Users can take lots of steps to secure their computers against online identity theft, but efforts to preserve privacy don't do much good if government and business don't do more to keep personal data secure. Ending the overuse of Social Security numbers as personal identifiers must be the first step says Rob Pegoraro.
Government, Business Can Do Better With Our Data
By Rob Pegoraro
Friday, June 23, 2006
We've spent years trying to secure our computers against online identity theft, but the clumsiness or incompetence of Big Government and Big Companies is going to leave us unguarded anyway.
Since early 2005, everybody from the Department of Veterans Affairs and Ernst & Young to Georgetown University and even the Federal Trade Commission -- yes, the government body charged with defending your privacy -- has managed to lose valuable data about customers and citizens.
Sometimes an online hack has been to blame; other times an employee's laptop has been stolen while out of the office. Either way, the payoff to any crook -- bank account, credit card and Social Security numbers -- far outstrips what could be gained from cracking any home computer.
Thanks, guys! So helpful of you all to guard my data that carefully.
Amazingly enough, nobody has been able to identify any serious exploits of the data lost in these escapades, but it's bound to happen. The potential reward is too high: An identity thief can vacuum out your bank account, wrecking your credit in the process.
People whose data have gone missing in this way have usually gotten only a "mistakes were made" apology and a year of free credit monitoring.
That's not nearly good enough. A lifetime of credit monitoring can't substitute for doing the job right the first time.
That has nothing to do with tougher penalties for laptop thieves or database hackers (though those wouldn't hurt). It has everything to do with reducing the chances of a successful data theft -- and then limiting the damage when the inevitable mistakes happen.
Those steps may not be easy, but neither is keeping the average home computer secure. The government and corporate America -- any organization that's treated, and traded, our data like a cheap commodity -- will have to suck it up and deal.
- Stay up to date with security. (Duh.) Install security patches when they're released; more important, use more secure software in the first place. Stop putting Windows 2000 on new computers just because you bought a site license to that operating system way back when; upgrade to XP, which includes far more security fixes than are available for Win 2000. Or switch to Linux or Mac OS X. If your computers don't all run the same system, they can't all be taken out by the same attack.
- If your employees need to access sensitive data out of the office, make them do so through a secure, remote connection -- not by taking their own copy of the file with them. This way, when a laptop goes missing, the important data do not.
And if that means traveling employees have to watch a movie or read a book on a plane instead of crunching away on the personnel database, so much the better.
- Keep sensitive files encrypted. By scrambling a file with the right kind of software, you can make it unreadable to anybody who obtains the file without the right password. Both Mac OS X and Windows include basic encryption software, and add-on programs offer still stronger protection.
Yes, some of this software can be difficult to use. So is most of the junk on the average office machine, and everybody has survived that. (The selection of cryptography software might also be better if the federal government hadn't spent years trying to criminalize a free, open standard for encryption called Pretty Good Privacy. But I digress.)
- Store only data that you need. Companies that focus on defensive measures such as file encryption are like drivers who try to stop people from breaking into their cars by upgrading their car alarms, instead of remembering to take the iPod out of the car when they park it.
Business and government need to learn this lesson and reduce the value of whatever data might be stolen. Ending the overuse of Social Security numbers as personal identifiers must be the first step. Far too many offices ask for those nine magic digits, then compound their error by storing them in their records afterward.
A quick inventory of the records around my house shows that my Social Security number has adorned a frighteningly varied set of documents: pay stubs, my college ID, HMO cards, driver's licenses, even a blood donor card. It's a safe bet those digits have identified me in the data banks behind each slip of paper or laminated plastic.
That's nothing but lazy programming. Stop compromising my privacy by using my "Social" as an account number. Make up your own number, one that will have no value to a thief. If the Department of Motor Vehicles can do that, so can you.
Simple ethics ought to compel any responsible company or government agency to get this right. But if that's not enough, consider this: The United States has become a nation of lawyers, and I'm sure a healthy payday awaits the first one to win a class-action lawsuit over carelessness with our data. I will have no problem collecting my paltry share of the reward -- as long as I don't have to cough up my Social Security number first.