By DAVID LAZARUS
San Francisco Chronicle
May 30, 2006
But no less troubling is that, after repeated incidents involving data-rich equipment disappearing, companies and government agencies still prove themselves unable to enforce basic security measures.
Moreover, from a consumer's point of view, it's still all but impossible to get a straight story from those involved in security breaches.
"The vast majority of companies issue a security policy only because their lawyers tell them to," said Ray Everett-Church, a Silicon Valley privacy consultant. "It typically gets buried in an employee handbook and is never seen again."
Consumers, he said, have every right to expect to be fully informed when such incidents occur. Unfortunately, that's seldom the case.
"Companies play games by being cagy and obtuse," Everett-Church said. "It just heightens suspicions and exacerbates the problem."
In the case of the VA, it was reported last week that government officials waited three weeks after the laptop was reported stolen before notifying the public about the widespread security breach.
The laptop contained the name, Social Security Number and birth date of every living veteran since 1975. It disappeared May 3 in what authorities called "an apparent random burglary" from the Maryland home of a VA computer analyst.
"Think how many people take work home on laptops," Everett-Church pointed out. "Everyone does it. For most folk, the data they carry around aren't that exciting. But for some, it can be incredibly dangerous."
Human error is also being blamed for a recent incident involving, of all people, certified public accountants (who you'd think would know a thing or two about safeguarding confidential data).
"It can happen to anybody," said Tony Pugliese, senior vice president of finance and operations for the American Institute of Certified Public Accountants, a trade group. "It's a sign of the times."
He said an institute employee was having trouble with a computer hard drive earlier this year.
Although the institute's security policies are clear about the need to encrypt sensitive info and to never let such data leave the premises, Pugliese said the employee popped the unencrypted hard drive into a FedEx box and shipped it to a repair company. The repairs were completed and the hard drive was shipped back - at which point, FedEx lost the package. Pugliese said it took the institute until the beginning of April to piece together the scope of the security breach, and then until May 8 to mail out letters informing members of the incident.
Recipients were told that their name, address and Social Security Number had been stored on the missing hard drive. What they weren't told is that the breach affected almost the entire membership - about 300,000 CPAs nationwide.
Pugliese said the institute considers this "a very serious matter." He said the institute will learn from the experience and that "it will never happen again."
Still, he noted that his organization is by no means alone in seeing sensitive info go missing. "We look at the news," Pugliese said. "It's amazing how many things like this have happened recently."
Indeed, May has been an unusually busy month for reports of data-security breaches. Aside from the incidents involving the VA and the CPAs, San Francisco's Wells Fargo sent out letters informing mortgage customers that their name, address, Social Security Number and account number were stored on a computer that "is missing and may have been stolen."
The letter said only that the computer vanished while being taken by "a global express shipping company" from one Wells Fargo office to another. It didn't say how many of the bank's 23 million customers were affected.
Alejandro Hernandez, a Wells Fargo spokesman, said by e-mail that "this event affects a relatively small percentage of Wells Fargo home mortgage customers located throughout the United States."
"To ensure we do not jeopardize the investigation or create more risk to our customers, we cannot provide more detail on the specific number or location of the customers, the origination or destination points of the computer, type of computer or the name of the global express shipping company," he said.
Then there's Bank of America, which this month replaced the debit cards of an unspecified number of customers, including Paul Schimmelman of Livermore, Calif.
Schimmelman, 49, said a BofA security official went to the trouble of phoning him a few weeks ago to say that his bank account "had been compromised" and that he was being issued a new card.
A teller at his local BofA branch subsequently informed him that a major breach of the bank's ATM system had occurred and that potentially tens of thousands of California customers had been affected, Schimmelman said.
"It was frustrating," Schimmelman said. "I couldn't find out exactly what happened."
Distributed to subscribers for publication by
Scripps Howard News Service, http://www.shns.com