Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On
from the yawn dept
We've noted in the past that it's become somewhat standard for any company who has lost the private data of its customers/employees/partners/etc. to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached such a point that companies are doing it automatically. This way, the press can simply combine two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal. With the announcement they immediately offer a year of free credit monitoring and everyone can forget about it and move on. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year's free credit monitoring as a cost of doing business. It's certainly cheaper than actually securing your data.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: credit monitoring, data leaks, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
CT's response to lost data
They offered the free protection for one year. They also picked up an insurance plan to cover and losses. This wasn't the end of it though. They continued to update me about the situation. Eventually they upped the protection to two years free and made sure that the debt protection company could not auto-renew our accounts.
Overall, the entire situation hasn't really been a problem for me. The data was protected, the offer of coverage was generous and quick, and I wasn't tied into future services. Go CT.
[ link to this | view in chronology ]
weird
I fail to see what's so important that some employee needs to be walking around with my SSN 24/7
Has anybody heard of a VPN?
[ link to this | view in chronology ]
Security Still a Priority
After that, our company implemented many costly security measures to prevent this from happening again. We got the free credit monitoring software, all that stuff. But they certainly didn't ignore the security problem. Of course, like all solutions, however, it relies on the employees following these new procedures outside of the office. Which is by no means guaranteed, but at least they have an excuse to fire the people without question now.
[ link to this | view in chronology ]
How is irony spelled again?
http://idtheft.about.com/b/2007/07/27/256753.htm
Remember the TV ads, and billboards with his SSN on it?
[ link to this | view in chronology ]
Sure
[ link to this | view in chronology ]
[ link to this | view in chronology ]
And that
1. Have you read the stories of people who've found errors in their credit reports (whether due to disclosure or just the ordinary bureaucratic malfunctions) and have tried to get them fixed?
2. Knowing that your credit report is unaltered doesn't tell you who has your data or how they're using it.
3. Not all data lost is financial in nature: how does monitoring your credit deal with loss of medical records?
4. Since whoever has the data will see the same announcement of free credit monitoring for 1 year (or 2 years, or whatever) as everyone else, they know that if they sit on the data and do nothing for 1 year (or 2 years etc.) then it's much less likely anyone will be watching then.
5. These problems follow the 1/10th of 1/10th rule that applies to any security disclosures: the number they know about is 10X the number they announce; the number that have actually happened is 10X the number they know about.
Not that any of this will change anything, of course. Nobody gets fired, nobody gets fined, no business gets shut down, not even in cases like TJX -- where the executives are busy arranging golden parachutes for each other.
[ link to this | view in chronology ]
Laptops stolen - recovered - still no love.
This turns out to be more of an organizational problem than an IT or Security problem.
I would like to know everyone’s opinion on whether it is possible for the police to determine if the laptops were in fact not accessed.
[ link to this | view in chronology ]
Why would anyone think that one year of free credi
So, why don't the credit agencies just permanently do this? It's somewhat a hassle for the consumer, but I'll take that over getting my id stolen.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The Free Service Come-on
Out of curiosity, has anyone subscribed to one of these offers and what happened when the free period expired?????????
[ link to this | view in chronology ]
Pow! Now you've go' it!
[ link to this | view in chronology ]
Re: Laptops stolen - recovered
It's impossible to prove that the data was not accessed. A minimally-competent person seeking to extract the data won't boot the system from its own disk drive(s) -- which would likely leave a trail (e.g., timestamp modifications). They'll boot it from either an external disk, or a CDROM/DVD, or a USB key, and simply vacuum all the data off the disk(s). Alternatively, they may take it apart and remove the disk(s), reading them elsewhere, then replacing them. (This latter method has the advantage that it's not necessary to power the laptop up at all -- just in case there's a counter in there that tracks minutes-of-operation.)
So the only prudent assumption is to make is that ALL data has been read by parties unknown and may soon become available on the open market. Of course that's not what we hear most of the time: what we hear is "there's no proof it's been accessed". That statement is worthless.
[ link to this | view in chronology ]
Re: Re: Laptops stolen - recovered
You'll only know when the whole database has hit the open market.
A silly idea. If the database is for personal information, seed the database
with the personal information of the executive staff, IT staff and anyone who
handles/access the data...
[ link to this | view in chronology ]
The whole thing needs to be re-defined.
EtG
[ link to this | view in chronology ]
Re: The whole thing needs to be re-defined...
You're correct, Eric -- and the use of reasonably strong encryption, as we've had available for free for many years would help as well.
So would the seeding of data with known-bogus, known-trackable entries that would at least provide some hope of detecting a breach, possibly even identifying its method and giving some indication of how the data's propagating.
But all of these are just band-aids. The same problem underlies this symptom as underlies others (spam, DDoS attacks, phishing, etc.): miserably poor security. Because that's so systemic, even the countermeasures suggested here won't truly address the issue. For example, suppose VPNs were used: any attacker in control of the VPN's termination point, e.g., the laptop of the person working with the data, has full access to the VPN connection and thus whatever's on the other end of it.
The problem isn't that far better security isn't available: it is. The problem is that people/companies won't invest the time/effort/money to use it. After all, why should they? It's not their data; why should they care?
[ link to this | view in chronology ]
Keep the data secret for a year, sell it?
[ link to this | view in chronology ]
Oh, and further stupidity
One of the best sites to track this ongoing parade is Pogo Was Right.
And one of the numerous incidents covered there today mentions a set of four desktops that were stolen -- and which contain information on several thousand people. Their former owners point out that "the desktops were password protected", either (a) unaware or (b) cynically refusing to admit that when an attacker has physical possession of the disk drives that password protection is irrelevant.
[ link to this | view in chronology ]
Privacy Statement
The statement should be worded so that the party requesting the data is held responsible for the loss of said data in the event of theft, or any other type of data loss.
I've actually done this in one instance (a car rental agency) where they wanted to make a copy of my driver license. They signed my statement in return for my allowing them to make a copy of the license.
The idea behind this is simple. You're forcing the data requester to hold themselves legally accountable and responsible for your data. The best part of this is that you don't need the backing of any state or federal law to do this.
[ link to this | view in chronology ]