Sunday, June 18, 2006

What's In Front of The ING?

After more than a year of ads, it seems we now know what's in front of the "ING".

MISSING

As in MISSING a laptop computer: an ING employee downloaded confidential data on roughly 13,000 employees of Washington, DC from a central database onto a laptop, took the laptop home, and then had it stolen.

How much of a trend do we need before Congress takes concrete action to improve the privacy and security practices of corporations that collect crucial information on hundreds of millions of individuals? Apparently, disappearing data from TransUnion, Mastercard, the Veterans Administration, the Department of Energy and ING isn't enough.

The US House actually has a resolution under consideration entitled the "Financial Services Protection Act" (HR 3997) that would impose a single national standard for obligations of corporations encountering stolen data and rights of consumers to be notified in the event of a breach. Sounds good, right?

Wrong.

The bill would actually prevent individuals from freezing their credit history against review unless they have an actual, proven case of identity theft. Instead of being able to err on the side of caution and block their credit history from being consulted by someone attempting to open a new line of credit in their name, consumers would have to WAIT until the damage was already done.

It gets worse. The bill would put Treasury resources in charge of enforcement against credit and identity fraud rather than allowing states to continue pursuing cases as they see fit. Opponents also believe the proposed law would actually soften the criteria for "reportable" breaches of data, decreasing the likelihood that consumers would be notified of threats to the confidentiality of their data.

Besides adopting STRICTER standards on notification of potential breaches, Congress needs to consider legislation forcing corporations to adopt basic protections in billing and data-warehousing software to improve the protection of customer data. There are too many employees with too many paths for exporting data from corporate systems to mobile computers to completely eliminate the risk from a stolen laptop.

However, there is no reason customer credit card numbers, Social Security Numbers and driver's license numbers should be stored in clear text within any database. No corporation or government agency needs to sort or organize data by these fields, so there is no need to save them in clear text. If they were encrypted, a would-be thief would wind up with phone numbers, addresses and names, information no more valuable than the commercial data available from direct mail marketing firms and other public sources.

This is not rocket science. It's incompetence.
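As an added illustration of the storage pattern argued for above (example code written for this edit, not from the original post or from ING): the sensitive field is kept only as AES-256-GCM ciphertext, and an HMAC "blind index" column supports exact-match lookups without any clear-text copy. The two-key Vault, the key generation and the SSN values are constructed here for the example; the choice of AES-GCM plus HMAC-SHA256 is mine, the post only says "encrypted".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Vault holds the two keys (hypothetical: in production they live in a KMS or HSM, apart from the database).
type Vault struct {
	aead   cipher.AEAD // AES-256-GCM for the stored value
	idxKey []byte      // HMAC key for the blind index used in exact-match lookups
}

// NewVault draws two independent 256-bit keys; crypto/rand.Read never returns short.
func NewVault() Vault {
	encKey, idxKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(idxKey)
	block, _ := aes.NewCipher(encKey) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)      // 16-byte AES block: cannot fail
	return Vault{aead: g, idxKey: idxKey}
}

// Index is the lookup column: equal SSNs give equal tokens (query table[v.Index(ssn)]); without idxKey a token reveals nothing.
func (v Vault) Index(ssn string) string {
	m := hmac.New(sha256.New, v.idxKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// Seal is the column that holds the SSN: nonce || ciphertext || GCM tag, fresh nonce per row.
func (v Vault) Seal(ssn string) []byte {
	nonce := make([]byte, v.aead.NonceSize())
	rand.Read(nonce)
	return v.aead.Seal(nonce, nonce, []byte(ssn), nil)
}

// Open recovers the SSN for the one authorised path that needs it, e.g. a bureau submission.
func (v Vault) Open(sealed []byte) (string, error) {
	if n := v.aead.NonceSize(); len(sealed) >= n {
		plain, err := v.aead.Open(nil, sealed[:n], sealed[n:], nil)
		return string(plain), err
	}
	return "", errors.New("sealed value too short")
}
```

A copied table holds only index tokens and sealed blobs; both are inert without the keys, while matching a customer by SSN still works.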

=====================

#1) Info on 3623 consumers stolen from credit bureau Trans Union
http://www.consumeraffairs.com/news04/2005/trans_union_theft.html

#2) Info on 26 million veterans stolen from VA laptop
http://www.capitalnews9.com/content/headlines/?ArID=179908&SecID=33

#3) Mastercard data stolen from Polo
http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-04-14-polo-data-theft_x.htm

#4) Department of Energy employee data stolen by hacker
http://www.wgal.com/money/9356798/detail.html?rss=lan&psp=nationalnews

#5) Washington DC employee data stolen from ING
http://www.marketwatch.com/News/Story/Story.aspx?guid=%7B5EB7D976%2D2922%2D4E99%2D9F6E%2DB1F323A884FA%7D&dist=rss&siteid=mktw&rss=1

#6) Details on House Resolution 3997
http://www.usatoday.com/money/perfi/credit/2006-06-14-credit-freeze-usat_x.htm