Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On

from the yawn dept

Fri, Feb 1st 2008 10:47am — Mike Masnick

We've noted in the past that it's become somewhat standard for any company who has lost the private data of its customers/employees/partners/etc. to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached such a point that companies are doing it automatically. This way, the press can simply combine two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal. With the announcement they immediately offer a year of free credit monitoring and everyone can forget about it and move on. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year's free credit monitoring as a cost of doing business. It's certainly cheaper than actually securing your data.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit monitoring, data leaks, security

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

John Duncan Yoyo, 1 Feb 2008 @ 10:51am

If all these years of free credit monitoring are additive we may never need to pay for credit monitoring again.
[ link to this | view in thread ]
Garrett, 1 Feb 2008 @ 11:08am

CT's response to lost data
I'd like to give some credit to the State of Connecticut when it comes to handling lost data. About a year ago I received a letter that they had lost an encrypted laptop with my data in it, the usual story. Except, I hadn't heard about this from the news at all. They took the initiative and contacted me.

They offered the free protection for one year. They also picked up an insurance plan to cover and losses. This wasn't the end of it though. They continued to update me about the situation. Eventually they upped the protection to two years free and made sure that the debt protection company could not auto-renew our accounts.

Overall, the entire situation hasn't really been a problem for me. The data was protected, the offer of coverage was generous and quick, and I wasn't tied into future services. Go CT.
[ link to this | view in thread ]
Ryan, 1 Feb 2008 @ 11:08am

weird
Why is it that every laptop out there seems to come pre-loaded with everybody in America's social security number. I bet it's part of that bloatware that coms with a new Dell.

I fail to see what's so important that some employee needs to be walking around with my SSN 24/7

Has anybody heard of a VPN?
[ link to this | view in thread ]
NSMike, 1 Feb 2008 @ 11:12am

Security Still a Priority
Maybe it is cheaper, but recently, the company I work for was transferring from a SQL-based payroll system to an Oracle-based payroll, and the engineer doing it left the payroll database on his laptop, on the front seat of his car, which was promptly stolen.

After that, our company implemented many costly security measures to prevent this from happening again. We got the free credit monitoring software, all that stuff. But they certainly didn't ignore the security problem. Of course, like all solutions, however, it relies on the employees following these new procedures outside of the office. Which is by no means guaranteed, but at least they have an excuse to fire the people without question now.
[ link to this | view in thread ]
Kate Jackson, 1 Feb 2008 @ 11:19am

How is irony spelled again?
LifeLock CEO was a victim of id theft too...
http://idtheft.about.com/b/2007/07/27/256753.htm

Remember the TV ads, and billboards with his SSN on it?
[ link to this | view in thread ]
BillGod, 1 Feb 2008 @ 11:45am

Sure
They just sign everyone up for freecreditreport.com
[ link to this | view in thread ]
I Watch Too Much TV, 1 Feb 2008 @ 12:03pm

They should have seen this comin at them like an atom bomb.
[ link to this | view in thread ]
Rich Kulawiec, 1 Feb 2008 @ 12:08pm

And that
1. Have you read the stories of people who've found errors in their credit reports (whether due to disclosure or just the ordinary bureaucratic malfunctions) and have tried to get them fixed?
2. Knowing that your credit report is unaltered doesn't tell you who has your data or how they're using it.
3. Not all data lost is financial in nature: how does monitoring your credit deal with loss of medical records?
4. Since whoever has the data will see the same announcement of free credit monitoring for 1 year (or 2 years, or whatever) as everyone else, they know that if they sit on the data and do nothing for 1 year (or 2 years etc.) then it's much less likely anyone will be watching then.
5. These problems follow the 1/10th of 1/10th rule that applies to any security disclosures: the number they know about is 10X the number they announce; the number that have actually happened is 10X the number they know about.
Not that any of this will change anything, of course. Nobody gets fired, nobody gets fined, no business gets shut down, not even in cases like TJX -- where the executives are busy arranging golden parachutes for each other.
[ link to this | view in thread ]
Jim (profile), 1 Feb 2008 @ 12:19pm

Laptops stolen - recovered - still no love.
We just had this happen in Nashville, TN with two election commission computers with our name/address/SSN on them. Yes we are now getting the free credit report but the local paper reports that the person who uses the laptop was told that there was no need to carry the entire SSN; all she really needed was the last four digits. She was also told by Metro IT that the data should be encrypted. She never did any of this because no one could make her.
This turns out to be more of an organizational problem than an IT or Security problem.

