Why Keep Personal Information On A Laptop, When It's Much Easier To Steal On A CD?
from the good-work,-idiot dept
In story after story about data leaks stemming from a lost or stolen laptop, one question that's never answered very well is why people are carrying so much personal information on portable devices anyway. But why bother with the inconvenience of a laptop, when you could just put the social security numbers and other information of 75,000 of your customers on a CD without any encryption and make things so much easier for would-be identity thieves? That's what a boneheaded subcontractor for a health insurance company did, and now -- surprise, surprise -- the disc has gone missing. The insurance company is making the standard offer of a year of credit monitoring to those whose information was on the CD, but since the offending party didn't work directly for it, rather for another contractor, it sounds as if it won't be able to take any action against the subcontractor. So, it sounds like nothing's changing, and companies are remaining careless with personal information because there's no reason for them to protect it.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Smart Thieves...
You would think the legislation would quit passing stupid laws, like banning MP3 players while walking around, and make some laws that actually are enforceable and have an effect, like requiring all sensitive/personal information stored on any kind of device to have GOOD/effective encryption strategies. I guess it is too much to ask we have some smart legislators though...
Then again, maybe the CD fell behind one of the desks. I sure know I've found many of mine back there.
[ link to this | view in chronology ]
Re: Smart Thieves...
First of all, how would you write a law like that if you were a politician? Do you specify a particular encryption level? Does it apply to every piece of data that can be linked to a person? Wouldn't that effectively give the government the right to come in and look at any data a company has, without a warrant or other legal notice, in the name of making sure this new hypothetical encryption law is being followed?
As a side note, the insurance industry already has rules regarding data protection that they can be fined against in this instance, it's called HIPAA.
[ link to this | view in chronology ]
Re: Re: Smart Thieves...
With small, easy words the other politicians could understand.
Do you specify a particular encryption level? Does it apply to every piece of data that can be linked to a person?
I suppose you would have to specify an encryption level, and I say any data an identity thief could use, like your birth-date and social security number. Name and address aren't really that important as far as stealing someone's identity.
Wouldn't that effectively give the government the right to come in and look at any data a company has, without a warrant or other legal notice, in the name of making sure this new hypothetical encryption law is being followed?
Well now that's just plain silly. Of course the government would have to have a warrant if they suspected a company was not upholding the encryption law. I mean, the cops can't bust down your door without a warrant for your computer (assuming they do not expect someone is about to be hurt inside your residence and even then they can only get the other person out and not collect any evidence).
[ link to this | view in chronology ]
There is one reason...
[ link to this | view in chronology ]
Re: There is one reason...
[ link to this | view in chronology ]
Problem is the laws
[ link to this | view in chronology ]
Not only that, but UCLA is a school. Because it is a school, it has the right to use means that are illegal for commercial companys to track you down and to sell your information. The law states that you must contact UCLA and ask them not to sell your information, or they may do it.
I hate that UCLA tracks me down wherever I move within about 1 month. I hate that they hold onto my information. I hate that their data gets compromised so often.
These companies, and non profit institutions should be held fully accountable for these information leaks due to negligence.
[ link to this | view in chronology ]
I'm curious - why has no one done that yet?
And hey - that's worse than death for a big company - 100,000 lawsuits
[ link to this | view in chronology ]
Easy Solution
[ link to this | view in chronology ]
Personal Info...
That's the only way to keep the thought police at bay.
[ link to this | view in chronology ]
Why not make laws to protect SSN
[ link to this | view in chronology ]
Re: Why not make laws to protect SSN
[ link to this | view in chronology ]
HIPAA
No wonder I lie about my SSN, etc. these days. I'm sure someone else will collect my benefits but I don't really pay into social security anyway so what are they gonna get an extra $4/month?!!?
[ link to this | view in chronology ]
Re: HIPAA
What about credit card companies and such? What happens when the FBI screws up? Nothing.
Also, the company that lost the information was a subsidiary company under a Health insurance company. I'm not sure they can legally be fined using HIPPA, those rules apply to 1st party companies as far as I know.
[ link to this | view in chronology ]
Re: Re: HIPAA
[ link to this | view in chronology ]
Re: Re: HIPAA
HIPAA was written in such a way as to create a "chain of custody" for your information. Basically any recipient or handler of information that was acquired under HIPAA must be HIPAA compliant.
[ link to this | view in chronology ]
Re: Re: HIPAA
[ link to this | view in chronology ]
Benefit of the doubt
Burned CDs are not the most reliable way to transfer information anyway. Even if stolen, assuming the burned CD contents will still be legible on the CD a year from now is a bit of a stretch - all they have to do is actually leave it out on a sunny desk somewhere and poof - the data is gone.
[ link to this | view in chronology ]
Why only 1 year of
[ link to this | view in chronology ]
[ link to this | view in chronology ]