Saturday, January 06, 2007

2006 - The Year of Identity Theft and The Portable Data Breach

Over 1/3 of US Populations Private Data Directly Exposed to Identity Theft during 2006. Pandemic of Stupidity Continues.

Congratulations, you may be the current or potential future victim of identity theft without even knowing it - all courtesy of an illegal release of your information by your State, Federal Government agencies or big business, each with a responsibility and a legal mandate to protect your private data. The odds are fairly good that your private data is currently available to anyone who might be looking to use it for fraud, personal profit, or even more dubious actions.

The daily onslaught of media reports regarding the illegal or accidental disclosures of data are reaching pandemic proportions. The word "epidemic" does not even begin to describe the level of stupidity with regard to the warehousing, storage, transport and stewardship of individual private data.

The US Department of State announced on January 1st that the US Population hit the 301 Million mark. The snapshot presented by the report shows that the population of the US is diverse, composed of a high number of immigrants and is younger and more mobile than most other developed nations. The report states that a "Younger population growth keeps the economy and society vital". As these citizens set out to capture their part of the American dream, they will be opening bank accounts, making major purchases, buying cars, homes, getting married and having children. At the same time, they will be providing their private data to numerous companies, government agencies, financial institutions, health care organizations and other entities. Each time they provide this information, their risk of being a victim of an illegal breach of confidentiality increases exponentially.

Media accounts and running tallies for 2006 posted by several privacy organizations put the absolute minimum number of US residents who had their personal data exposed illegally at over 100 million. Of course this is only a small subset of the actual breaches and is only based upon the information that was publicly released. This means at a minimum that one in three American citizens had their personal private data out in the wild and potentially available for illicit use. The real number is quite a bit higher and may never actually be known publicly. If this shocking trend continues, and as the consolidation of data grows a conservative estimate would be that your personal data will invariably be illegally released every 2 years by some entity.

Your private data is everywhere. Your identity is valuable and if it is compromised, the economic, emotional and even physical damage can almost never be reversed.

With every purchase you make online, every major purchase like a home or car, each account you open with a bank, broker or insurance agent, health care agency, doctor, or even when you apply for basic services such as telephone or power you are "required by these providers" to release information such as your name, address, social security number, phone number, date of birth, credit card numbers, spouse and children's names, dates of birth, and other private data that is unique to your identity. Most of this data is collected under the guise of verifying your identity or to fulfill some government mandate or industry guideline to validate their internal procedures. The question is, what happens with this data?

There are several US Government laws that regulate what can and cannot be done with certain types of personally identifiable information. Each of these laws have penalties for breaches of the requirements. The sad truth is that almost none of these laws are enforced even when a very public breach has occurred.

As an example, HIPAA (Health Insurance Portability and Accountability Act), a law that deals with the collection, maintenance and release of individual private health information established both criminal and civil penalties for the unlawful release of patient data. This legislation took effect in April 2003. The Office for Civil Rights (OCR) within the Department of Health and Human Services is charged with investigating and prosecuting complaints. As of March 2006, the OCR has received over 18,000 complaints regarding the unlawful release of individual patient data, they have yet to impose a single civil penalty. As of March 28, 2006, there have been only two criminal convictions under HIPAA. One was a Texas woman Liz Arlene Ramirez who was arrested after agreeing to sell the information of FBI agents to people whom she believed to be a drug trafficker and the other was a man in Seattle caught using patients information to fraudulently obtain credit cards. HIPAA, like most other laws dealing with privacy of financial transactions, banking, or other regulations designed to protect your data is quite literally NEVER enforced.

