In my business I spend a great deal of time orienting employees on the realities of identity theft. It's a critical step in reducing incidents of data loss and theft from businesses. I’m not talking about trade secrets but rather employee personal data and that of company customers or clients.
Major companies involved in the architecture and implementation of web applications are proposing new Internet protocol rules and passkey requirements for data access. In the Web 2.0 world of cloud computing these are very important issues, and they absolutely need to be addressed. Data collection is becoming more ubiquitous for a variety of reasons, and the trade-off between our individual rights to privacy and the public right to know is under increased scrutiny.
Beneath the radar of public discussion, however, thousands of lists and databases containing your personal information and mine are ripe for the picking.
Below is an excerpt from an article in today’s New York Times.
September 25, 2008
Applications and Identity Theft
By JAY ROMANO New York Times
“CO-OP boards, condo boards and even landlords routinely ask applicants for personal data like Social Security numbers, exactly the kind of information that is used in identity theft.
According to lawyers and managing agents for co-ops, condos and rental buildings, applicants are becoming skittish about providing sensitive information. More than 14 million Americans reported being victims of identity theft in the 12 months before August 2007, according to Avivah Litan, a security analyst for the research firm Gartner.
While there is no indication that widespread theft of information has resulted from co-op and condo filings, Habitat magazine, a New York publication covering co-ops and condos, has published two articles in the last year or so dealing with identity theft.
The magazine interviewed two prospective apartment purchasers who believed that carelessness by board members led to the release of sensitive information that was used by thieves to open accounts in their names. One building worker acknowledged that he found 10 years of application packages in a board member’s trash.”
This is a classic example of the sort of database that is overlooked. Smaller local databases are extremely vulnerable to theft and loss mainly due to a lack of understanding of proper procedures and the real risks from loss. What the prevailing wisdom tends to ignore are these thousands of lists and databases that already exist with our personal information.
When someone is victimized by an identity thief in Eastern Europe who has bought his or her information for $25 in bulk and resold it to someone else who files a phony medical insurance claim, or by a crack addict who sells it to someone with a criminal record who obtains employment using a stolen SSN, do you think the victim cares which database was the source of the theft? The victim is stuck with the fallout, which statistically takes from 3 to 5 years to clear up and even then often resurfaces at a later time.
The public is essentially unaware of what identity theft is, and businesses have almost no clue as to their legal and moral obligation to protect, properly store and dispose of sensitive personal information. What happens, for example, to information kept in your dentist’s office, or your insurance agent’s? What are their protection and disposal procedures? How about your town and county records? Schools?
American business is losing about $50B, that’s billion, in direct and indirect costs each year due to identity theft. When large databases are hacked, like the Veterans’ Administration for 26.5 million records, or TJX for somewhere between 41 and 91 million records, UCLA for 800,000 records, etc., it makes the news. Complaints pile up at state and federal legislators’ mailboxes. An upward-spiraling argument always follows every large breach, with people demanding new laws which, when enacted, are ineffective in stemming the theft and sale of personal information. As long as the data has value it will continue to be a commodity for sale.
Getting back to my employee group trainings, I always ask the group what they think of when they hear the terms data theft and identity theft. Almost invariably the answers are centered on credit reports and on bank account and credit card misuse. While that is a significant portion of the identity theft reported to the FTC, the overwhelming majority of cases reported (70%) do not involve finances at all. Only through public awareness can the crimes of identity theft be squelched. The groups we speak with are more aware and proactive both with their own personal information and with the information they handle at work. We are all responsible for each other’s data. Creating better habits for safekeeping it will establish the “culture of security” we all seek.