New York Times Data Breaches article

The New York Times pubished an article yesterday which has a kind of tongue-in-cheek approach to the data theft which has been taking place at companies around the United States and Canada.

A survey of 484 United States-based information technology departments within business or governmental organizations…found, among other things, that more than half of corporate laptops contained unprotected sensitive data, that one in 10 laptops is stolen and that 97 percent of those are never recovered. The study also found that 81 percent of firms reported that an “electronic storage device such as a laptop” specifically containing sensitive or confidential information had been lost or stolen in the past year.

If nothing else, the Commerce Department can be comforted by the fact that its loss of 1,137 laptops over the last five years is hardly unusual.

This kind of toungue-in-cheek comment is sort of the way I approach identity theft. The problem is so big, and the misinformation in the marketplace so prevalent, that, as the NYT states; “the volume of lost consumer data remains almost comically epidemic.”
The biggest problem is that our social security numbers are so valuable, and so universally used.
But that’s not going to change any time too soon. The lobbies for insurance, credit, and the banking industry as a whole are simply too large, and too powerful, for any smaller initiative to achieve any really valuable change in the way our social security numbers are used. (I will be talking about an interesting patent tomorrow though.)

The article goes on to say that Joseph Ansanelli, the chief executive and founder of Vontu, who has testified before Congress on privacy problems, says that although that is necessary for companies to have passwords and encryption technologies in place, the more important thing to do is to establish a policy for your company on how to deal with data.

“Only by focusing on understanding where data is stored and where it is going can organizations better protect information and prevent it from being carried or sent insecurely,” Mr. Ansanelli said. “Taller fences or more locks on the doors won’t help.”

I couldn’t agree more.
What’s confusing is that the article points out that if companies don’t start doing this on their own, then the government may be forced to step in and start requiring companies to create policies for data protection.
Well, here’s the thing that they seem to have missed.
Congress has already stepped in.
There is a law called FACTA. I’ve written several articles on FACTA (which have been widely plagaried), and done a FACTA video presentation, explaining that under the FACTA disposal provision, if you don’t destroy information, and it leads to Identity Theft, then there are federal fines of up to $2,500.00, and state fines up to $1,000, per employee, per incident. The business is liable for any damages the individual suffers as the result of a breach of information, and can be taken to court for this.
HIPAA (Expansion of the original happened in April 2006)
This refers to Health Information – but for any employer who loses employee information, the penalties can be up to $250,000/employee/incident, AND those responsible can actually serve jail time.
Gramm-Leach-Bliley Safeguards Rule
For any employer who loses employee information, the penalties can be up to $1,000,000/employee/incident, those responsible for losing the information can actually serve jail time, AND they can be held criminally liable for the actions committed by the Identity Thief.
I don’t know about you, but these seem like some pretty intense penalties to me. So it’s confusing that the New York Times published a respected expert on Identity Theft saying that :

“if organizations do not stop the insanity of data loss, Congress will be forced to act and mandate new protections for all this information”

Congress has already put the mandates in place. The problem is that most small to medium-sized companies don’t know that the mandates exist. If they lose the information and are taken to court, they will likely no longer be in business.
To ask questions on how this affects your company, click here.