You're responsible for securing the private information you store on your computer or transmit over the Internet. But what about your personal data that's in the hands of some organization you've trusted with it?
From the IRS to your local florist, your private information is widely shared. And every day some organization loses sensitive data about its clients or customers, whether through an external attack or (more often) through the loss or theft of a laptop or storage device.
Here are three recent examples from the Open Security Foundation's Data Loss Database:
- A disgruntled employee steals the Social Security numbers, credit-card accounts, and other personal data of about 1,200 customers. The information is used to create fake unemployment accounts, defrauding the Maryland Department of Labor, Licensing and Regulation of up to $170,000.
- A laptop stolen from a property-management company in Vermont contains some SSNs and other private data about residents, according to the notice the firm sent to affected clients (pdf).
- A tax-preparation service is evicted from its San Francisco office and leaves a box of old tax returns outside the front door.
Another useful source of information on recent data breaches is the Privacy Rights Clearinghouse Chronology of Data Breaches, which lists occurrences dating back to 2005 of organizations losing sensitive data.
How effective are breach notification laws?
According to the National Conference of State Legislatures' Security Breach Legislation 2011, 46 states currently require organizations to notify people whose private data has been compromised, in many cases only once a breach affects a minimum number of people (usually 500). Information that qualifies as private is typically a person's name (first name or initial plus last name) combined with an SSN, a driver's-license number, financial-account data, or health or medical data.
(The U.S. Department of Health and Human Services site explains the more-stringent HIPAA breach-notification requirements for health data. Pending federal legislation on data-breach notification includes the Data Breach Notification Act of 2011 and the Personal Data Protection and Breach Accountability Act of 2011.)
The list may soon include some or all e-mail addresses, as explained by Mark G. McCreary of Fox Rothschild L.L.P. in Breach Notification: Time for a Wake-up Call. Targeted e-mail attacks, or spear phishing, are often sent from compromised accounts so that they appear to come from trusted sources, and a stolen list of addresses gives the attacker a ready-made set of targets who are known to do business with the breached organization. A breach of e-mail addresses alone could therefore lead to financial losses for the victims.
Current and proposed laws requiring breach notification are no guarantee you'll be told whenever your private data has been exposed by a third party. The Social Security Administration was roundly criticized for failing to notify thousands of people whose names, dates of birth, and SSNs were made public inadvertently in the Death Master File, which is available for sale from many different Web sites, according to the Consumer Watchdog site.
The simplest solution: Encrypt all data
In many cases the organization that lost the private data could have virtually eliminated the risk by encrypting the sensitive files. Note what encryption does and does not buy you: it protects against the lost or stolen laptop in the Vermont example above, provided the key is not stored alongside the data and the machine was locked or powered off, but it would not have stopped the disgruntled employee in the Maryland example, who had legitimate access to the decrypted data. Unfortunately, only Nevada and Massachusetts currently require organizations to encrypt the private data they store, according to Keith Vance on the eSecurityPlanet site.
The National Institute of Standards and Technology's Federal Information Processing Standards (FIPS), such as FIPS 140-2 for validated cryptographic modules, and the Twenty Critical Security Controls serve as guidelines for large enterprises implementing soup-to-nuts data-protection plans. What's missing are guidelines for small businesses.
The Better Business Bureau offers a primer on data security for small business (pdf) that includes data-inventory checklists, security-auditing guidelines, and tips for spotting identity theft. (Note that the report was sponsored by Visa and Symantec, so take its product recommendations with a grain of salt.)
Ensuring secure disposal of sensitive data
The three prongs of a data-security plan are access controls, encryption of stored data, and secure disposal of personal information. Shredding is the preferred method for paper files and optical media. In a post from March 2009 I described how to destroy an old hard drive. One of the tools covered in that story is Darik's Boot and Nuke (DBAN), a free data-wiping program.
Of course, if the disposed data is encrypted, recovering the ciphertext does an attacker little good without the key, so destroying the key is itself an effective way to retire an encrypted drive. Still, the safest approach is to wipe all storage media before discarding them. One caveat: overwriting is reliable on magnetic disks, but solid-state drives remap writes internally and may retain old copies of the data, so for SSDs use the drive's built-in secure-erase command or rely on full-disk encryption plus key destruction rather than an overwrite tool alone.
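The file-level version of the overwrite-before-delete idea, as an added example written for this page (it is not the article's own code and not part of DBAN): a POSIX shell function that overwrites a file in place with random data, zeroes it, verifies the original bytes are no longer readable, and only then unlinks it. The file name and the SSN in it are constructed sample data. The same caveat as for whole drives applies: on an SSD, or on a journaling or copy-on-write filesystem, the old blocks may survive, which is why the article's advice for media being discarded is a whole-device wipe such as DBAN rather than per-file overwriting.

```shell
#!/bin/sh
# Added example (not from the original article, and not DBAN): overwrite a single
# file in place before unlinking it, then verify the original bytes are gone.
# The file name and the SSN below are constructed sample data.
#
# Caveat: overwriting a file is only meaningful on a magnetic disk with a
# non-journaling, non-copy-on-write filesystem. SSDs remap writes (wear
# levelling) and journaled or snapshotting filesystems can keep older copies of
# the blocks, so for media being discarded wipe the whole device, use the
# drive's built-in secure erase, or use full-disk encryption and destroy the key.

set -u

# overwrite_file FILE [PASSES]: overwrite FILE's contents in place with PASSES
# passes of random data followed by one pass of zeros. conv=notrunc keeps the
# same inode and size so the same on-disk blocks are rewritten.
# Returns 0 on success, 2 if FILE is missing, 1 if a write fails.
overwrite_file() {
    file=$1
    passes=${2:-3}
    [ -f "$file" ] || return 2
    size=$(wc -c < "$file" | tr -d ' ')
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom | dd of="$file" conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    head -c "$size" /dev/zero | dd of="$file" conv=notrunc 2>/dev/null || return 1
    sync
    return 0
}

# wipe_file FILE [PASSES]: overwrite, then unlink. Returns 0 only if both succeed.
wipe_file() {
    overwrite_file "$1" "${2:-3}" || return $?
    rm -f -- "$1"
}

# Demonstration on a constructed file containing a made-up SSN.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/client-tax-return.txt"
printf 'Client SSN: 123-45-6789 (constructed sample)\n' > "$demo_file"

overwrite_file "$demo_file" 3
if grep -q '123-45-6789' "$demo_file"; then
    echo "overwrite failed: original data still readable"
else
    echo "original data no longer present; file is still $(wc -c < "$demo_file" | tr -d ' ') bytes"
fi
wipe_file "$demo_file" 1 && echo "$demo_file unlinked"
rmdir "$demo_dir"
```

The verification step (grep for the known plaintext after the overwrite) is the part worth keeping in any disposal procedure: a wipe you cannot check is a wipe you cannot put in an audit record. On a live system, running the function against a file on an SSD will still return success, so treat the return code as "the writes were issued", not as proof the old blocks are physically gone.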
Even with these precautions, your personal information could still fall into the wrong hands. Make a habit of reviewing your monthly credit-card and bank statements, and consider signing up for a credit-monitoring service that alerts you by e-mail, text message or mail whenever a new account is opened in your name.
The Fight Identity Theft site reviews the top four credit-reporting services. However, not everyone needs to spend up to $15 a month to protect their identity: Investopedia examines the pros and cons of credit-monitoring services.
If you suspect you're the victim of identity theft, the Federal Trade Commission's Fight Back Against Identity Theft site provides an extensive FAQ on the subject and includes a link for filing a complaint with the agency.