26.5 million records, or TJX for somewhere between 41 and 91 million records, UCLA for 800,000 records, etc., it makes the news. Complaints pile up at state and federal legislators’ mailboxes. An upward spiraling argument always follows every large breach, with people demanding new laws which, when enacted, are ineffective in stemming the theft and sale of personal information. As long as the data has value it will continue to be a commodity for sale.

Getting back to my employee group trainings, I always ask the group what they think of when they hear the terms data theft and identity theft. Almost invariably the answers are centered on credit reports, bank account and credit card misuse. While that is a significant portion of the identity theft reported to the FTC, the overwhelming majority of cases reported (70%) do not involve finances at all. Only through public awareness can the crimes of identity theft be squelched. The groups we speak with are more aware and proactive both with their own personal information and with the information they handle at work. We are all responsible for each other’s data. Creating better habits of safekeeping it will establish the “culture of security” we all seek.


JohnFranks999 said...

David Scott believes these data breaches and thefts are largely due to a lagging business culture. Read some fresh and original thinking from the author of “IT Wars” - - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it.

Amul Raj said...

Identity criminals get other people’s identity details by:

* stealing purses, wallets, mail, mobile phones containing identity details or during a burglary
* pretending they are government, bank or other financial institution representatives seeking information
* offering to complete a person’s tax return or other document that needs their personal details, or
* using computer viruses or email phishing.

Identity theft victims could face unwanted trouble and expense because of fraud or other crimes identity thieves commit using their identity details. Getting a job, a bank loan or other credit, renting a house or a car or getting government services or benefits could also become difficult and frustrating.

George Jenkins said...


Excellent post. Thanks for writing about this.

R.E. said...

I agree with your comments. Working in IT for the past 11 years, I've seen firsthand how smaller companies simply lack the funds and talent to be able to secure their databases in any meaningful way. It's my belief that end users should do their best to simply not provide ANY personally identifying data, and in cases where it is absolutely necessary, give as little information as possible.
I blog about this epidemic and call for a new industry dubbed Privacy 2.0 which provides services that help anonymize user data while still allowing them to participate in the social web.