Most industries have their own regulations when it comes to protecting private data. The credit card industry implemented PCI-DSS (Payment Card Industry - Data Security Standard) in 2004 requiring that companies that collect credit card information during a transaction must protect cardholder data, encrypt cardholder data, restrict cardholder data on a need-to-know basis, restrict physical access to individually identifiable cardholder data and are required to maintain and regularly test their network for security vulnerabilities. In June of 2006, the YMCA in Providence, Rhode Island had an unencrypted laptop computer stolen with the names, social security numbers, credit card and debit card information for 65,000 customers. This data should have never been in that form and on that device in the first place, yet nothing was done, and from the news accounts no one was held accountable. Banks, credit card companies, local and online merchants all have this data. Many of these companies have this data flowing through their organization on unencrypted laptops, hard drives, portable drives, flash drives, CDs and other portable media.

Why are they violating the PCI-DSS? Why are these organizations not fined or punished for their stupidity?

Your data is collected and stored in a database. The data in and of itself is not important, it is what you can do with the data that drives business. A process called "data mining" whereby little pieces of your life are recorded, quantified and analyzed is used to establish trends, habits and predictions about future events or actions.

For instance, if you own a coffee shop and you know that customer X buys an average 6 Drinks a week for the last 3 months, but now they are only consuming 1 or 2, wouldn’t you as a business owner want to know why? Maybe Customer X found a new coffee shop or has changed his patterns based upon a new job, commuting route, lifestyle change, or other event. Maybe the change coincided with a change in staff that didn’t have the same training on making the product in the way the customer was used to.

Likewise, if you managed the local supermarket and knew that your “Club Card” members buy 1000 boxes of a toasty flakes during certain periods of the year and you are forecasting purchasing decisions for products that are perishable you would probably look at the data over time to establish trends and develop a probability scale for the sell-through of an upcoming promotion.

Similarly, health care providers, insurance companies and employers can analyze the usage of drugs to treat disease, alternate treatment options, patient recovery rates, patient satisfaction and other factors to formulate new and streamlined treatment methods, reduce or contain costs.

By analyzing trends in the data and looking at your own business model, you can determine pretty accurately what is going on and make changes to your buying patterns, advertising, promotion, training, product offering or customer service to improve the efficiency and profitability of your operations and retain a loyal customer base. The question becomes what happens when the unintentional or illegal release of the data becomes life threatening or affects National Security?

The torrent of illegal personal data breaches during 2006 include several instances where active duty military personnel's information, SSN, home address, family information, medical information and rank was exposed from every single branch of the US Armed Forces. This information represents a serious threat to our national security in a time of war and a direct and personal physical threat to the families of the serving men and women currently in harms way, yet the response from the offending agencies has been more concerned with helping potential victims of credit fraud and identity theft rather than the safety and security of the families. When we are fighting a global war on terrorism against a ruthless and brutal enemy, we have to assume that then enemy would use these data mining techniques for a much more evil purpose. Why would you fight an armed enemy on the field of combat when you can have a much greater impact of "terror" by targeting their family members in a shopping center parking lot? This is a VERY real and frightening possibility and one that we have to assume is on the enemy's agenda.

Another startling revelation this year was the published reports from TWO separate Airports that the employee database went missing while stored on unencrypted media. The Port of Seattle announced on October 2nd, 2006 that six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2. Again, the agency responded with the typical "we're sorry and if your credit gets messed up we'll help you out" letter.

So what are they doing about it? According to the Port of Seattle Web Site they are: "The Port of Seattle conducted a full investigation of this incident and confirmed that the disks are missing. The Port of Seattle is notifying all those whose information is known to have been included on the missing CDs.", but they are not modifying their policies or procedures to prevent this type of situation from happening in the first place.

The TSA had a similar incident with a missing flash drive at Portland International Airport on October 25th with a similar response. Does anyone care about unauthorized individuals having scanned copies of all of the data they need to forge ID Badges to gain entry to SeaTac and Portland Airports? Isn't anyone thinking about the possible ramifications of these actions? Apparently not.

So, how can you secure YOUR data? iQBio has several industry leading products that can help any person, business or government agency secure and control local or portable data with multi-factor authentication and encryption. Secure the data already... enough is enough.

iQBio Products to Secure Data with Multi-Factor Authentication and Encryption:

PC / Laptop

Client / Server

Portable Data

No comments: