RHODE ISLAND STOLEN LAPTOP COMPUTER Scripps Howard News Service:
Those loose laptops
Editorial
The Providence Journal
10-APR-06

The recent theft of a laptop computer containing sensitive account data has put Fidelity Investments on the defensive. The laptop, reportedly stolen when it was taken to a business meeting, contained information on 196,000 retirement-account customers, including their Social Security numbers. All were current or former Hewlett-Packard Co. employees.

With their improved capacity to handle large amounts of data, laptops have opened a new door to identity theft. Workers carry them out of the office (and put them down) unthinkingly. Not surprisingly then, whoever erred at Fidelity has plenty of company. Since last year, according to the San Diego-based Privacy Rights Clearinghouse, laptops containing a substantial amount of private data were lost or stolen in 27 instances.

Although companies spend billions to protect sensitive information, not much goes toward the encryption technology that could prevent laptop data from being read. Fidelity says that its stolen information was 'scrambled,' which would make it hard to decipher. Nevertheless, it has urged vigilance, offering affected customers a year's worth of free credit monitoring.

Unfortunately, stolen information can be used to open credit-card accounts, steal from existing ones, or commit other forms of fraud for years afterward. Except in cases of credit-card theft, the remedies for victims generally range from weak to nonexistent.

In one of the few positive steps to be taken, California passed a law requiring that consumers be notified when theft of their personal information has occurred. Recently, some 20 other states have followed suit. Congress should make the law national.

But notification is only a beginning. Huge amounts of personal data are shared and sold, regardless of Americans' wishes. Yet it is doubtful that Congress will face down the lobbyists for this lucrative traffic anytime soon. If it cannot stomach limiting the use of personal data, it should at least establish minimum-security standards, including encryption, for companies that handle such information.