Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On

from the yawn dept

We’ve noted in the past that it’s become fairly standard for any company that has lost the private data of its customers, employees, partners or anyone else to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached the point where companies do it automatically, so the press can combine the two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal: with the announcement they immediately offer a year of free credit monitoring, and everyone can forget about it and move on. Never mind that credit monitoring only flags new credit activity and does nothing about misuse of the rest of what was on the laptop, such as medical records. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year’s free credit monitoring as a cost of doing business. It’s certainly cheaper than actually securing the data.



Comments on “Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On”

20 Comments
Garrett says:

CT's response to lost data

I’d like to give some credit to the State of Connecticut when it comes to handling lost data. About a year ago I received a letter that they had lost an encrypted laptop with my data in it, the usual story. Except, I hadn’t heard about this from the news at all. They took the initiative and contacted me.

They offered the free protection for one year. They also picked up an insurance plan to cover any losses. This wasn’t the end of it though. They continued to update me about the situation. Eventually they upped the protection to two years free and made sure that the debt protection company could not auto-renew our accounts.

Overall, the entire situation hasn’t really been a problem for me. The data was protected, the offer of coverage was generous and quick, and I wasn’t tied into future services. Go CT.

NSMike says:

Security Still a Priority

Maybe it is cheaper, but recently, the company I work for was transferring from a SQL-based payroll system to an Oracle-based payroll, and the engineer doing it left the payroll database on his laptop, on the front seat of his car, which was promptly stolen.

After that, our company implemented many costly security measures to prevent this from happening again. We got the free credit monitoring software, all that stuff. But they certainly didn’t ignore the security problem. Of course, like all solutions, it relies on the employees following these new procedures outside of the office. Which is by no means guaranteed, but at least they have an excuse to fire the people without question now.

Rich Kulawiec says:

And that

1. Have you read the stories of people who’ve found errors in their credit reports (whether due to disclosure or just the ordinary bureaucratic malfunctions) and have tried to get them fixed?

2. Knowing that your credit report is unaltered doesn’t tell you who has your data or how they’re using it.

3. Not all data lost is financial in nature: how does monitoring your credit deal with loss of medical records?

4. Since whoever has the data will see the same announcement of free credit monitoring for 1 year (or 2 years, or whatever) as everyone else, they know that if they sit on the data and do nothing for 1 year (or 2 years etc.) then it’s much less likely anyone will be watching then.

5. These problems follow the 1/10th of 1/10th rule that applies to any security disclosures: the number they know about is 10X the number they announce; the number that have actually happened is 10X the number they know about.

Not that any of this will change anything, of course. Nobody gets fired, nobody gets fined, no business gets shut down, not even in cases like TJX — where the executives are busy arranging golden parachutes for each other.

Jim (profile) says:

Laptops stolen - recovered - still no love.

We just had this happen in Nashville, TN with two election commission computers with our name/address/SSN on them. Yes, we are now getting the free credit report, but the local paper reports that the person who uses the laptop was told that there was no need to carry the entire SSN; all she really needed was the last four digits. She was also told by Metro IT that the data should be encrypted. She never did any of this because no one could make her.
This turns out to be more of an organizational problem than an IT or Security problem.

I would like to know everyone’s opinion on whether it is possible for the police to determine if the laptops were in fact not accessed.

Jack Bmg says:

Why would anyone think that one year of free credi

Once the SSN is out there, it’s out there. You can ask for a credit watch for 30 days at the three reporting agencies if you think you’ve been compromised. What happens here is that if you apply for credit somewhere, it will come back as “call agency” or something like that. It won’t be approved until you, the consumer, actually talk to someone at the credit agency. Since you’re in the presence of the merchant, then I guess that’s good enough for the agency. Not sure what will happen with online credit apps. I guess the premise here is that if your identity is good enough for the merchant, it’s good enough for the credit agency.
So, why don’t the credit agencies just permanently do this? It’s somewhat a hassle for the consumer, but I’ll take that over getting my id stolen.

Rich Kulawiec says:

Laptops stolen - recovered

It’s impossible to prove that the data was not accessed. A minimally-competent person seeking to extract the data won’t boot the system from its own disk drive(s) — which would likely leave a trail (e.g., timestamp modifications). They’ll boot it from either an external disk, or a CDROM/DVD, or a USB key, and simply vacuum all the data off the disk(s).
Alternatively, they may take it apart and remove the disk(s), reading them elsewhere, then replacing them. (This latter method has the advantage that it’s not necessary to power the laptop up at all — just in case there’s a counter in there that tracks minutes-of-operation.)

So the only prudent assumption to make is that ALL data has been read by parties unknown and may soon become available on the open market. Of course that’s not what we hear most of the time: what we hear is “there’s no proof it’s been accessed”. That statement is worthless.

Anonymous Coward says:

Re: Laptops stolen - recovered

Only thing you can really do is to seed the database with bogus entries. You’ll only know when the whole database has hit the open market.

A silly idea. If the database is for personal information, seed the database with the personal information of the executive staff, IT staff and anyone who handles/accesses the data…

Rich Kulawiec says:

The whole thing needs to be re-defined...

You’re correct, Eric — and the use of reasonably strong encryption, as we’ve had available for free for many years would help as well.

So would the seeding of data with known-bogus, known-trackable entries that would at least provide some hope of detecting a breach, possibly even identifying its method and giving some indication of how the data’s propagating.

But all of these are just band-aids. The same problem underlies this symptom as underlies others (spam, DDoS attacks, phishing, etc.): miserably poor security. Because that’s so systemic, even the countermeasures suggested here won’t truly address the issue. For example, suppose VPNs were used: any attacker in control of the VPN’s termination point, e.g., the laptop of the person working with the data, has full access to the VPN connection and thus whatever’s on the other end of it.

The problem isn’t that far better security isn’t available: it is. The problem is that people/companies won’t invest the time/effort/money to use it. After all, why should they? It’s not their data; why should they care?
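The seeding idea raised in the two comments above (known-bogus, known-trackable entries that reveal when a dataset has leaked and which copy it came from), worked through as an added example. This is not code from the page or from any commenter; it assumes a secret key held by the security team and kept off the laptops that carry extracts, a per-copy identifier for each extract handed out, and constructed sample records. The member names, SSN-like values and copy identifiers are made up.

```python
"""Seed a personal-data extract with canary records derived from a secret
key, then identify which extract a leaked dump came from.
Added example; names, values and identifiers below are constructed."""
import hashlib
import hmac
import random

# Assumption: this key lives with the security team, never in the database
# or on the laptops carrying extracts, so nothing on a stolen machine marks
# a row as a canary.
CANARY_KEY = b"example-key-replace-in-production"

FIRST = ["Ann", "Brian", "Carla", "Derek", "Elena", "Farid", "Gwen", "Hector"]
LAST = ["Abbott", "Baxter", "Cullen", "Dorsey", "Ellison", "Fairley", "Gannon", "Hollis"]


def canary_record(key, copy_id, index):
    """Deterministically derive one fake member record for one extract copy.
    The same key, copy_id and index always yield the same record, so the
    detector can regenerate canaries later instead of storing a list of them."""
    mac = hmac.new(key, f"{copy_id}:{index}".encode(), hashlib.sha256).digest()
    first = FIRST[mac[0] % len(FIRST)]
    last = LAST[mac[1] % len(LAST)]
    # Nine digits pulled from the MAC, formatted like the real column so the
    # row does not stand out. A real deployment must also check the value
    # cannot collide with a genuine person (assumed out of scope here).
    digits = "".join(str(b % 10) for b in mac[2:11])
    ssn = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return (f"{first} {last}", ssn)


def seed_extract(records, key, copy_id, count=3):
    """Return a copy of `records` with `count` canaries inserted at positions
    derived from the key, so two extracts differ only in their canaries."""
    seeded = list(records)
    placement_seed = hmac.new(key, f"{copy_id}:place".encode(), hashlib.sha256).digest()
    placement = random.Random(placement_seed)  # deterministic per key + copy
    for i in range(count):
        seeded.insert(placement.randrange(len(seeded) + 1), canary_record(key, copy_id, i))
    return seeded


def identify_source(leaked, key, copy_ids, count=3):
    """Given a leaked dump, return {copy_id: canaries_found} for every extract
    whose canaries appear in it. An empty result means either the dump is not
    ours or the canaries were stripped; it is not proof that nothing leaked."""
    seen = set(leaked)
    hits = {}
    for cid in copy_ids:
        n = sum(1 for i in range(count) if canary_record(key, cid, i) in seen)
        if n:
            hits[cid] = n
    return hits


# Constructed sample data: three "real" members and two extract copies.
MEMBERS = [("Jane Doe", "123-45-6789"), ("John Roe", "987-65-4321"), ("Pat Poe", "555-12-3456")]
COPIES = ["laptop-payroll-2008", "vendor-claims-2008"]

if __name__ == "__main__":
    extracts = {cid: seed_extract(MEMBERS, CANARY_KEY, cid) for cid in COPIES}
    # Simulate a leak: the vendor's copy turns up on the open market, shuffled.
    dump = list(extracts["vendor-claims-2008"])
    random.shuffle(dump)
    print(identify_source(dump, CANARY_KEY, COPIES))  # {'vendor-claims-2008': 3}
```

Because the canaries are regenerated from the key rather than stored, the database and the laptops carrying extracts contain nothing that distinguishes a canary from a real member, and the detector only needs the key and the list of copies that were handed out. The limitation matches the point made about “no proof it’s been accessed”: a dump with no canaries tells you nothing about whether the data was read, only a dump with canaries tells you something.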

Rich Kulawiec says:

Oh, and further stupidity

One of the best sites to track this ongoing parade is Pogo Was Right.

And one of the numerous incidents covered there today mentions a set of four desktops that were stolen — and which contain information on several thousand people. Their former owners point out that “the desktops were password protected”, either (a) unaware or (b) cynically refusing to admit that when an attacker has physical possession of the disk drives that password protection is irrelevant.

Private says:

Privacy Statement

Consumers should begin handing out “Privacy Statement” documents when asked to give out their SSN or other private credentials.

The statement should be worded so that the party requesting the data is held responsible for the loss of said data in the event of theft, or any other type of data loss.

I’ve actually done this in one instance (a car rental agency) where they wanted to make a copy of my driver license. They signed my statement in return for my allowing them to make a copy of the license.

The idea behind this is simple. You’re forcing the data requester to hold themselves legally accountable and responsible for your data. The best part of this is that you don’t need the backing of any state or federal law to do this.