I would like to know everyone’s opinion on whether it is possible for the police to determine if the laptops were in fact not accessed.
[ link to this | view in thread ]
Jack Bmg, 1 Feb 2008 @ 12:41pm

Why would anyone think that one year of free credi
Once the ssn is out there, it's out there. You can ask for a credit watch for 30 days at the three reporting agencies if you think you've been compromised. What happens here is that if you apply for credit somewhere, it will be come back as "call agency" or something like that. It won't be approved until you the consumer actually talk to someone at the credit agency. Since you're in the presense of the merchant, then I guess that's good enough for the agency. Not sure what will happen with online credit apps. I guess the premise here is that if your identity is good enough for the merchant, it's good enough for the credit agency.
So, why don't the credit agencies just permanently do this? It's somewhat a hassle for the consumer, but I'll take that over getting my id stolen.
[ link to this | view in thread ]
Anonymous Coward, 1 Feb 2008 @ 12:54pm

I see a market for "creditreportpal.com". Everyone sets up an account and if a company you deal with loses data with your private info, the company deposits a year of free credit reporting to your creditreportpal account!
[ link to this | view in thread ]
Steve R. (profile), 1 Feb 2008 @ 1:18pm

The Free Service Come-on
We received one of these notices, we didn't subscribe. The reason, too many "free" offers that silently metamorphize into a paying obligation that you don't realize until the bill arrives.

Out of curiosity, has anyone subscribed to one of these offers and what happened when the free period expired?????????
[ link to this | view in thread ]
Amanya Wannahearfrom, 1 Feb 2008 @ 2:46pm

Pow! Now you've go' it!
Keep em coming junior- good job!
[ link to this | view in thread ]
Rich Kulawiec, 1 Feb 2008 @ 2:49pm

Re: Laptops stolen - recovered
It's impossible to prove that the data was not accessed. A minimally-competent person seeking to extract the data won't boot the system from its own disk drive(s) -- which would likely leave a trail (e.g., timestamp modifications). They'll boot it from either an external disk, or a CDROM/DVD, or a USB key, and simply vacuum all the data off the disk(s). Alternatively, they may take it apart and remove the disk(s), reading them elsewhere, then replacing them. (This latter method has the advantage that it's not necessary to power the laptop up at all -- just in case there's a counter in there that tracks minutes-of-operation.)
So the only prudent assumption is to make is that ALL data has been read by parties unknown and may soon become available on the open market. Of course that's not what we hear most of the time: what we hear is "there's no proof it's been accessed". That statement is worthless.
[ link to this | view in thread ]
Anonymous Coward, 1 Feb 2008 @ 5:17pm

Re: Re: Laptops stolen - recovered
Only thing you can really do is to seed the database with bogus entries.
You'll only know when the whole database has hit the open market.

A silly idea. If the database is for personal information, seed the database
with the personal information of the executive staff, IT staff and anyone who
handles/access the data...
[ link to this | view in thread ]
Eric the Grey, 1 Feb 2008 @ 6:43pm

The whole thing needs to be re-defined.
This is criminal negligence, IMO and should be treated as such. There is no valid reason fro this amount of information being taken from secure systems. These days, VPN (as mentioned above) and other forms of accessing the information from home are readily available.

EtG
[ link to this | view in thread ]
Rich Kulawiec, 2 Feb 2008 @ 4:03am

Re: The whole thing needs to be re-defined...
You're correct, Eric -- and the use of reasonably strong encryption, as we've had available for free for many years would help as well.
So would the seeding of data with known-bogus, known-trackable entries that would at least provide some hope of detecting a breach, possibly even identifying its method and giving some indication of how the data's propagating.
But all of these are just band-aids. The same problem underlies this symptom as underlies others (spam, DDoS attacks, phishing, etc.): miserably poor security. Because that's so systemic, even the countermeasures suggested here won't truly address the issue. For example, suppose VPNs were used: any attacker in control of the VPN's termination point, e.g., the laptop of the person working with the data, has full access to the VPN connection and thus whatever's on the other end of it.
The problem isn't that far better security isn't available: it is. The problem is that people/companies won't invest the time/effort/money to use it. After all, why should they? It's not their data; why should they care?
[ link to this | view in thread ]
Michael Evans, 2 Feb 2008 @ 5:23am

Keep the data secret for a year, sell it?
What's to stop someone from waiting until the company publishes the free credit monitoring, pad that out a little, and sell the data for use after that point. Sure there will be some changed data, but anyone with real cash is still living in the same places with the same profile numbers, right?
[ link to this | view in thread ]
Rich Kulawiec, 2 Feb 2008 @ 7:50am

Oh, and further stupidity
One of the best sites to track this ongoing parade is Pogo Was Right.

And one of the numerous incidents covered there today mentions a set of four desktops that were stolen -- and which contain information on several thousand people. Their former owners point out that "the desktops were password protected", either (a) unaware or (b) cynically refusing to admit that when an attacker has physical possession of the disk drives that password protection is irrelevant.
[ link to this | view in thread ]
Private, 2 Feb 2008 @ 8:34am

Privacy Statement
Consumers should begin handing out "Privacy Statement" documents when asked to give out their SSN or other private credentials.

The statement should be worded so that the party requesting the data is held responsible for the loss of said data in the event of theft, or any other type of data loss.

I've actually done this in one instance (a car rental agency) where they wanted to make a copy of my driver license. They signed my statement in return for my allowing them to make a copy of the license.

The idea behind this is simple. You're forcing the data requester to hold themselves legally accountable and responsible for your data. The best part of this is that you don't need the backing of any state or federal law to do this.
[ link to this | view in thread ]