Common sense can protect sensitive data
By Ellen Simon
WASHINGTON Stealing Social Security numbers and other sensitive data isn't always a cloak-and-dagger, ultra-sophisticated operation: It's often a low-tech job made easier by carelessness and flimsy safeguards.
Lenne Ignelzi Associated Press
Security expert Jim Stickley was surprised when organizers of his son's karate classes in San Diego asked for his Social Security and driver's license numbers. "There's no reason for that," he said.
Lenne Ignelzi Associated Press
But "security and privacy, for a lot of large organizations, are an afterthought, not a priority," said Evan Hendricks, who publishes the newsletter "Privacy Times."
Consider the latest headache for some large banks:
Wachovia Corp. and Bank of America Corp. say they have notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees allegedly sold account numbers and balances to a man who then sold them to data collection agencies.
Nine people have been arrested in New Jersey in the case.
Or consider MCI Inc.'s privacy problem:
An MCI laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. The car was parked in the analyst's home garage.
The computer was password-protected; the company would not comment on whether the data was encrypted.
Encryption, which is relatively inexpensive, would make all those records all but impossible to access.
After a previous embarrassment, Bank of America Corp. is testing different encryption methods.
It lost backup tapes in December containing the Social Security numbers and account information for 1.2 million federal workers, including senators and 900,000 Defense Department employees.
Time Warner Inc. also could have avoided a black eye had it encrypted the backup tapes with the names and Social Security numbers of 600,000 current and former employees lost after the tapes were misplaced by Iron Mountain Inc.
The storage service company had been transporting the tapes by van.
After disclosing its loss, Time Warner said it would begin encrypting its employee data.
Such losses go to the heart of information technology security, whose importance is magnified as more data is concentrated in ever smaller packages.
That the backup tapes in the Bank of America case were shipped as ordinary commercial air cargo demonstrates that the bank didn't understand their worth, said Jim Harper, director of information policy studies at the Cato Institute think tank.
"That's like shipping stock certificates in an envelope," he said. "Personal data is cash money. If you leave it sitting out on a sidewalk, you're making a mistake."
Companies should also clean up their data before sending it to an outside party, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Louisiana security company.
Credit unions in San Diego sent their customer databases, including Social Security numbers, to a marketing firm.
When the marketing firm was robbed, the numbers were stolen, he said.
Companies need to take shredding more seriously, too, said Stickley, and limit access to sensitive information.
One simple measure many companies can start with is collecting less information, said Stickley.
When Stickley signed his son up for karate recently, he was asked for his Social Security number, home address and driver's license number.
"There's no reason for that," he said. "The security at the karate shop is not like a bank."