If you had something extremely valuable to ship--a bundle of cash, a bag of diamonds or the plotline for "Mission Impossible 3"--would you just pack it in a cardboard box and hand it over to the United Parcel Service for delivery? My guess is that you would take extraordinary precautions. Hire an armored car for the valuables. Encode the story line with bulletproof encryption. So why did Citigroup use unencrypted computer tapes for a UPS run to transport personal financial information on nearly 4 million of its customers?
Those tapes are now, um, misplaced--in the same zone where your missing eyeglasses and checked airport baggage disappear to. There's no reason to think that the private information on them will fall into the conniving hands of identity thieves, but it's certainly possible. The same goes for the confidential data lost by Time Warner on 600,000 employees and the hacker-compromised credit-card numbers of 1.4 million DSW Shoe Warehouse customers. Meanwhile, the secrets of 145,000 Americans held by a company called ChoicePoint are in definite peril, since the firm carelessly sold them to actual crooks. Considering that identity theft has reached epidemic proportions (10 million victims a year), it seems that companies are all too cavalier when it comes to protecting the raw material for such crimes.
Certainly one factor for these recent data debacles is that securing information is hard. But security experts and privacy advocates make sense when they argue that there's another reason. And that is that when disaster happens, it's other people who suffer the disaster. The companies vow to do better--and the victims are faced with years of financial vulnerability.
"Since the companies themselves don't suffer any loss, it's considered an external problem," says Bruce Schneier, chief technical officer of Counterpane, a security company. "The only way to fix this is to make it an internal problem, with financial peril." As Marc Rotenberg of the Electronic Privacy Information Center puts it, "Companies, not consumers, should bear the cost when security breaches occur."
One helpful step was a 2003 California law that compelled companies to come clean when they lost information that could cause people's credit ratings and legal status to implode. "There's no doubt that were it not for the California law, no one would have known [of these breaches]," says Sen. Dianne Feinstein, who is sponsoring a national law that would require even stronger disclosure notices.
The threat of exposure may well spur some companies to ratchet up the care with which they treat your information. But, as Counterpane's Schneier points out, the practice of shaming companies into compliance has its limits. After hearing of a dozen failures culminating in the loss of the 4 million records by Citi and UPS, how newsworthy will subsequent losses be, especially if they involve only a few thousand people exposed to identity thieves? And while ChoicePoint's well-publicized error was an embarrassment, its CEO nonetheless got a $1.8 million bonus for his performance last year.
Surely one remedy for this outbreak is to hit these companies where it hurts--in the pocketbook. Congress should go beyond disclosure laws and pass sanctions that make losing someone else's credit card, Social Security number or mom's maiden name such a costly proposition that companies will spare no expense to prevent such losses. We can't expect absolute perfection. But citizens should demand that companies protect their secrets as zealously as they protect their cash reserves. If not, those reserves should be drained considerably.