How Many Times Has Your Personal Data Been Stolen This Year?
If you don't know how many data breaches have occurred within the past few years, you must be living under a rock. From the Veterans Administration to TJ Maxx (one of the largest consumer leaks ever) and from hospitals to corporations, security breaches have compromised many American identities. Privacy Rights Clearinghouse reports that more than 150 publicly reported data breaches occurred between February 2005 and March 2006 alone, putting the personal information of more than 54 million Americans at risk.
Although veterans, shoppers, patients and employees have demanded more privacy protection, federal legislation can prove ineffectual unless it can be shown that the data was not secured sufficiently. States have stepped in, but they've passed privacy laws that represent mere patchwork solutions to an international problem. In addition, technological advances have expanded the potential for data to be used and compromised, both by legitimate companies and in underground chat rooms. How can you protect yourself from personal data exposure?
The following information will help you to discover whether your personal data has been compromised in the first place. If it has, you'll find more information about what to do to correct the problem - if anything needs to be done - and ways to protect yourself in the future.
Types of Data Breaches
The Federal Reserve Bank in Philadelphia held a conference [PDF] in September 2006 that focused on information security, data breaches, and cardholder information protection. They identified three types of data breaches that affect consumers:
- Data at rest: Data at rest is information that resides on computers or on other devices within an organization. This type of data represents a specific risk because that data is vulnerable to insider threats, and these threats are hardest to protect against.
- Data in transit: Data in transit is information that is traveling over networks. Within corporate environments this data is often the most secure of the three, because it is the most straightforward problem to address with encryption; in the private sector, where there is often a more extensive processing chain with multiple parties using several networks, data in transit is less secure.
- Data in travel: Data in travel includes information stored on laptops or other portable devices like thumb-drives, PDAs, and cell phones. According to this report, the Federal Reserve "has policies that define appropriate use of data and how and where the data can be transported." Researchers found that lost or stolen laptops remain the top culprit, accounting for 45 percent of all the incidents studied by the Ponemon Institute.
The problem here is that the Federal Reserve represents just one entity among thousands that hold personal information on file in at least one, if not all three, of the situations noted above. The well-publicized Veterans Administration (VA) 'breach' that occurred in 2006, for example, was just one of five breaches that the VA experienced in 2006. In total, approximately 28,637,500 veterans were affected by these events.
While the computer that contained information that affected 26.5 million veterans was found and it was felt that none of the information had been compromised, this doesn't mean that any veteran can rest easy. The VA's Security Operations Center has referred 250 security breach incidents since July 2006 to its inspector general, which has led to 46 separate investigations that have affected millions of veterans, VA patients, and physicians.
While these government breaches seem inexcusable and incompetent, it is somewhat heartening to understand that not all 'breaches' lead to identity theft, nor are they the only means by which identity theft may occur. With that said, how do you know if your information was included in any one of the numerous cases that were documented over the past few years outside the VA? As you'll learn below, you may not know if your information has been compromised until the damage has been done.
Data Breach Omissions
In some cases, you might not learn that your data was stolen until the company or organization that was affected informs you about the breach. Often, you'll find out about a breach in the news much faster, as data breaches and their consequences have become more prominent in the press. While federal legislation has moved slowly, California was the first state to act on consumer protection, and businesses and organizations are following suit.
California's Senate Bill 1386, which was enacted in August 2002 and became effective in July 2003, has become the benchmark for data breach notification. This bill requires firms that do business in California to notify consumers when a data breach has occurred, regardless of how that information was or was not used. Since the California market is sufficiently large, if consumers are affected in that state, then consumers could be affected nationwide.
Take, for instance, the case in 2004 where ChoicePoint learned that their data may have been compromised. ChoicePoint maintains a dossier on virtually every American consumer that includes name, address, Social Security number, credit reports, and more, yet it remained mute about the theft for four months on the claim that a government agency forced the firm to delay notifying individuals, even in California. Finally, in February 2005, over 30,000 Californians were informed about the breach. Within days, ChoicePoint confirmed that scammers had culled personal information about tens of thousands of Americans, and that this theft had resulted in at least 750 individual cases of identity theft within those four months.
As of 2006, twenty states had created statutes that impose restrictions on the use and transmission of Social Security numbers. Six states have set general standards for information security, and some states are beginning to implement statutes that require appropriate disposal of sensitive records. The Federal Trade Commission (FTC) passed regulations in 2005 that require proper destruction of consumer reports, based upon the fact that more employers are ordering background, credit history, and criminal conviction checks on job applicants and current employees. This 'patchwork' of legislation is grounds for the adoption of uniform consumer protection, a policy-making process that's in the works but far from being employed.
Data Breach Research
At this point you probably realize that the dissemination of your personal information often is beyond your control. And, if you don't stay in touch with the news or if you haven't been informed personally about a breach, you might not realize that your personal information was probably in peril several times - not just once - within the past year alone.
Privacy Rights Clearinghouse maintains a public database that lists all known data breaches that occurred from 10 January 2005 to the latest known breach in June 2007. A quick glance at this list shows that the majority of hacked, stolen, and lost information occurred at universities, government agencies, and banks across the nation. While businesses aren't immune from data breaches, the general public might hope that they could trust colleges, financial institutions, and the government to keep their personal information safe.
If you can find a reason to believe that your information was included in any one or more of the breaches listed at the Privacy Rights Clearinghouse, then you might want to conduct more research about the particular incident(s). You can search online, but you can also call the organization directly or learn more about the incident through the organization's Web site. In some cases, you might find that class action lawsuits have been filed, but your chances of achieving restitution might be slim unless the organization didn't take measures to protect your information.
Data Breach Costs
Data breaches per se do not violate the law as a company or organization can take reasonable precautions and still be victimized. However, the failure to adequately secure consumer data can be grounds for violation of the “unfair or deceptive practices” standard of the Federal Trade Commission Act and possibly the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the Fair Credit Reporting Act (FCRA [PDF]), and the Gramm-Leach-Bliley Act. If you become involved with a class action lawsuit, you might inquire if any one or all of these protective acts are being incorporated into the suit.
Although the personal cost to consumers - even when data has not been compromised - is huge, corporations and organizations that have been victimized are paying increasingly higher costs for data breach incidents. eWeek reported that the Ponemon Institute discovered the average cost of a breach, above and beyond any consequences of the misuse of data, equaled $182 per data record. This study covered thirty-one breaches that amounted to an average cost of $4.8 million per incident, per firm. This cost reflects a thirty percent increase over the costs calculated in the previous year.
Unfortunately, since many companies and organizations aren't prepared for data breach incidents, their initial unrehearsed actions often account for this high cost. Credit card issuers often phone customers when those consumers' data might have been compromised rather than using the mail. In these instances, the credit issuers often offer the chance to close a compromised account and offer incentives to discourage those customers from taking their business elsewhere. Phone calls, compensation for closed accounts, and incentives all add to the company's costs.
In addition, the cost for a breach could include fines and restitution that the FTC or banking regulators might order. These costs would include paying for credit monitoring services for consumers whose data were exposed. Non-banking organizations that fail to store data securely also can face penalties from the FTC, as this organization has the authority to impose an annual audit requirement lasting twenty years that can prove costly.
These costs will force organizations and businesses to tighten security when they can afford it, or force smaller businesses to abandon online purchase procedures because of the cost. On the other hand, many consumers have learned that online purchases are often fraught with real or imagined perils, and this additional fear puts the entire online purchase and banking situation at a crossroads.
I wish I could tell you about an easy solution to this growing data breach problem, but that solution doesn't exist. You can, however, reduce your risk for identity theft through actions that you can control. You can also learn more about credit card security issues so you're aware of changes within this financial arena. When you gain knowledge and prepare for the worst possible scenario, your efforts will save time and money in the long run.
Online security issues are also important, but you might breathe easier knowing that only twenty-three percent of all malicious software created in 2006 exploited a software security vulnerability. In fact, you are responsible for compromising your security when you infect your computer with malicious software. Don't click on virus-laden email attachments (or any attachments, for that matter, unless you've verified their arrival with the sending party), and be careful about clicking on links contained within instant messages or even on trusted sites. Before you click, right-click on those links to see whether their URL addresses match the name of the business or organization. If not, click at your own risk.
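The link check described above can be made mechanical. The following is an added example, not code from the original article: given a link's actual address (the href you see when you right-click) and the domain you already know belongs to the business (`expectedDomain`, an assumption supplied by the reader), it parses the URL with the standard WHATWG URL API available in browsers and Node.js and reports whether the host really belongs to that domain. It rejects the common tricks of burying the real host after an `@`, or prefixing the trusted name as a subdomain of an unrelated host. The sample links are constructed for illustration; the code does not handle lookalike characters or public-suffix rules.

```javascript
// Added example (not from the article): decide whether a link's URL actually
// belongs to the business it claims to represent, as the article advises
// checking before clicking. expectedDomain is the domain the reader already
// knows for the business (assumption, e.g. "example-bank.com").

function linkMatchesBusiness(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);               // throws on a malformed URL
  } catch (e) {
    return { ok: false, reason: "malformed URL" };
  }

  // Only web links can "belong" to a business; other schemes are rejected.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "unexpected scheme " + url.protocol };
  }

  // "https://example-bank.com@other.example/" puts the real host after the
  // '@'. The parser already separates it, but embedded credentials are a
  // classic way to make the address look right, so flag them outright.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }

  // Normalise: lower-case and drop a trailing dot ("example-bank.com.").
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();

  // Accept the domain itself or a true subdomain of it. A host such as
  // "example-bank.com.other.example" ends with "other.example", not with
  // ".example-bank.com", so the suffix test rejects it.
  const matches = host === expected || host.endsWith("." + expected);
  return matches
    ? { ok: true, reason: "host belongs to " + expected }
    : { ok: false, reason: "host " + host + " is not " + expected };
}

// Constructed sample links, as might be found in a message claiming to come
// from "Example Bank" (all domains are placeholders).
const CONSTRUCTED_LINKS = [
  "https://www.example-bank.com/login",             // genuine subdomain
  "https://example-bank.com./",                     // trailing dot, still genuine
  "https://example-bank.com.other.example/login",   // trusted name as a subdomain
  "https://example-bank.com@other.example/",        // real host hidden after '@'
  "http://example-bank.com-secure.example/",        // lookalike with a suffix
  "not a url",                                      // malformed
];

// Run the check over every link and return one verdict per link.
function auditLinks(links, expectedDomain) {
  return links.map((href) => ({ href, ...linkMatchesBusiness(href, expectedDomain) }));
}

// Usage: auditLinks(CONSTRUCTED_LINKS, "example-bank.com") returns six
// verdicts; only the first two have ok === true.
```

The suffix test is deliberately strict: it compares the whole registrable name, so a host that merely contains the business name somewhere, or uses it as a leading label, is not accepted. Anything the parser cannot interpret is treated as untrusted rather than guessed at.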
Finally, it may be wise to note that many laws currently state that organizations and businesses are allowed a forty-five day window before they need to inform consumers about a data breach. You can, in that time frame, already know if your financial accounts have been compromised by reviewing your monthly bills. You also can bookmark the Privacy Rights Clearinghouse site as well as the Federal Trade Commission site so you can stay on top of any changes in known cases and in legislation. As soon as you discover that your personal information might be at risk, take steps immediately to secure your privacy and your information. Even if you discover later that your information remained safe, the steps you take now can provide you with the skills you need to remain secure.