Welcome to the Identity theft mini wiki at Scratchpad!
You can use the box below to create new pages for this mini-wiki. Make sure you type
[[Category:Identity theft]] on the page before you save it to make it part of the Identity theft wiki (preload can be enabled to automate this task, by clicking this link and saving that page. Afterwards, you may need to purge this page, if you still see this message).
Security of Personal and Private Information in the Hands of Others
Identity theft: an incident where a person possesses or uses, through any means, identifying information of another person without consent of that person to further any unlawful purpose.
This wiki is a study of identity theft as a result of lack of security, education and legislation. It challenges the notion of privacy, safety and trust. Identity theft has become a pervasive issue in all realms of American life, but perhaps most dauntingly in our government and military.
Our mission is to inform others of the perils of having their own private/personal information on databases that are out of their control, by outlining examples, ethics, legislation and prevention methods.
When a person registers for a college, applies for a credit card, submits information to a workplace, or sees a doctor, it is assumed that the personal and private information that is placed in the hands of a credible person, business or institution is safe. Unfortunately, that is simply not the case. Personal and private information that is stored on computers or information systems that are out of our own possession and control can be at grave risk. With the amount of personal information that organizations have and the way it is stored, everyone is at risk for having their personal information fall into the wrong hands. The computer or information system hardware is at risk for having hard drives stolen. Laptops and external hard drives are particularly vulnerable, because they are so portable and easily stolen. Computers and information systems that are connected to the Internet make internally stored data records vulnerable to hacker theft. Many organizations and employees are not taking the necessary precautions to protect the information they possess. The following are some incidents of what has happened to some very personal information that has been entrusted to professionals and organizations.
Examples of Computer Breaches
The U.S. Department of Veterans Affairs has had several incidents of losing data. In February 2007 a hard drive was stolen that contained 1.8 million veterans’ and doctors’ information. A portable hard drive also went missing that contained 48,000 veterans’ records. A computer was stolen from a subcontractor working for the VA during August of 2006 containing up to 25,000 records. In May 2006 a burglar stole electronic data on 26.5 million veterans from the home of a federal employee. (Which begs the question, why did the employee have that kind of information at home?)
In November 2006, a computer was stolen from the Veterans’ Hospital in Manhattan that contained 1,600 veterans’ sensitive records, including medicine information and social security numbers. It was a computer that was also used to store the results of a pulmonary testing device. So, all the testing results were gone. A laptop was stolen from a U.S. Marine Corps subcontractor at Camp Pendleton containing personal information on 2,400 marines. In July 2006 the U.S. Navy found that two laptops were missing. They were reported missing a month after the occurrence in case they happened to turn up somewhere. They contained personal data on 31,000 recruiters and prospective recruits. In October 2006 the U.S. Army found that 21 laptops were missing or stolen over a two-year period.
Colleges and universities in 10 states had computer information breaches. In California, a laptop with 3,020 students’ names and social security numbers was stolen from a professor’s home. In Colorado, two laptops disappeared from an office while being moved to a different location on the college campus. In health care centers and hospitals in seven states there were computer information breaches. A laptop was stolen from an employee’s vehicle that contained sensitive hospital information. One hospital just found important information missing from its information system databases.
Almost every government agency has experienced the loss of important data. The FBI had a laptop stolen. It didn’t know if there was classified information on it or not. In fact, the FBI doesn’t know which laptops agents have that contain national security information. In a study conducted by the FBI, a hired consultant tried to hack into the FBI’s system. This person managed to crack the FBI’s classified computer system, find the passwords of 38,000 employees, gain access to the Witness Protection Program, and access details on counterespionage activity. The consultant said that agents themselves had approved and aided the break-ins. Also, the Federal Trade Commission, the U.S. Department of Commerce, the U.S. Department of Education, the U.S. Department of Transportation, and the U.S. Department of Agriculture have all had data breaches. The IRS had 478 laptops lost or stolen.
State and local governments also have information contained on databases about people. The state of New York loaned a computer to a subcontractor with info from 540,000 injured workers on it.
