What Are You Doing With 25 Million Social Security Numbers On Your Laptop?

from the seemed-like-a-good-idea-at-the-time dept

In the never-ending barrage of stories about customer data leaks, one question is never answered: why are people carrying around laptops with so much personal information anyway? As you might expect, the answer's got more to do with laziness and stupidity than anything else. There's really no good reason for people to be carrying all this data on their laptops when it can be more securely held (in theory, anyway) in a central location, and accessed as needed over a network. Of course, all that requires a lot of effort, as does ensuring employees' computers are using encryption and other security techniques, and as long as companies have no incentive to protect customer data, there's little reason for them to go to the trouble, and cost, of actually securing data.


Reader Comments

  1.  
    Jim Grey, Jul 10th, 2006 @ 8:22am

    Keeping data centralized

    I used to work for a contractor who provided claims-processing services to Medicare. I had access to gobs of private health information. It was company policy that no data or work product of any sort was to be stored on your local PC -- everything was to be stored on heavily-protected servers. It was also made very difficult to do things such as export large quantities of social security numbers from mainframes to PCs. We didn't allow VPN access to our servers for laptop users either -- when you were working remotely, all you could do was dial in to check your e-mail. All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either.

     

  2.  
    SomeUser, Jul 10th, 2006 @ 9:51am

    Anonymize the data

    What I still can't understand is in lieu of the public flogging of this type of news, why institutions still give out this information. Much of this work is outsourced to another firm, so this will happen more and more. Even if the workers sit at the company, the work was still farmed out.

    Much of this information is so easy to anonymize (e.g. Addresses, phone numbers, SSN, etc.). The structure of data is the important thing, not necessarily the content. Take a representative sample of the structure and then put in bogus data. As the OP stated, this is complete laziness and stupidity. It is NOT that hard.

     

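Added example, not part of the original thread or any commenter's code: one way to do what the comment above describes, keeping the structure of a record set while replacing the identifying fields with bogus values. It uses a keyed hash so the same real value always maps to the same fake one (joins and duplicate detection still work), and it emits SSNs only in the 900-999 area range, which the SSA has never assigned. The field names, sample rows and key are constructed for illustration; the key is assumed to stay on the server that produces the test extract.

```python
import hashlib
import hmac
import re

# Constructed sample rows; none of these values belong to a real person.
SAMPLE_ROWS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "phone": "801-234-5678", "claim": 1250},
    {"name": "Bob Example", "ssn": "234-56-7890", "phone": "208-345-6789", "claim": 90},
    {"name": "Alice Example", "ssn": "123-45-6789", "phone": "801-234-5678", "claim": 300},
]

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def _digits(key: bytes, field: str, value: str, n: int) -> str:
    """Derive n decimal digits from a keyed hash of (field, value)."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**n).zfill(n)


def could_be_issued_ssn(ssn: str) -> bool:
    """True if the area number is one the SSA could have assigned."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area = m.group(1)
    return area not in ("000", "666") and not area.startswith("9")


def pseudonymize(rows, key: bytes):
    """Return copies of rows with identifying fields replaced by bogus values."""
    out = []
    for row in rows:
        d = _digits(key, "ssn", row["ssn"], 8)
        p = _digits(key, "phone", row["phone"], 2)
        n = _digits(key, "name", row["name"], 6)
        fake = dict(row)  # non-identifying fields (e.g. claim) pass through
        fake["ssn"] = f"9{d[0:2]}-{d[2:4]}-{d[4:8]}"  # area 900-999: never assigned
        fake["phone"] = f"{row['phone'][:3]}-555-01{p}"  # 555-0100..0199: reserved for fiction
        fake["name"] = f"Person {n}"
        out.append(fake)
    return out


if __name__ == "__main__":
    for r in pseudonymize(SAMPLE_ROWS, b"constructed-demo-key"):
        print(r)
```

Running `could_be_issued_ssn` over every SSN column in an extract before it leaves the server is a cheap gate: any `True` means real-looking numbers are still in the file.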

  3.  
    Dude, Jul 10th, 2006 @ 9:56am

    The next big screw up

    I think that this is an issue at all levels of data storage, but government is one of the worst offenders. Even when notified they are reluctant to make changes. Just shows the amount of hubris and laziness that they have for being good stewards of private data. It won't be resolved until there are heavy fines that get paid out to the victims.

     

  4.  
    Wiley, Jul 10th, 2006 @ 10:18am

    Fat, bloated and cumbersome

    Not that any of this is new news...I am a Fed, I know the process to implement these security measures takes not only an act of God, there are mounds of red tape and every system manager asking who gets their budget cut. Even if they wanted to implement a security measure now, it would have to go through the process (bidding, due diligence, etc.) which makes it available sometime in 2010. The Government is slow and cumbersome, not to mention a bloated pig. Follow the money as the rest of these bean counters do...It is easier to ask forgiveness than to get permission.

     

  5.  
    111-22-3333, Jul 10th, 2006 @ 10:36am

    "Silly" status quo is hard to change

    I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license, Idaho fishing license, are two examples. The reasons given include; "because", or "it's necessary to properly identify you". My social security card clearly states "for social security and tax purposes-not for identification".

    I can often get away with making one up. Until organizations change these "just because" default identifiers, I think we will experience more such breaches of information.

     

  6.  
    SPR, Jul 10th, 2006 @ 10:38am

    Re: Fat, bloated and cumbersome

    This is why Congress needs to pass a Federal law adding jail time as a penalty for inept AND corrupt disclosure of sensitive data they are entrusted to hold by the American people. I am tired of excuses. We need some decisive action on the part of the people we elect to these positions. They are elected to lead. It is about time they started leading!!

     

  7.  
    Home Business Tips, Jul 10th, 2006 @ 10:45am

    Re: "Silly" status quo is hard to change

    In Wisconsin they check for SSN to track down dead beat dads that aren't paying child support. This would be no reason to hold this data on a laptop though.

     

  8.  
    wilks, Jul 10th, 2006 @ 10:58am

    Wait until the lawsuits start happening. You want an incentive and civil court can be the great equalizer.

     

  9.  
    Haywood, Jul 10th, 2006 @ 10:59am

    Here's a twist for you; I recently received a letter from an insurance co. that I haven't dealt with in over 2 years. They claimed a laptop had been stolen with my info in it. They also were trying to sell me a subscription to a credit reporting service. I personally believe this is just a scam to sell credit reporting services.

     

  10.  
    MEoip, Jul 10th, 2006 @ 11:03am

    Obvious

    I think it is obvious that I'm selling them under the guise of having them stolen.

     

  11.  
    anonymous coward, Jul 10th, 2006 @ 11:15am

    i'm going to patent and start a company that has one product: massive lists of generic, randomized non-real data that can be used for corporate computer system testing.

    all i have to do is read the paper each day for the "fuck up du jour", call that company's IT executive (or his new replacement), ask them how many millions of names they need at 1/10 cent per name, and profit...

     

  12.  
    Wiley, Jul 10th, 2006 @ 11:31am

    Re: Re: Fat, bloated and cumbersome

    Agreed! The only way to get the Government off their fat asses is to impose fines. Better yet, stop paying taxes that support these idiots and the bloated agencies that continually lose this information.

     

  13.  
    Dam, Jul 10th, 2006 @ 11:38am

    Re: Keeping data centralized

    "All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either."


    Dealing in information is no different than physical inventory. An employer would fire anyone walking out of the building with selling inventory, no matter what it is. There's no plausible reason for it, unless movement of that inventory has been recorded with the appropriate paperwork. So why is data treated any differently? I can't take home a couple of cartons of product to complete my work, why should a guy/gal with a laptop be able to move sensitive data?

    Your employer was on top of things - mostly because they had to be. When other businesses have to be, under penalty of huge fines, this problem will be mitigated.

     

  14.  
    Anonymous Coward, Jul 10th, 2006 @ 11:40am

    Maybe if these companies didn't try to squeeze their employees so hard that they *have* to take work home, this wouldn't happen.

    Novel idea... yes, I know.

     

  15.  
    Brian, Jul 10th, 2006 @ 11:53am

    Re: Re: Fat, bloated and cumbersome

    They are elected to govern, we only wish they would lead.

     

  16.  
    Indelible1, Jul 10th, 2006 @ 11:59am

    Haven't any of these companies heard about encrypting sensitive customer and employee information?

    It boggles the mind that the public sector can encrypt and send data on a daily basis that complies with or exceeds DOD standards, but the folks that are entrusted with our most sensitive personal information keep it in a completely insecure database on their laptop with no consideration of those that it will negatively affect.

    Why not just put in an archive, encrypt it, and be done? It would be just as easy to access for the end user, but the common thugs that abscond with the laptop that was carelessly left in a vehicle wouldn't be able to access it with ease, due to lack of knowledge.

     

  17.  
    Jose, Jul 10th, 2006 @ 12:06pm

    Not hard to get at all

    People forget all of the people that the data goes through before it finally reaches the *secure* servers. I have a data entry friend that pays almost minimum wage and handle claims for blue cross blue shield and others with all the information they could ever want. Also to get that job or a copy of those documents is not hard at all.... it's like bringing gold to a super secure place and first driving it in a donkey with the gold wrap around plastic bags...

     

  18.  
    The Truth Is Out There, Jul 10th, 2006 @ 12:13pm

    Look in the mirror, sys admins

    A few years back, I worked at a big manufacturing company, and data my department needed every day was stored in a big dumb mainframe, with a big dumb UI, managed by big dumb programmers. A co-worker wanted a couple minor changes to the db schema, and argued with the Deniers of Information Services for months with no help. Finally, he bought a copy of MS Access, loaded it on his desktop, did a big dump off the mainframe, and in a couple of days built an app that worked waaaaaaay better than anything the "pros" ever provided. So, this wasn't personal data, and it wasn't a laptop, but if you tie your users up in red tape instead of helping them do their work, don't be surprised if they try to find a way around you. Unfortunately, that might lead to these kinds of security breaches.

     

  19.  
    Anonymous Coward, Jul 10th, 2006 @ 12:18pm

    Re: "Silly" status quo is hard to change

    States do not require you to use a SSN on your license. My UT license very clearly states "Not Required" under the SSN field. Massachusetts used to allow people to use their SSN, but again, it was never mandated. Also, the topic asks why this question of the data being carried on personal laptops never comes up. I don't understand this - it appears to be a major front story every single day. This topic itself looks like it was recycled from yesterday's Wired post (http://www.wired.com/news/wireservice/0,71348-0.html)

     

  20.  
    Prescott, Jul 10th, 2006 @ 12:24pm

    Re: "Silly" status quo is hard to change

    "I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license"

    Nitpicking, but Utah doesn't demand you put it on. They can leave the field blank. As I did.

    Back to the topic, I think we need a new social number, one that is for the federal government and a citizen only. That could be, you know, secure.

    When my healthcare account number is my social security number, it proves we have lost focus of what a social security number is.

     

  21.  
    jdw242, Jul 10th, 2006 @ 12:26pm

    what am I doing?

    apparently I am not working at a company with an IT manager that has a G.D. brain!

    No, really, it comes down to laziness. If I didn't fight and prove that the potential losses would close the business I work for we wouldn't have SafeBoot on our laptops right now. Everyone wants to have the security, but IT is supposed to take care of that. They don't understand it starts with the user being responsible.

    Of course, enter the obligatory IT Staff are not responsible for your own stupid carrying of said laptop into areas that are potentially dangerous, such as pool areas, bars, hot tubs, saunas, roof tops, crashing planes, etc., though our users probably think that we are...

     

  22.  
    jdw242, Jul 10th, 2006 @ 12:33pm

    almost forgot

    when they do lose their laptops, they usually come to the IT staff and ask for their data back.

    WTF? We're not your storage racks; we keep you working!

     

  23.  
    Jimmy Z, Jul 10th, 2006 @ 1:19pm

    Re: anonymous coward

    Please refrain from the use of free thought and discontinue the formulation of ideas or I will be forced to take legal action.

     

  24.  
    111-22-3333, Jul 10th, 2006 @ 1:38pm

    Re: Re: "Silly" status quo is hard to change

    Point of clarification ... one may opt out of displaying their SSN on their driver's license, but not on obtaining the license (unless they have changed the policy in the last year).

     

  25.  
    the IT Manager, Jul 10th, 2006 @ 2:24pm

    Shrugged Off

    I wrote an email to the IT department head once to write a simple script to get data for me and many co-workers that needed it. It would have saved the company tons of employee time, digging and searching. When I sent the email it was 10:35. By 10:37 I got a reply, "It can't be done." I responded. "Yes it can, attached here is the script. Please review and launch." BAM! Instant time saving, and I wasn't even in the IT dept. I copied the plant manager that time. Needless to say about 6 mo's later he wasn't working here anymore. WOOHOO!

     

  26.  
    Anonymous Coward, Jul 10th, 2006 @ 6:09pm

    Re: "Silly" status quo is hard to change

    "I can often get away with making one up."

    Well, that's great, but while you managed to provide yourself a modicum of security, you did it while committing a felony.

    Providing a FALSE Soc Sec Num is a felony. Do not do that. Simply refuse to provide it.

     

  27.  
    jeff, Jul 11th, 2006 @ 8:52pm

    Re: Re: "Silly" status quo is hard to change

    Only if the intent is to defraud.

     
