This article is reprinted from TEQ Magazine, a publication of the Pittsburgh Technology Council.
Since we last wrote about stemming the tide of identity theft in the workplace in the July/August 2005 issue of TEQ, the news of incidents of serious security breaches involving personal information has not subsided. In fact, identity theft has continued its rapid and dangerous rise to the detriment of both businesses and consumers.
For example, on December 16, 2005, ABN AMRO notified their customers that a tape containing information about residential mortgage customers was lost while being transported by DHL courier service to a credit reporting company.
The computer tape presumed lost was subsequently located and returned to their data processing center a few days later. Nonetheless, ABN AMRO is continuing to investigate, with DHL, the circumstances surrounding the time that elapsed before the tape was recovered and whether any personal information was taken during that period.
The popular Atlantis Hotel in the Bahamas issued a statement on January 9, 2006 that names, addresses, social security numbers, credit card numbers and driver's license numbers had been compromised from a database containing personal information for approximately 55,000 guests.
Pittsburgh has not emerged unscathed from the rash of news regarding the theft of personal information. On January 1, 2006, the Pittsburgh Post-Gazette reported that a UPMC-owned Squirrel Hill family medical practice began notifying approximately 700 patients that personal information may have been compromised when six computers were stolen from the doctors' offices.
In fact, computer experts have noted that 2005 was the worst year on record for computer security breaches, with approximately 130 reported breaches that exposed more than 55 million Americans to potential identity theft. Identity theft has become big business.
One U.S. Treasury Department official commented to USA Today that cybercrime proceeds in 2005 were $105 billion - greater even than those of illegal drug sales! Keep in mind, those are just the reported breaches. In response to this alarming number of corporate security breaches involving personal information, the Federal Trade Commission has begun taking a hard-line stance toward businesses whose policies and procedures do not adequately protect personal information.
On January 26, 2006, the FTC announced that ChoicePoint, Inc., a company that buys and sells personal information of consumers (including Social Security numbers, employment records and credit histories), agreed to pay a record $10 million civil penalty and $5 million for consumer redress to settle the FTC's charges that ChoicePoint's lax security and record handling procedures violated the Fair Credit Reporting Act (FCRA) and the FTC Act. Specifically, the FTC alleged that ChoicePoint violated the FCRA by providing credit histories to individuals who did not have a legitimate purpose for using such reports and violated the FTC Act by making false and misleading statements about its privacy policies which ultimately led to the compromise of consumer financial data for more than 160,000 individuals.
The final order also requires ChoicePoint to establish, implement and maintain a comprehensive information security program that protects consumers' personal information.
To ensure that ChoicePoint's policies are adequately protecting consumer information, ChoicePoint must be audited every two years to meet the standards of the settlement. The following statement from FTC Chairwoman Deborah Platt Majoras, issued in connection with the ChoicePoint settlement, is a clear indication of the aggressive stance that the FTC intends to take toward companies that fail to protect consumer data: "The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves. Data security is critical to consumers and protecting it is a priority to the FTC, as it should be to every business in America."
With the value of personal information to cyber thieves at an all-time high, and with a clear enforcement initiative at both the Federal and state levels, Pennsylvania businesses need to take steps to ensure that data security is a top priority before it is too late. In the second part of this article, which will appear in the next issue of TEQ, we will discuss Pennsylvania's and New Jersey's different legislative responses to this problem and will suggest certain steps that businesses can take to reduce the risk of identity theft.