Wednesday, March 25, 2009

Compliance? Fugeddaboutit!

In my work helping businesses meet FACTA and GLB compliance requirements, I constantly run into lazy attitudes regarding encryption and basic steps like not recycling photocopies with sensitive data on them, locking files away, and so forth. For example, I was in a bank recently giving a talk on how data is stolen, and in the office area where I was speaking the Chief Loan Officer had his computer monitor facing the street through a huge picture window only five feet away, in plain view of the public walking by!

The bottom line for me is pretty simple. Given the attitude on the part of businesses of all types and sizes, and the massive holes in the PCI DSS and in state notification legislation, why is everyone wringing their hands wondering what to do? Get a real (read: professional) identity theft service that will actually help you when you need it, and largely put the issue to rest. This is not to say that we can stop pursuing compliance on the part of businesses. That is going to take a lot longer than necessary because of the reluctance of businesses to comply with some simple procedures. The problem for us is that identity thieves aren't going to wait. This set of crimes is increasing every year and shows no signs of slowing down. I am addressing what we as individuals can do right now to protect ourselves proactively.

In 2001 I was a victim of identity theft that cost me over $26,000 to solve (is it really solved? I don't know) and two-plus years of agony. I can say without reservation that if I had had the service I have now, it wouldn't have cost me one dime more than the service itself. Not so incidentally, $26,000 would pay for over 18 years of my identity theft service, and it protects both my wife and me. Is that a cost-effective service? I think so.

Now we are facing the Electronic Records Initiative as part of the economic recovery package. It is designed to compile all of our medical records on "cloud" servers available to, well, almost everyone. While this can be a massive cost savings for the health care industry, and potentially a great advantage for the individual when we seek medical help or prescriptions, it also opens a whole new set of security problems to solve. Medical identity theft is the fastest-growing category of identity theft, and potentially the most dangerous. It can cost you your life. When will Americans wake up and realize that identity theft is a vast subject and that a simple fraud alert or monitoring service will not help? And waiting to become a victim so your employer will buy you a year of free monitoring is not very smart either. We all need to take the initiative ourselves and stop our victim mentality.

How long did it take business to install ramps for people who needed them? The ADA has been around for decades and we are still fighting that one. What makes anyone think this will be any different? Surely there are laws with very stiff penalties, but mere laws won't stop a good old American business from ignoring the facts. Even when this is presented as the right thing to do, appealing to a business owner's sense of right and wrong, a lot of them still don't get it. Legislation is seen by a business owner as an invasion, regardless of the nature of the law and its intention. It's an automatic reaction. The brain reels at the idea of compliance, a signal is sent throughout the body and, voila! Knee jerk! They see this as something they have to do for someone else that just gets in the way. I have often said that when you protect the information you keep on others, you are protecting them; when someone else does it, they are protecting you. Any business owner who has been a victim of identity theft does not have to be convinced that these laws are worthwhile. In fact, in my experience they are eager to develop a plan to protect information and are looking for guidance on implementing such a plan.

Until such time as all businesses and users of personal information take data security seriously, we as the public need to take the initiative to safeguard ourselves. Don't wait for them; it is a dangerous game with very high stakes for you. And without a good restorative service to be your advocate, you will be left largely alone to suffer the misery of fighting the system to clear your name and records.

1 comment:

George said...

John:

Great post! Stories like this must be told so consumers begin to understand the lax data security attitudes at too many companies (and ultimately apply pressure).

George