PGP Blogs

The 2007 Seasons Greeting: "We've lost your data. Happy holidays!"
19 Dec, 2007

Back on January 2 of this year, I wrote that 2006 would be remembered as the "Year of the data breach," and expressed my hope that 2007 would be remembered as the "Year of Secure Data." Proving the utter folly of making predictions about the future, 2007 didn't exactly turn out that way. As 2007 draws to a close, it's clear that it was a far worse year for data breaches than 2006. In fact, we didn't even make it out of January before T.J. Maxx announced it had lost the personal information of 93 million people, making this the largest loss of personal information in history. The company disclosed last week that it expects to spend at least $500 million dealing with the breach because it now faces 19 separate lawsuits and investigations by the FTC and 37 state Attorneys General.

As the year progressed, we saw announcements of material data breaches from the U.S. Department of Veterans Affairs (48,000 records), Johns Hopkins (135,000 records), the U.S. Census Bureau (246 laptops containing personal information), Neiman Marcus (160,000 records), Merrill Lynch (33,000 records), and dozens of others. For a complete list of data breaches disclosed in 2007, go to the Privacy Rights Clearinghouse.

Then to put an exclamation point on the year, the British government disclosed that its Treasury department had lost extensive personal information of 25 million subjects. This time, the culprit wasn't a lost laptop, but two CDs that a tax office employee put in the mail…and the disks haven't been seen since. As the Economist observed, "To err is human, but some blunders are so egregious that they fall into the ‘you couldn't make it up’ category."

What's clear—based on the number of disclosures and the broad range of private and public institutions that have experienced them—is that no enterprise is immune. A new study recently released by the Ponemon Institute proves this fact beyond any doubt. According to a summary of the report in Dark Reading, 85 percent of surveyed enterprises have experienced at least one reportable data breach in the last 12 months. More troubling is the discovery that more than 60 percent of these enterprises experienced more than a half-dozen breaches.

This revelation seems to indicate that not all enterprises that have experienced reportable breaches are taking the required actions to prevent or at least mitigate the damage being caused by the growing army of identity thieves. Just to be clear, many that did suffer data losses have taken exactly the right steps to prevent further breaches, and they are to be commended. Given the continued increase in reported breaches, however, I'm beginning to wonder who doesn't want to steal my identity. The only good news for consumers is that they can probably stop worrying if any of their personal information has fallen into the hands of criminals. We can now safely just assume it has.

I believe that institutional attitudes about protecting personal information will need to change before we see a reversal in this trend. PGP Corporation will continue to assist those enterprises that are serious about protecting the personal information of employees, partners, and customers. However, we all have a role to play in preventing identity theft from becoming the defining crime of the century. I've written previously about things you can do to avoid becoming an identity theft victim, and today I'll add one more.

If you don't feel like signing up and paying for a credit monitoring service, the other thing you can do that is extremely effective in preventing identity theft is to freeze your credit reports. In the U.S., there are separate credit monitoring agencies and all allow you to freeze your credit report for a $10 fee (or free if you’ve already been victimized). With a frozen credit report, financial institutions that might need a copy when an identity thief attempts to open an account in your name are informed they cannot access your credit history. No reputable institution will open an account under these circumstances, and your action has disabled one of the identity thief’s best tools to monetize your personal information.

If you want to open a new account or apply for a new credit card, you can easily unfreeze your report for a specified period of time or for a specific institution. To learn how to freeze your credit report, go to the state of California's website. The state has posted all the rules, instructions, and even templates of the letters you need to send to the credit reporting agencies. Note that if you're married, you need to file separate requests for you and your spouse. If you have children, experts now recommend you consider freezing their credit reports as well.

And with that suggestion, I would like to wish you and yours a very happy holiday season and best wishes for a data-safe 2008.

- Phil