In the private sector, the breaches of personal and private information also happen. Several insurance companies have lost lockboxes containing disks or tapes holding customer data. Several large corporations have lost employee and customer information, social security numbers, pension information, and medical information. Banks and investment companies have reported losses of data.
The biggest problems involve important information being put on laptops that have the capability of being carried off the premises of the office or agency. Another big problem involves Internet connections with computers containing private, personal data. When are companies and the government going to realize this is a huge problem? When are companies and agencies going to treat the information that has been entrusted to them as if it were their own personal and private information? When are organizations going to correct the irresponsibility of their employees in how they handle personal data? After the occurrence of a breach, it is very, very expensive to recoup the lost information. A better way is to protect the information in the first place from being “lost” or stolen.
What should be done about it? Ethics and cyber-ethics
Ethics and cyber-ethics when dealing with the security issues as pertained to these incidents are basically one and the same: people shouldn’t steal the personal information of others. However, there have been personal opinions voiced in the news about how organizations, and specifically, the Veterans Administration, should have dealt with security breaches.
An opinion piece in The Herald Tribune said that “Congress should find out if telecommuters…are a factor in lax security,” and also that “Federal agencies must make it clear that data security rules will be strictly enforced and that violators will be punished.” Clearly, some think that the government's professional policies need to be more black-and-white, especially since several security breaches have happened in the past year. Perhaps this suggests, too, that government employees need to have stricter personal ethics.
Many research articles have focused on the need for educating school children on cyber-dangers, including protecting personal information. Perhaps it should be required of government employees, as well. If, in fact, telecommuters, who can take company laptops home to work, are the root of the security problems, then these people should be held responsible. However, the government, as well as any organization, should know better than to store personal information on easily accessible electronic devices, such as laptop computers and portable hard drives. Awareness is important when dealing with these issues because the many cases listed above illustrate how easily personal information can be compromised through the use of, or simply the acquiring of, technology.
Companies need to be aware that even though it may be simpler to store their clients’ information on portable devices, those devices can also be stolen more easily. Companies should then take extra measures to protect their clients from ending up as victims. Consumers also need to be aware that these situations can happen, and take extra measures to protect their information. For example, consumers can choose to only give personal information that is absolutely required of them—in other words, the bare minimum. The more consumers, companies and employees know about protecting personal information, the harder it will be for that information to be compromised.
What has been done about it? Legislation across the nation
- Federal Information Security Management Act(FISMA) of 2002: It requires every government agency to secure the information and information systems that support its operations and assets, including those managed by another agency, contractor or other source.
- The HR 5835, a.k.a. the Veterans Identity and Credit Security Act of 2006: It was introduced to address weaknesses in the management of the Department of Veterans Affairs in regards to the security breach of May 2006, where a laptop was stolen. It allows remediation of identity theft for a veteran or other individuals whose personal information is compromised by the VA. This includes credit protection services and fraud resolution services upon request of the individual. Although this bill was passed by the House, it still has not passed through the Senate.
- On Mar. 7, 2006, the Internet Safety Law was passed in Virginia: Virginia public schools will be required to teach students about Internet safety.
- ESS (Essential Security Software): The company is lobbying for the VA to adopt the company’s software. ESS provides software for data encryption and security.
Ideas for prevention of identity theft
The government and military should not place information on publicly viewed sites, should shred important documents, and should not discard computers without cleaning the hard drive.
Universities mostly need protection from hackers. They should consider hiring a person to make data airtight, keep firewalls updated, issue access pin numbers to students instead of using social security numbers, and conduct audits for Hacker Safe awareness.
Medical offices seem to have a problem with laptops being stolen. Therefore, they should not store information on laptops. Also, all patients’ data should be encrypted. They should be cautious of storing social security numbers, even though health care providers should stop using social security numbers all together. In fact, IBM has created software that does not require the recording of social security numbers. This software complies with regulations outlined by the Health Insurance Portability and Accountability Act of 1996.
We all need to remember where identity thieves steal information: from computers, trash, bank statements, and credit card statements or offers.
Finally, we all should not store our social security cards or numbers in our wallets; never give personal information to solicitors; take advantage of free credit reports; use our ATM cards wisely; and secure our personal information at home in a lockbox or other area that is safe.
