What Are You Doing With 25 Million Social Security Numbers On Your Laptop?

from the seemed-like-a-good-idea-at-the-time dept

In the never-ending barrage of stories about customer data leaks, one question is never answered: why are people carrying around laptops with so much personal information anyway? As you might expect, the answer's got more to do with laziness and stupidity than anything else. There's really no good reason for people to be carrying all this data on their laptops when it can be more securely held (in theory, anyway) in a central location, and accessed as needed over a network. Of course, all that requires a lot of effort, as does ensuring employees' computers are using encryption and other security techniques, and as long as companies have no incentive to protect customer data, there's little reason for them to go to the trouble, and cost, of actually securing data.


Reader Comments



  • Jim Grey, 10 Jul 2006 @ 8:22am

    Keeping data centralized

    I used to work for a contractor who provided claims-processing services to Medicare. I had access to gobs of private health information. It was company policy that no data or work product of any sort was to be stored on your local PC -- everything was to be stored on heavily-protected servers. It was also made very difficult to do things such as export large quantities of social security numbers from mainframes to PCs. We didn't allow VPN access to our servers for laptop users either -- when you were working remotely, all you could do was dial in to check your e-mail. All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either.

    • Dam, 10 Jul 2006 @ 11:38am

      Re: Keeping data centralized

      All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either.


      Dealing in information is no different than physical inventory. An employer would fire anyone walking out of the building with selling inventory, no matter what it is. There's no plausible reason for it, unless movement of that inventory has been recorded with the appropriate paperwork. So why is data treated any differently? I can't take home a couple of cartons of product to complete my work, why should a guy/gal with a laptop be able to move sensitive data?

      Your employer was on top of things - mostly because they had to be. When other businesses have to be, under penalty of huge fines, this problem will be mitigated.

  • SomeUser, 10 Jul 2006 @ 9:51am

    Anonymize the data

    What I still can't understand is in lieu of the public flogging of this type of news, why institutions still give out this information. Much of this work is outsourced to another firm, so this will happen more and more. Even if the workers sit at the company, the work was still farmed out.

    Much of this information is so easy to anonymize (e.g. addresses, phone numbers, SSN, etc.). The structure of data is the important thing, not necessarily the content. Take a representative sample of the structure and then put in bogus data. As the OP stated, this is complete laziness and stupidity. It is NOT that hard.

  • Dude, 10 Jul 2006 @ 9:56am

    The next big screw up

    I think that this is an issue at all levels of data storage, but government is one of the worst offenders. Even when notified they are reluctant to make changes. Just shows the amount of hubris and laziness that they have for being good stewards of private data. It won't be resolved until there are heavy fines that get paid out to the victims.

  • Wiley, 10 Jul 2006 @ 10:18am

    Fat, bloated and cumbersome

    Not that any of this is new news...I am a Fed, I know the process to implement these security measures takes not only an act of God, there are mounds of red tape and every system manager asking who gets their budget cut. Even if they wanted to implement a security measure now, it would have to go through the process (bidding, due diligence, etc.) which makes it available sometime in 2010. The Government is slow and cumbersome, not to mention a bloated pig. Follow the money as the rest of these bean counters do...It is easier to ask forgiveness than to get permission.

    • SPR, 10 Jul 2006 @ 10:38am

      Re: Fat, bloated and cumbersome

      This is why Congress needs to pass a Federal law adding jail time as a penalty for inept AND corrupt disclosure of sensitive data they are entrusted to hold by the American people. I am tired of excuses. We need some decisive action on the part of the people we elect to these positions. They are elected to lead. It is about time they started leading!!

      • Wiley, 10 Jul 2006 @ 11:31am

        Re: Re: Fat, bloated and cumbersome

        Agreed! The only way to get the Government off their fat asses is to impose fines. Better yet, stop paying taxes that support these idiots and the bloated agencies that continually lose this information.

      • Brian, 10 Jul 2006 @ 11:53am

        Re: Re: Fat, bloated and cumbersome

        They are elected to govern, we only wish they would lead.

  • 111-22-3333, 10 Jul 2006 @ 10:36am

    "Silly" status quo is hard to change

    I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license, Idaho fishing license, are two examples. The reasons given include: "because", or "it's necessary to properly identify you". My social security card clearly states "for social security and tax purposes-not for identification".

    I can often get away with making one up. Until organizations change these "just because" default identifiers, I think we will experience more such breaches of information.

    • Home Business Tips, 10 Jul 2006 @ 10:45am

      Re: "Silly" status quo is hard to change

      In Wisconsin they check for SSN to track down deadbeat dads that aren't paying child support. This would be no reason to hold this data on a laptop though.

    • Anonymous Coward, 10 Jul 2006 @ 12:18pm

      Re: "Silly" status quo is hard to change

      States do not require you to use a SSN on your license. My UT license very clearly states "Not Required" under the SSN field. Massachusetts used to allow people to use their SSN, but again, it was never mandated. Also, the topic asks why this question of the data being carried on personal laptops never comes up. I don't understand this - it appears to be a major front story every single day. This topic itself looks like it was recycled from yesterday's Wired post (http://www.wired.com/news/wireservice/0,71348-0.html)

    • Prescott, 10 Jul 2006 @ 12:24pm

      Re: "Silly" status quo is hard to change

      "I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license"

      Nitpicking, but Utah doesn't demand you put it on. They can leave the field blank. As I did.

