Thursday, August 6, 2009

Companies Take Heed

Corporate Ethics Must Change, Says Matwyshyn. A Wharton School professor says that corporations will have to adapt to increasing consumer savvy when it comes to the role of information security in business dealings, reports Forbes. At Defcon last week, privacy expert and Wharton professor of legal studies and business ethics Andrea Matwyshyn said: "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing." Matwyshyn studies corporate law and information technology. She says even though they are not required to disclose their security procedures to consumers, big businesses should inform customers about their security practices and threats, adding that if corporate ethics don't change, legislators might step in.

While it is true that businesses are not required to disclose security procedures and methods, the public still has the last say in this. When you go to work for a company, enter into an agreement or contract with another business, invest in a business, or simply do business with one, you have the right to expect that it is handling your personal information in a responsible manner. And you have the right to NOT get involved with a business that does not take this seriously. If the business is covered by the Red Flags Rule, you can ask to see its identity theft prevention and response policy. I have been to bank branches for speaking engagements since Nov 1st of '08 where the branch manager had no idea of the bank's policy nor what the policy document looked like. Banks were to be in compliance prior to November 1st of '08. The bottom line is this: if you are one of the people who are waiting for the government to fix the problem, you are not going to get any satisfaction. We are empowered to make businesses take the responsible route when it comes to data security. We live in a society where lawyers throw cases of client files in dumpsters, personnel departments email sensitive personal info to one another without any sort of encryption or protection, and employees lose laptops and thumb drives containing unencrypted NPI on a regular basis. These are just a few of the "mistakes" companies make daily, and they do not include the intentional acts of theft of paper files, flash drives, and CD-ROMs by underpaid, laid-off or disgruntled employees needing extra cash.

If a business does not address this issue head-on by training and honestly assessing internal risk, it is playing with fire. There is no company size limit either. EVERY business, regardless of size, must take heed. This is a real issue with real consequences, and businesses are the prime source of data.

Tuesday, August 4, 2009

Government Employees' Names, SSNs Exposed


U.S. Commerce Department employees have been notified that their sensitive personal information was exposed last month, reports the Washington Post. The names and Social Security numbers of 27,000 were on an Excel spreadsheet that a National Finance Center employee sent to a co-worker via unencrypted e-mail, the report states. The department is making arrangements to track for identity theft resulting from the breach and is urging employees to monitor their credit reports.

I repeat, your information is out there and used, or misused, each and every day of the week.
No one can prevent accidents or mistakes from happening, just as you cannot prevent intentional acts of data theft. If you have a comprehensive ID theft early warning and restoration service working for you, you can be assured that no matter how your personal information gets into the hands of the wrong people, they cannot ruin your life. The damage is very limited and correctable.