Examples of Computer Breaches
West, Jim. "Stealing data the old-fashioned way: a recent rash of laptop thefts is a reminder that security breaches are not just the result of "cybercrime."." Find Articles. 15 Oct 2006. Risk & Insurance. 3 Mar 2007 <http://findarticles.com/p/articles/mi_m0BJK/is_13_17/ai_n16808698>.
Raiford, Dave. "Cyberthreats: Computer system breaches come in many forms." 23 Nov 2001. Nashville Business Journal . 3 Mar 2007 <http://www.bizjournals.com/nashville/stories/2001/11/26/focus2.html>.
"More T.J. Maxx, Marshall's shoppers at risk from computer system breach." 21 Feb 2007. Detroit News. 3 Mar 2007 <http://www.detnews.com/apps/pbcs.dll/article?AID=/20070221/UPDATE/702210431>.
Trounson, Rebecca. "Major breach of UCLA's computer files." 12 Dec 2006. LA Times. 3 Mar 2007 <http://www.latimes.com/technology/la-me-ucla12dec12,0,5352062.story?track=rss>.
Weiss, Eric M. "Consultant Breached FBI's Computers." 6 July 2006. Washington Post. 3 Mar 2007 <http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489_pf.html>.
Akron Children's Hopital. 3 Mar 2007 <https://www.akronchildrens.org/cms/site/16e6640c0d4a89d8/index.html>.
Radnofsky, Mary L. Ph.D.. "Corporate and Government Computers Hacked by Juveniles." The Socrates Institute. 28 Feb 2007 <http://www.socratesinstitute.org/>.
“Data Security Risks.” HeraldTribune.com. 11 June 2006. Sarasota Herald-Tribune. 6 Mar. 2007. <http://www.heraldtribune.com>.
"Congressman Lungren Supports the Security of Veterans Personal Information." 13 Feb. 2007. <http://www.house.gov/list/press/ca03_lungren/VAITsecurity.html>.
“Federal Information Security Management Act.” AICPA.org. 2007. The American Institute of Certified Public Accountants. 15 Feb. 2007. <http://infotech.aicpa.org>.
“Federal Information Security Management Act Implementation Project.” Computer Security Division. 8 Mar. 2006. US Commerce Department. 15 Feb. 2007. <http://csrc.nist.gov/sec-cert/>.
Helderman, Rosalind S. “Law Tells Schools to Teach Students about Online Safety.” Washingtonpost.com. 2 Apr. 2006. The Washington Post Company. 15 Feb. 2007. <http://www.washingtonpost.com>.
I Want My ESS. 2006. Essential Security Software, Inc. 20 Feb. 2007. <http://www.iwantmyess.com/?p=165>.
“Veterans Affairs Committee Considers Legislation to Protect Veterans from Data Theft, Authorizes New VA Medical Centers, Promotes ‘Hire a Veteran’ Week.” 20 July 2006. House Committee on Veterans Affairs. 15 Feb. 2007. <http://veterans.house.gov/news/109/7-20-06.html>.
“How Can You Decrease Your Risk of Becoming a Victim of Identity Theft?” Identitytheftcenter.org. 24 Jan. 2003. Identity Theft Resource Center. 6 Mar. 2007. <http://www.idtheftcenter.org/html/prevention_tips.htm>.
Identity Theft Prevention. 2006. Identity Theft Refuge. 6 Mar. 2007. <http://www.identitytheftrefuge.com/>.
Powell, Eileen Alt. “Federal Laws Protect Consumers’ Savings.” FoxNews.com. 20 July 2006. Associated Press. 6 Mar. 2007. <http://www.foxnews.com/wires/2006Jul20/0,4670,BizOntheMoney,00.html>.
“Protect Yourself from Identity Theft!” Identitytheft.org. 2005. Porpoise Press, Inc. 6 Mar. 2007. <http://www.identitytheft.org/protect.htm>.
“The Ultimate Guide to Identity Theft Prevention.” Ask the Advisor. 13 Oct. 2006. Your Credit Advisor. 6 Mar. 2007. <http://www.yourcreditadvisor.com/blog/2006/10/the_ultimate_gu.html>.