
LAW&TECHNOLOGY: The Year of the Data Valdez?
Feb 24, 2003
THE LAST FEW weeks have seen an epidemic of “Data Valdez” events: “spills” of large amounts of personal data, in some cases affecting millions of people. Most of these recent events are quite serious and can lead to significant increases in identity theft.
Government, corporations, and even individuals have the capabilities to gather large amounts of personal information about other people. In many cases we want others to have information about us. For example, we want a doctor to know about our medical conditions so that they can treat us. But when data gatherers don’t use adequate security to secure the information that they are holding, the result can be unfortunate.
I view a Data Valdez event as occurring when information that has been gathered is accidentally made available on the Internet or in some public space, and becomes accessible to those who should not have access to the information.
February is the Month for Sharing—Your Personal Information!
• February 4, 2003: an information management company in Canada lost a computer disc containing the personal information of more than 1,000,000 people. A class action suit has been filed.
• February 7, 2003: a Kentucky state computer that had been marked as surplus (and was about to be sold) was found to contain files on thousands of individuals, many of whom were diagnosed with AIDS. Fortunately, the computer was never out of state custody.
• February 14, 2003: in Seattle, a Boeing machinist bought a disc for $1 that turned out to contain the names, workplaces, salaries and social security numbers of about 800,000 people.
• February 14, 2003: FTD.com (the florist) had to fix a security flaw that allowed others to view contact information and possibly credit card information of customers.
• February 18, 2003: a hacker breached a security system to get access to as many as 5,600,000 VISA and MasterCard credit card numbers.
And February isn’t even over yet. The biggest Data Valdez of the month may have happened on February 21, when the personal information of 35 million AOL customers may have been exposed. Hackers apparently accessed AOL’s “Merlin” database by a variety of methods, including tricking AOL employees into accepting files containing Trojan Horses.
Requiring Companies to Inform You of Security Breaches
You would think that at the very least you’d be notified when your data has been exposed. However, many companies, fearing negative publicity, decide to delay notification to people, or they deny the breach altogether. Last year, over 200,000 California state workers had their personal information compromised, including their social security numbers, but were not notified about the situation until weeks after the breach occurred.
California has now passed a law to prevent this from happening again. SB1386, which will take effect on July 1, 2003, requires companies that suffer a security breach to inform California residents that a breach has occurred. To trigger the law, the breach must involve not only customer names, but also social security numbers, driver’s license information, or credit card information. Companies that fail to disclose the breach face civil liability.
On the other hand, the Homeland Security bill passed last year grants companies anonymity if they report breaches to the Federal government. Given the current administration’s penchant for secretiveness, it would seem that this law would allow companies to hide their security flaws from the public, thus limiting the recourse that individuals have when they have been harmed in this way.
Although I’d like to think otherwise, with more and more information online, no effective penalties for companies that fail to secure it, and no recourse for consumers, 2003 could easily be the year of the Data Valdez.
What you can do
• Contact VISA and/or MasterCard to see if any of your credit cards have been compromised.
• When doing business with brick and mortar companies, ask them about security, and let them know that you take protection of your information very seriously. Related to this, don’t hand over personal information to companies unless they absolutely need it. Be firm.
• Read privacy policies carefully – if you don’t feel comfortable about the level of security that a company is using, don’t do business with them.
• California is the only state that has a law that requires companies to disclose that they’ve suffered a security breach. Contact your representatives and let them know that you’d like to require that companies disclose this important information to individuals.
Reader Comments
Jennifer | Feb 25, 2003 | San Diego | teacher
Hopefully, Washington will pass the same law passed in California (2001 CA SB 168 and 2002 CA SB 1730) that allows people to apply a PIN or password to their credit files and control access to who is looking at these records. With credit files "frozen" and releasable to potential creditors only with the PIN known only to the true owner of a social security number, identity thieves will not be able to get credit in someone else's name, even if they have that person's name, date of birth, SS number, mother's maiden name, etc. This is because few lenders will issue a credit card, car loan or rent an apartment if they cannot check the applicant's credit history and credit score. See California SB 168 on this website: fightidentitytheft.com
Leon | Apr 17, 2003 | Los Angeles | Auditor
Citizens must contact their representatives and continue to fight to make private information secure. Companies will not spend a dime if there are no teeth behind the rulings.