US TECHNOLOGY, LAX SECURITY PUT PERSONAL INFORMATION AT RISK http://www.infozine.com/news/stories/op/storiesView/sid/15914/
Technology, Lax Security Put Personal Information at Risk
By Nicholas Beadle
The holes in America's information security system are spacious enough for more than 88 million personal records - equivalent to almost a third of the U.S. adult population - to have slipped out for possible fraudulent use in the past 16 months.
Washington, D.C. - Scripps Howard Foundation Wire - infoZine - That includes breaches announced in the past week totaling almost a million critical records:
970,000 on a computer server stolen from a Midwestern AIG insurance office in March,
13,000 District of Columbia employees and retirees' records on a laptop computer burglars nabbed this month from an ING U.S. Financial Services employee and
2,500 employees of Equifax, one of the nation's top three credit agencies, on a laptop stolen off a London train in late May.
Privacy experts say the recent cavalcade of breaches is a confluence of increased portability of data and technology, better reporting of breaches and negligent security and loose handling of personal information. Still, no matter what caretakers of vital information do, there is no magic cure-all for information security woes.
"It's not just a government problem, it's not just a private sector problem - it's society-wide," said Beth Givens, founder and director of the Privacy Rights Clearinghouse, a California-based consumer rights group.
Givens' group began compiling its list of information security breaches after the February 2005 announcement that ChoicePoint, a consumer data broker, accidentally gave 163,000 people's financial records to bogus accounts set up by identity thieves.
Since then, the list has ballooned to more than 88 million breached records, with additions slashing onto the list almost daily.
Givens said the list records anything that can be used to commit identity theft or fraud in which vital information is stolen and used to impersonate its owner, usually for financial gain. Every type of group that holds sensitive data - from state and federal agencies to banks - has made the list.
Givens said part of the reason for the ease with which vital information can slip out of companies and agencies is that, as technology has taken one step forward, data security has taken a step back. More data can fit in smaller files on more portable - and more easily stolen - computers and devices.
More than 50 security breaches on the Clearinghouse list stem from stolen or lost computers. The equipment was recovered in only two incidents.
While in most of the incidents the computers were stolen for the hardware, not the vital data stashed within, there is a built-in market should thieves realize what they have, Givens said.
Records like the 26.5 million logs of veterans and service members' names, Social Security numbers, birth dates and addresses - near-perfect source material for identity theft - could rack up millions on the black market, said Evan Hendricks, editor of the Privacy Times newsletter and author of the book "Credit Scores and Credit Reports."
"It's hard to imagine what the ceiling on the value would be," he said.
The increases in breaches can also be attributed to better reporting for information security compromises because consumer laws in many states require companies to promptly inform consumers whose data has been compromised, Givens said. Though they are required to report the breaches only to those affected in certain states, she said companies have quickly found themselves spreading the word to customers nationally.
But a big reason for the increase in breaches is lax security by agencies and companies that are supposed to be the caretakers of personal information, Hendricks said.
Some recent breaches seem to back that up. At a House Veterans Affairs Committee hearing June 14, auditors from the VA Inspector General's Office and the Government Accountability Office said VA officials had been warned for almost a decade about soft spots in their information security - including controlling access to records - before it lost millions of them.
But government investigators said they found their recommendations rebuffed or ignored by a VA bureaucracy belligerent toward change despite the critical nature of the data employees were supposed to shepherd.
Sometimes vital information is traded too freely. The data stolen with a server from an AIG Medical Access regional office was from more than 100 million pages of names and Social Security numbers provided by employers who were planning to buy insurance for employees. The insurance company needed none of that information to provide a quote, said Chris Winans, an AIG spokesman.
Asked why AIG held onto the data if it did not need it, Winans said, "I can't answer that question."
Even when a security procedure is in place to keep information from draining out, that does not mean it will work. Mercantile Potomac Bank has a policy against taking customer information out of its banks in Virginia, Maryland and Washington. Still, 48,000 bank customers' Social Security and account numbers were on a laptop stolen from a bank worker's car in May.
Overcoming indifference toward security is probably the biggest challenge information caretakers face, but it can be overcome by hammering the point through training and tying respect for protecting data to job performance, Hendricks said.
That is usually the first step for agencies and companies that have let information go.
The VA is requiring all of its 230,000 employees to go through cyber and data security training by month's end.
At Mercantile Potomac, basic bank policy for handling customer data has been reiterated to employees, said Janice Davis, a bank spokeswoman. But even that includes wiggle room.
"It's one thing that you have one person's file and you're going to an appointment, it's another thing that you have this much of information on a laptop," said Stephen Heine, Mercantile Potomac's senior vice president for client services.
AIG tightened its policy, prohibiting potential customers from providing personal information unless AIG needs it, Winans said.
But more shock-and-awe legal consequences are needed for those who do not take the precautions to secure information, Hendricks said.
The 1999 Gramm-Leach-Bliley Act requires financial institutions to keep consumer information confidential and secure. In response, the Federal Trade Commission issued the Safeguard Rule, which requires the businesses the commission monitors to take measures to guard that data.
But the FTC usually only orders companies that lose data because of weak security to add stronger protections and subject themselves to an independent security audit biennially for 20 years. ChoicePoint did take a financial hit - $10 million in punitive damages and $5 million in consumer redress. That was because the FTC found the company had violated the Fair Credit Reporting Act by providing credit information to malevolent parties.
"For the most part, no organization has really had to pay the price for bad data security," Hendricks said. "You're not going to have a FTC or a state or private lawsuit that's immediately going to come in and ring you up. That's why you have this lax attitude."
Legislation in the House would set a national requirement for notifying those at risk after security breaches and strengthen the security requirements of the Gramm-Leach-Bliley Act.
But given the advances in technology and other factors, those who handle vital data must keep up their work through regular audits and patch up holes as they come along if they do not want information to flood out, Hendricks said. The AIG server stolen was password protected and locked up, but burglars still got in and data still leaked out, Winans said.
"You cannot recognize every possible way" data can leak, Hendricks said. "But there are ways that are easily recognizable and you have to prepare for those."
Tuesday, June 27, 2006