Why Keep Personal Information On A Laptop, When It's Much Easier To Steal On A CD?

from the good-work,-idiot dept

In story after story about data leaks stemming from a lost or stolen laptop, one question that's never answered very well is why people are carrying so much personal information on portable devices anyway. But why bother with the inconvenience of a laptop, when you could just put the social security numbers and other information of 75,000 of your customers on a CD without any encryption and make things so much easier for would-be identity thieves? That's what a boneheaded subcontractor for a health insurance company did, and now -- surprise, surprise -- the disc has gone missing. The insurance company is making the standard offer of a year of credit monitoring to those whose information was on the CD, but since the offending party didn't work directly for it, rather for another contractor, it sounds as if it won't be able to take any action against the subcontractor. So, it sounds like nothing's changing, and companies are remaining careless with personal information because there's no reason for them to protect it.

Reader Comments



  • ThDock22, 15 Mar 2007 @ 12:26pm

    Smart Thieves...

    Smart identity thieves would just wait a year before actually selling or using any of the information they got. Thanks for nothing you careless company.

    You would think the legislation would quit passing stupid laws, like banning MP3 players while walking around, and make some laws that actually are enforceable and have an effect, like requiring all sensitive/personal information stored on any kind of device to have GOOD/effective encryption strategies. I guess it is too much to ask we have some smart legislators though...

    Then again, maybe the CD fell behind one of the desks. I sure know I've found many of mine back there.


    • Anonymous Coward, 15 Mar 2007 @ 2:24pm

      Re: Smart Thieves...

      Smart identity thieves would just wait a year before actually selling or using any of the information they got. Thanks for nothing you careless company. You would think the legislation would quit passing stupid laws, like banning MP3 players while walking around, and make some laws that actually are enforceable and have an effect, like requiring all sensitive/personal information stored on any kind of device to have GOOD/effective encryption strategies. I guess it is too much to ask we have some smart legislators though... Then again, maybe the CD fell behind one of the desks. I sure know I've found many of mine back there.

      First of all, how would you write a law like that if you were a politician? Do you specify a particular encryption level? Does it apply to every piece of data that can be linked to a person? Wouldn't that effectively give the government the right to come in and look at any data a company has, without a warrant or other legal notice, in the name of making sure this new hypothetical encryption law is being followed?

      As a side note, the insurance industry already has rules regarding data protection that they can be fined under in this instance; it's called HIPAA.


      • TheDock22, 15 Mar 2007 @ 2:32pm

        Re: Re: Smart Thieves...

        First of all, how would you write a law like that if you were a politician?

        With small, easy words the other politicians could understand.

        Do you specify a particular encryption level? Does it apply to every piece of data that can be linked to a person?

        I suppose you would have to specify an encryption level, and I say any data an identity thief could use, like your birth-date and social security number. Name and address aren't really that important as far as stealing someone's identity.

        Wouldn't that effectively give the government the right to come in and look at any data a company has, without a warrant or other legal notice, in the name of making sure this new hypothetical encryption law is being followed?

        Well now that's just plain silly. Of course the government would have to have a warrant if they suspected a company was not upholding the encryption law. I mean, the cops can't bust down your door without a warrant for your computer (assuming they do not expect someone is about to be hurt inside your residence and even then they can only get the other person out and not collect any evidence).


  • Betaflame, 15 Mar 2007 @ 12:49pm

    There is one reason...

    "because there's no reason for them to protect it." While there may be no legal reason for protecting it, companies who lose customer data like this are penalised. Not by the gov't but by the customers. If a customer doesn't feel safe with you having their info they will not remain with that company. It has happened in the past, and I know of a few major companies who look at keeping customer data safe as a top priority. Banks have known this for years, I'm surprised other companies are taking so long to realise data leaks = bad thing.


    • TheDock22, 15 Mar 2007 @ 12:58pm

      Re: There is one reason...

      The problem is without steep penalties from the government, most big corporations do not care about losing a few customers here and there. Maybe if they had a large enough fine, they would be more careful with personal data.


  • gspot2016, 15 Mar 2007 @ 12:59pm

    Problem is the laws

    The problem is the laws. People that let identity information for companies they work for be stolen should get the death penalty. After a few owners of stolen CDs are put to death, people will think twice about how secure their data is.


  • UCLA Sucks, 15 Mar 2007 @ 1:03pm

    UCLA is one of the nation's leaders in losing people's information. They are never held liable for their information leaks, which is probably why it happens over and over.

    Not only that, but UCLA is a school. Because it is a school, it has the right to use means that are illegal for commercial companies to track you down and to sell your information. The law states that you must contact UCLA and ask them not to sell your information, or they may do it.

