
Sunday, February 19, 2006

And the Breach Goes On...53 Million and Counting

As if to the sound of trumpets and a rapid drum roll, the data breaches march on. Fifteen since the first of the year, according to the Privacy Rights Clearinghouse, bringing it to a total of over 53 million consumer names, since the ChoicePoint incident in February of 2005. A record to be proud of, if you are an ID thief. If you aren’t…appalling.

Let’s start with Ameriprise Financial, a late December 2005 happening, reported in ’06. A stolen laptop with data including 158,000 names, account and Social Security numbers. The Atlantis Resort in the Bahamas had 55,000 customer IDs stolen; credit card and bank account numbers were involved. People’s Bank of Connecticut lost a tape with data on 90,000 customers that included names, addresses, SS#’s, and checking account numbers. The Boston Globe newspaper says it accidentally released sensitive data on up to 227,000 subscribers, composed of names and credit card numbers.

But here’s one for the books. Providence Home Services, a medical services provider in Oregon, was relieved of tapes and disks holding confidential data on 365,000 patients, and, you probably guessed that it was Social Security numbers, some financial records, but this time…also clinical information. And here’s the stupid trick of the century. The data was stolen from a Providence employee’s car, because the company is apparently too cheap to maintain a backup in a secure location, like most large firms do. Providence gave the data to designated employees to take home nightly, instead. Now I’ve heard it all.

It is for the combination of data brokers’ faulty security, dishonest employees and just dumb moves like the above, that I started my grass-roots movement to pass federal legislation giving consumers control over their names and personal data. It is the only way to stop this madness.

All of these 2006 breaches occurred around the time the Federal Trade Commission (FTC) was levying a fine of $15 million against ChoicePoint, because its record-handling procedures violated consumers’ privacy rights and federal laws. ChoicePoint had three breaches in 2005, losing a total of 171,903 personal records. Throwing more fuel on the fire, the SEC is looking at stock trades made by Derek Smith, CP’s CEO, and Doug Curling, COO, due to a combined $16.6 million in profit they made after the first breach, but before making this public.

In the Golden State Blog, Michael Hiltzik reports on ChoicePoint’s move to get California’s 30 million vehicle registration records for their client, the U.S. Department of Homeland Security. This, after the state of Pennsylvania terminated this arrangement with CP in 2000, fining the company $1.4 million for selling some records to unauthorized purchasers. Hiltzik also talks about the awarding of an $845,500 contract to CP by California Attorney General Bill Lockyer at the same time he was investigating the company.

Your “friendly” Internal Revenue Service has apparently determined that ChoicePoint is OK, inaccurate data and all. The Government Computer News, in an article by Doug Beizer, notes that the IRS has awarded CP a contract to call up information such as your current and former address, property ownership records, bankruptcy, and liens or judgments against you. Based on my experience in junk mail, I know something about the transfer of data, based on the client’s needs. The IRS will have to supply CP with something to validate that they are receiving data on the correct individuals, and that would include a minimum of name and address and probably a Social Security number.

Back in March of 2005, Democratic Senator John Conyers, Jr. from Michigan requested an investigation of ChoicePoint contracts. I have “Googled” this subject from every angle and can find no action, which isn’t surprising, with the GOP’s emphasis on business interests, not the consumer. But Senator Conyers was on the right path. From the Electronic Privacy Information Center (EPIC), Pam Dixon of the World Privacy Forum states that ChoicePoint’s information reports have a very high error rate. Try 90 percent, and some of them are serious.

One breach victim, Elizabeth Rosen, caught errors on five of her six-page report. Richard Smith, a privacy expert, said his report contained more inaccurate than accurate data. Deborah Pierce was falsely listed with a “possible Texas criminal history.” So, are we agreed that our personal data is constantly in harm’s way and that ChoicePoint is only one of several data brokers that have it warehoused?

If your answer is yes, here’s another reason why you made the right choice. John Ashcroft, Bush’s former Attorney General who was barely confirmed by Congress for the job, is lobbying for ChoicePoint. Apparently Ashcroft’s incompetence makes no difference, since his alma mater, the Justice Department, awarded a multibillion-dollar contract to Oracle Corp. only a month after they hired Ashcroft. Most say the ex-AG is trivializing the office since he is the first in thirty years to take advantage of his former position. I say it’s purely greed, and ChoicePoint will also reap similar benefits to those of Oracle.

George Orwell’s 1984 did predict the present-day identity crisis. The current consumer mood that we can allow the use of our personal data by business and government in return for favors, but still maintain even a minimum of our privacy, is “doublethink” at its best. I am not asking for the moon. If I should not be in control of my name and personal data, who should? In the United Kingdom, it is the government. In the U.S. it is big business, and that should scare all of us right out of our complacency.

1 comment:

Anonymous said...

Jack, it will not get any better. As you well know, the names mean money, not our money but a company's money. They really don't give two hoots if the data gets loose, just as long as the end user does not take the same names and resell them. The data is never secure and never really will be. You and I both know that names are emailed without encryption to users who, when they are done, are supposed to destroy that data. But do they? Who really knows for sure. PS: keep the heat on.