Friday, October 10, 2008

Data Breaches, What Options Does the Consumer Have?

I have written about this before but it is always scary when the topic rears its ugly head.

The Identity Theft Resource Center, of San Diego, found that this year's data breach tally has easily eclipsed 2007's 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008.

About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center's 2008 Breach List.

Some 30 million records on consumers have been exposed so far this year. But experts say that figure almost certainly masks a much larger problem, as there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected.

Some states require entities to alert consumers of a data breach, but this is, in most cases, pretty useless. I personally have been notified on three occasions (by my credit card company and a hospital and the VA) of my data being ‘lost’ and each time the date of the letter was 6-8 months after the fact. How does notification help in these cases? As usual the law was not written well enough to actually protect the consumer. Entities should be forced to notify consumers in a more timely manner, for example, within one week of a data breach in order for us to be aware that our personal information has been compromised.

If only these companies protected my information as if it were their own.

Most of us make some attempt to protect our data while on our own home computer, but when it becomes necessary to give out our personal information we have to trust that the entity we give it to will protect it. Instead we find we are becoming more and more vulnerable to whatever level of seriousness corporations extend to preventing a data breach. Sometimes, their own employees misuse our data, either through negligence or downright theft.

In other cases, the company that we are forced to trust with our data hands that data over to a contractor, without our knowledge, which increases our vulnerability.

How many of us would be notified of a data breach if it were not for state law forcing the notification? It is understandable that these companies and our government would not want consumers to lose faith in their ability to properly care for our personal information, but this is exactly the type of information we need to be informed of about these entities. If they are not forthright enough to tell us of problems on their own without the threat of penalty, then why should we trust them with any other transaction? Because we have to.

In order to make purchases online we must send personal information over supposedly secure networks. When we make purchases at brick-and-mortar stores with credit cards we must have faith that those transactions are forwarded to our credit card company and the store's headquarters over secured lines. Plus, we have the added vulnerability of exposing our credit card numbers to store clerks. Some of these concerns are being addressed to remove the clerk from the equation, but once our information is sent through those desktop data collection devices, what guarantee do we have that the information is not intercepted?

We are asked to have a lot of faith in whoever we give our information to and we are being told that there are more data breaches almost every day.

There are many data encryption routines that can protect data, but many companies don’t want to take the extra time involved to encrypt the data and decrypt it for access. Therefore we, the consumers, lose.

Can we sue entities for losing our data? It is becoming increasingly apparent that suits brought against these entities are going nowhere. The main roadblock to getting a judge to hear such a case is the question of how much harm is actually done to the person whose data was ‘lost’ or ‘stolen’. Plus, how do you prove the data was either ‘lost’ or ‘stolen’? As a result, the consumer is left to worry about when their data will be used by unscrupulous persons and will then be faced with having to suffer whatever damage is done.

In a world that is increasingly going digital, coupled with corporations farming out work to contractors and sub-contractors, the risk to our personal data is increasing. Human error and greed account for the vast majority of these data breaches, and until we can take the human element out of the data stream we will always be at risk.

As an additional threat, Homeland Security and the FBI have been pursuing the creation of databases containing extensive data on every person in the U.S. The prospect of accessing this ‘mother lode’ of personal data must have hackers salivating.
