What Are You Doing With 25 Million Social Security Numbers On Your Laptop?

from the seemed-like-a-good-idea-at-the-time dept

In the never-ending barrage of stories about customer data leaks, one question is never answered: why are people carrying around laptops with so much personal information anyway? As you might expect, the answer's got more to do with laziness and stupidity than anything else. There's really no good reason for people to be carrying all this data on their laptops when it can be more securely held (in theory, anyway) in a central location, and accessed as needed over a network. Of course, all that requires a lot of effort, as does ensuring employees' computers are using encryption and other security techniques, and as long as companies have no incentive to protect customer data, there's little reason for them to go to the trouble, and cost, of actually securing data.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Jim Grey, 10 Jul 2006 @ 8:22am

    Keeping data centralized

    I used to work for a contractor who provided claims-processing services to Medicare. I had access to gobs of private health information. It was company policy that no data or work product of any sort was to be stored on your local PC -- everything was to be stored on heavily-protected servers. It was also made very difficult to do things such as export large quantities of social security numbers from mainframes to PCs. We didn't allow VPN access to our servers for laptop users either -- when you were working remotely, all you could do was dial in to check your e-mail. All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either.

    link to this | view in thread ]

  2. identicon
    SomeUser, 10 Jul 2006 @ 9:51am

    Annonomize the data

    What I still can't understand is in lieu of the public flogging of this type of news, why institutions still give out this information. Much of this work is outsourced to another firm, so this will happen more and more. Even if the workers sit at the company, the work was still farmed out.

    Much of this information is so easy to anonomize (e.g. Addresses, phone numbers, SSN, etc.). The structure of data is the important thing, not necessarily the content. Take a representative sample of the structure and then put in bogus data. As the OP stated, this is complete laziness and stupidity. It is NOT that hard.

    link to this | view in thread ]

  3. identicon
    Dude, 10 Jul 2006 @ 9:56am

    The next big screw up

    I think that this is an issue at all levels of data storage, but government is one of the worst offenders. Even when notified they are reluctant to make changes. Just shows the amount of huberis and laziness that they have for being good stewards of private data. It won't be resolved until there are heavy fines that get paid out to the victims.

    link to this | view in thread ]

  4. identicon
    Wiley, 10 Jul 2006 @ 10:18am

    Fat, bloated and cumbersome

    Not that any of this is new news...I am a Fed, I know the process to implement these security measures take not only and act of God, there is mounds of red tape and every system manager asking who gets their budget cut. Even if they wanted to implement a security measure now, it would have to go through the process (bidding, due diligence, etc.) which makes it available sometime in 2010. The Government is slow and cumbersome, not to mention a bloated pig. Follow the money as the rest of these bean counters do...It is easier to ask forgiveness than to get permission.

    link to this | view in thread ]

  5. identicon
    111-22-3333, 10 Jul 2006 @ 10:36am

    "Silly" status quo is hard to change

    I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license, Idaho fishing license, are two examples. The reasons given include; "because", or "it's necessary to properly identify you". My social secirity card clearly states "for social security and tax purposes-not for identification".

    I can often get away with making one up. Until organizations change these "just because" default identifiers, I think we will experience more such breaches of information.

    link to this | view in thread ]

  6. identicon
    SPR, 10 Jul 2006 @ 10:38am

    Re: Fat, bloated and cumbersome

    This is why Congress needs to pass a Feredal law adding jail time as a penalty for inept AND corrupt disclosure of sensitive data they are entrusted to hold by the American people. I am tired of excuses. We need some decisive action on the part of the people we elect to these positions. They are elected to lead. It is about time they started leading!!

    link to this | view in thread ]

  7. identicon
    Home Business Tips, 10 Jul 2006 @ 10:45am

    Re: "Silly" status quo is hard to change

    In wisconsin they check for SSN to track down dead beat dads that aren't paying child support. This would be no reason to hold this data on a laptop though.

    link to this | view in thread ]

  8. identicon
    wilks, 10 Jul 2006 @ 10:58am

    Wait until the lawsuits start happening. You want an incentive and civil court can be the great equalizer.