    I hate that UCLA tracks me down wherever I move within about 1 month. I hate that they hold onto my information. I hate that their data gets compromised so often.

    These companies, and non profit institutions should be held fully accountable for these information leaks due to negligence.


  • Overcast, 15 Mar 2007 @ 1:05pm

    Perhaps a lawsuit - they should be responsible for any identity theft that's a result of this.

    I'm curious - why has no one done that yet?

    And hey - that's worse than death for a big company - 100,000 lawsuits


  • Anonymous Coward, 15 Mar 2007 @ 1:38pm

    Easy Solution

    Maybe the politicians would care if they realized how serious identity theft really is. We need some people to focus on stealing politicians' identities and ruining their credit.


  • Rabid Wolverine, 15 Mar 2007 @ 1:50pm

    Personal Info...

    No bank account, no drivers license, no medical insurance (no records), no property, work for cash...

    That's the only way to keep the thought police at bay.


  • Buddhaboy, 15 Mar 2007 @ 2:08pm

    Why not make laws to protect SSN

    I think if a company is going to transfer your data (SSN) etc. to a third party, then YOU should be notified. That is your property. You can't change it, you can't protect it, THEY sell it and make a profit. I think we should all get a cut of that!


    • TheDock22, 15 Mar 2007 @ 2:15pm

      Re: Why not make laws to protect SSN

      Now you're speaking my language. Maybe I can sue all the companies with my SSN for trademark infringement. I mean, that is MY number. I could start off with something reasonable, like 2 million per company...


  • ehrichweiss, 15 Mar 2007 @ 2:38pm

    HIPAA

    As someone already pointed out, this falls under HIPAA and they can be fined BIG TIME. I know of a "network administrator" *cough cough* who set up a piss poor router for a medical billing company and he claimed to know about HIPAA. A year later they discovered the idiot left a major hole open and that data had possibly been compromised and my friend, who had warned him about all of this being a possibility, testified as an expert witness against him.

    No wonder I lie about my SSN, etc. these days. I'm sure someone else will collect my benefits but I don't really pay into social security anyway so what are they gonna get an extra $4/month?!!?


    • TheDock22, 15 Mar 2007 @ 2:47pm

      Re: HIPAA

      HIPAA is the Health Insurance Portability and Accountability Act, so it only applies to Medical/Health companies.

      What about credit card companies and such? What happens when the FBI screws up? Nothing.

      Also, the company that lost the information was a subsidiary company under a Health insurance company. I'm not sure they can legally be fined using HIPAA, those rules apply to 1st party companies as far as I know.


      • TheDock22, 15 Mar 2007 @ 2:48pm

        Re: Re: HIPAA

        Oops, not subsidiary company, but sub-contractor.


      • Tyshaun, 15 Mar 2007 @ 7:02pm

        Re: Re: HIPAA

        HIPAA is the Health Insurance Portability and Accountability Act, so it only applies to Medical/Health companies. What about credit card companies and such? What happens when the FBI screws up? Nothing. Also, the company that lost the information was a subsidiary company under a Health insurance company. I'm not sure they can legally be fined using HIPAA, those rules apply to 1st party companies as far as I know.

        HIPAA was written in such a way as to create a "chain of custody" for your information. Basically any recipient or handler of information that was acquired under HIPAA must be HIPAA compliant.


      • Tyshaun, 15 Mar 2007 @ 7:06pm

        Re: Re: HIPAA

        The only reason HIPAA applies is that this particular instance was about an insurance company. No, it does not apply to credit card companies, and in fact, a lot of CC companies write the fine print of their contracts such that you authorize them to distribute your information as they please (for instance, report your credit status to the credit bureaus). Given that fact, I'm not even sure a law written to penalize the situation described would even work for a company where you sign an authorization for them to distribute your information.


  • Phibian, 15 Mar 2007 @ 3:02pm

    Benefit of the doubt

    Should note that it isn't clear that the disc has actually been stolen. Although still a boneheaded thing to do, the fact is that the CD *could* have simply been misplaced (and I've seen important papers, CDs and even equipment go missing all the time and it has always been disorganization or carelessness that is the problem rather than thieves).

    Burned CDs are not the most reliable way to transfer information anyway. Even if stolen, assuming the burned CD contents will still be legible on the CD a year from now is a bit of a stretch - all they have to do is actually leave it out on a sunny desk somewhere and poof - the data is gone.


  • Me, 15 Mar 2007 @ 5:06pm

    Why only 1 year of

    protection? Why not a lifetime of credit monitoring?