      Back to the topic, I think we need a new social number, one that is for the federal government and a citizen only. That could be, you know, secure.

      When my healthcare account number is my social security number, it proves we have lost focus of what a social security number is.

      • 111-22-3333, 10 Jul 2006 @ 1:38pm

        Re: Re: "Silly" status quo is hard to change

        Point of clarification ... one may opt out of displaying their SSN on their driver's license, but not on obtaining the license (unless they have changed the policy in the last year).

    • Anonymous Coward, 10 Jul 2006 @ 6:09pm

      Re: "Silly" status quo is hard to change

      "I can often get away with making one up."

      Well, that's great, but while you managed to provide yourself a modicum of security, you did it while committing a felony.

      Providing a FALSE Soc Sec Num is a felony. Do not do that. Simply refuse to provide it.

  • wilks, 10 Jul 2006 @ 10:58am

    Wait until the lawsuits start happening. You want an incentive and civil court can be the great equalizer.

  • Haywood, 10 Jul 2006 @ 10:59am

    Here's a twist for you; I recently received a letter from an insurance co. that I haven't dealt with in over 2 years. They claimed a laptop had been stolen with my info in it. They also were trying to sell me a subscription to a credit reporting service. I personally believe this is just a scam to sell credit reporting services.

  • MEoip, 10 Jul 2006 @ 11:03am

    Obvious

    I think it is obvious that I'm selling them under the guise of having them stolen.

  • anonymous coward, 10 Jul 2006 @ 11:15am

    i'm going to patent and start a company that has one product: massive lists of generic, randomized non-real data that can be used for corporate computer system testing.

    all i have to do is read the paper each day for the "fuck up du jour", call that company's IT executive (or his new replacement), ask them how many millions of names they need at 1/10 cent per name, and profit...

    • Jimmy Z, 10 Jul 2006 @ 1:19pm

      Re: anonymous coward

      Please refrain from the use of free thought and discontinue the formulation of ideas or I will be forced to take legal action.

  • Anonymous Coward, 10 Jul 2006 @ 11:40am

    Maybe if these companies didn't try to squeeze their employees so hard that they *have* to take work home, this wouldn't happen.

    Novel idea... yes, I know.

  • Indelible1, 10 Jul 2006 @ 11:59am

    Haven't any of these companies heard about encrypting sensitive customer and employee information?

    It boggles the mind that the public sector can encrypt and send data on a daily basis that complies with or exceeds DOD standards, but the folks that are entrusted with our most sensitive personal information keep it in a completely insecure database on their laptop with no consideration of those that it will negatively affect.

    Why not just put it in an archive, encrypt it, and be done? It would be just as easy to access for the end user, but the common thugs that abscond with the laptop that was carelessly left in a vehicle wouldn't be able to access it with ease, due to lack of knowledge.

  • Jose, 10 Jul 2006 @ 12:06pm

    Not hard to get at all

    People forget all of the people that the data goes through before it finally reaches the *secure* servers. I have a data entry friend that pays almost minimum wage and handles claims for Blue Cross Blue Shield and others with all the information they could ever want. Also to get that job or a copy of those documents is not hard at all.... it's like bringing gold to a super secure place and first driving it in a donkey with the gold wrap around plastic bags...

  • The Truth Is Out There, 10 Jul 2006 @ 12:13pm

    Look in the mirror, sys admins

    A few years back, I worked at a big manufacturing company, and data my department needed every day was stored in a big dumb mainframe, with a big dumb UI, managed by big dumb programmers. A co-worker wanted a couple minor changes to the db schema, and argued with the Deniers of Information Services for months with no help. Finally, he bought a copy of MS Access, loaded it on his desktop, did a big dump off the mainframe, and in a couple of days built an app that worked waaaaaaay better than anything the "pros" ever provided. So, this wasn't personal data, and it wasn't a laptop, but if you tie your users up in red tape instead of helping them do their work, don't be surprised if they try to find a way around you. Unfortunately, that might lead to these kinds of security breaches.

  • jdw242, 10 Jul 2006 @ 12:26pm

    what am I doing?

    apparently I am not working at a company with an IT manager that has a G.D. brain!

    No, really, it comes down to laziness. If I didn't fight and prove that the potential losses would close the business I work for we wouldn't have SafeBoot on our laptops right now. Everyone wants to have the security, but IT is supposed to take care of that. They don't understand it starts with the user being responsible.

    Of course, enter the obligatory IT Staff are not responsible for your own stupid carrying of said laptop into areas that are potentially dangerous, such as pool areas, bars, hot tubs, saunas, roof tops, crashing planes, etc., though our users probably think that we are...

  • jdw242, 10 Jul 2006 @ 12:33pm

    almost forgot

    when they do lose their laptops, they usually come to the IT staff and ask for their data back.

    WTF? We're not your storage racks; we keep you working!

  • the IT Manager, 10 Jul 2006 @ 2:24pm

    Shrugged Off

    I wrote an email to the IT department head once to write a simple script to get data for me and many co-workers that needed it. It would have saved the company tons of employee time, digging and searching. When I sent the email it was 10:35. By 10:37 I got a reply, "It can't be done." I responded. "Yes it can, attached here is the script. Please review and launch." BAM! Instant time saving, and I wasn't even in the IT dept. I copied the plant manager that time. Needless to say about 6 mo's later he wasn't working here anymore. WOOHOO!