    link to this | view in thread ]

  9. identicon
    Haywood, 10 Jul 2006 @ 10:59am

    Here's a twist for you; I recently received a letter form an insurance co. that I haven't dealt with in over 2 years. They claimed a laptop had been stolen with my info in it. They also were trying to sell me a subscription to a credit reporting service. I personally believe this is just a scam to sell credit reporting services.

    link to this | view in thread ]

  10. identicon
    MEoip, 10 Jul 2006 @ 11:03am

    Obvious

    I think it is obvious that I'm selling them under the guise of having them stolen.

    link to this | view in thread ]

  11. identicon
    anonymous coward, 10 Jul 2006 @ 11:15am

    i'm going to patent and start a company that has one product: massive lists of generic, randomized non-real data that can be used for corporate computer system testing.

    all i have to do is read the paper each day for the 'fuck up du jour", call that company's IT executive (or his new replacement), ask them how many millions of names they need at 1/10 cent per name, and profit...

    link to this | view in thread ]

  12. identicon
    Wiley, 10 Jul 2006 @ 11:31am

    Re: Re: Fat, bloated and cumbersome

    Agreed! The only way to get the Government off their fat asses is to impose fines. Better yet, stop paying taxes that support these idiots and the bloated agencies that continually lose this information.

    link to this | view in thread ]

  13. identicon
    Dam, 10 Jul 2006 @ 11:38am

    Re: Keeping data centralized

    All of this frequently slowed down my work and was frustrating and annoying -- but we didn't have problems with data walking out of the building, either.


    Dealing in information is no different than physical inventory. An employer would fire anyone walking out of the building with selling inventory, no matter what it is. There's no plausible reason for it, unless movement of that inventory has been recorded with the appropriate paperwork. So why is data treated any differently? I can't take home a couple of carons of product to complete my work, why should a guy/gal with a laptop be able to move sensitive data?

    Your employer was on top of things - mostly because they had to be. When other businesses have to be, under penalty of huge fines, this problem will be mitigated.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 10 Jul 2006 @ 11:40am

    Maybe if these companies didn't try to squeeze their employees so hard that they *have* to take work home, this wouldn't happen.

    Novel idea... yes, I know.

    link to this | view in thread ]

  15. identicon
    Brian, 10 Jul 2006 @ 11:53am

    Re: Re: Fat, bloated and cumbersome

    They are elected to govern, we only wish they would lead.

    link to this | view in thread ]

  16. identicon
    Indelible1, 10 Jul 2006 @ 11:59am

    Haven't any of these companies heard about encrypting sensitive customer and employee information?

    It boggles the mind that the public sector can encrypt and send data on a daily basis that complies with or exceeds DOD standards, but the folks that are entrusted with our most sensitive personal information keep it in a completely insecure database on their laptop with no consideration of those that it will negatively effect.

    Why not just put in an archive, encrypt it, and be done? It would be just as easy to access for the end user, but the common thugs that abscond with the laptop that was carelessly left in a vehicle wouldn't be able to access it with ease, due to lack of knowledge.

    link to this | view in thread ]

  17. identicon
    Jose, 10 Jul 2006 @ 12:06pm

    Not hard to get at all

    People forget all of the people that the data goes through before it finally reaches the *secure* servers. I have a data entry friend that pays almost minimum wage and handle claims for blue cross blue shield and others with all the information they could ever want. Also to get that job or a copy of those documents is not hard at all.... it's like brining gold to a super secure place and first driving it in a donkey with the gold wrap around plastic bags...

    link to this | view in thread ]

  18. identicon
    The Truth Is Out There, 10 Jul 2006 @ 12:13pm

    Look in the mirror, sys admins

    A few years back, I worked at a big manufacturing company, and data my department needed every day was stored in a big dumb mainframe, with a big dumb UI, managed by big dumb programmers. A co-worker wanted a couple minor changes to the db schema, and argued with the Deniers of Information Services for months with no help. Finally, he bought a copy of MS Access, loaded it on his desktop, did a big dump off the mainframe, and in a couple of days built an app that worked waaaaaaay better than anything the "pros" ever provided. So, this wasn't personal data, and it wasn't a laptop, but if you tie your users up in red tape instead of helping them do their work, don't be surprised if they try to find a way around you. Unfortunately, that might lead to these kinds of security breaches.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 10 Jul 2006 @ 12:18pm

    Re: "Silly" status quo is hard to change

    States do not require you to use a SSN on your license. My UT license very clearly states "Not Required" under the SSN field. Massachusetts used to allow people to use their SSN, but again, it was never mandated. Also, the topic asks why this question of the data being carried on personal laptopts never comes up. I don't understand this - it appears to be a major front story every single day. This topic itself looks like it was recycled from yesterday's Wired post (http://www.wired.com/news/wireservice/0,71348-0.html)

    link to this | view in thread ]

  20. identicon
    Prescott, 10 Jul 2006 @ 12:24pm

    Re: "Silly" status quo is hard to change

    "I am still amazed by all of the organizations that require one to give their SSN - when it is clearly not necessary. Utah driver's license"

    Nitpicking, but Utah doesn't demand you put in on. They can leave the field blank. As I did.

    Back to the topic, I think we need a new social number, one that is for the federal government and a citizen only. That could be, you know, secure.

    When my healthcare account number is my social security number, it proves we have lost focus of what a social security number is.

    link to this | view in thread ]

  21. identicon
    jdw242, 10 Jul 2006 @ 12:26pm

    what am I doing?

    apparently I am not working at a company with an IT manager that has a G.D. brain!

    No, really, it comes down to laziness. If I didn't fight and prove that the potential losses would close the business I work for we wouldn't have SafeBoot on our laptops right now. Everyone wants to have the security, but IT is supposed to take care of that. They don't understand it starts with the user being responsible.

    Of course, enter the obligatory IT Staff are not responsible for your own stupid carrying of said laptop into areas that are potentially dangerous, such as pool areas, bars, hot tubs, saunas, roof tops, crashing planes, etc., though our users probably think that we are...

    link to this | view in thread ]

  22. identicon
    jdw242, 10 Jul 2006 @ 12:33pm

    almost forgot

    when they do lose their laptops, they usually come to the IT staff and ask for their data back.

    WTF? We're not your storage racks; we keep you working!

    link to this | view in thread ]

  23. identicon
    Jimmy Z, 10 Jul 2006 @ 1:19pm

    Re: anonymous coward

    Please refrain from the use of free thought and discontinue the formulation of ideas or I will be forced to take legal action.

    link to this | view in thread ]

  24. identicon
    111-22-3333, 10 Jul 2006 @ 1:38pm

    Re: Re: "Silly" status quo is hard to change

    Point of clarification ... one may opt out of displaying their SSN on their driver's license, but not on obtaining the license (unless they have changed the policy in the last year).

    link to this | view in thread ]

  25. identicon
    the IT Manager, 10 Jul 2006 @ 2:24pm

    Shrugged Off

    I wrote an email to the IT department head once to write a simple script to get data for me and many co-workers that needed it. It would have saved the company tons of employee time, digging and searching. When I sent the email it was 10:35. By 10:37 I got a reply, "It can't be done." I responded. "Yes it can, attached here is the script. Please review and launch." BAM! Instant time saving, and I wasn't even in the IT dept. I copied the plant manager that time. Needless to say about 6 mo's later he wasn't working here anymore. WOOHOO!

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 10 Jul 2006 @ 6:09pm

    Re: "Silly" status quo is hard to change

    "I can often get away with making one up."

    Well, thats great, but while you managed to provide yourself a modicum of security, you did it while committing a felony.

    Providing a FALSE Soc Sec Num is a felony. Do not do that. Simply refuse to provide it.

    link to this | view in thread ]

  27. identicon
    jeff, 11 Jul 2006 @ 8:52pm

    Re: Re: "Silly" status quo is hard to change

    Only if the intent is to defraud.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.