This story appeared on Network World Fusion at
Privacy: A personal touch
By Scott Bradner
Network World, 03/07/05
Well, that didn't take long. Just after the window closed on my column last week about ChoicePoint's identity theft problems came the announcement that Bank of America had a problem of its own.
The company lost some back-up tapes containing personal information for a large number of federal employees, which include some of the Congressional critters in last week's column. Now that its members have been affected personally, maybe Congress actually will get tough with the businesses that toss around our personal information like so much used dog food.
Bank of America announced that some tapes had gone missing while being shipped to a back-up data center in December. The tapes contained information, including Social Security numbers (SSN), on 1.2 million accounts. Press accounts said Sen. Charles Schumer (D-N.Y.) was told that baggage handlers likely stole the tapes. The bank's press release said it hadn't seen any unusual activity in the accounts so far. It also said it would send letters to everybody whose information might have been on the tapes.
A couple of things are kind of funny about this story. I don't know any baggage handlers, but I find it hard to imagine that computer back-up tapes would be the first things a thieving one would go after. Also, the bank's press release said "the privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously." If that was true, the tapes would, at the very least, have been encrypted. If the tapes were encrypted using a good algorithm, I would expect the bank to have quickly said that. So maybe the bank wasn't doing all it could to safeguard the information. This should be an object lesson to all of you who ship unencrypted private data via insecure transport (including the Internet).
Schumer also complained that the Westlaw's People Finder commercial service easily could be exploited to get personal information, including SSNs, for more than 160 million people. He said his staff used the service to get SSNs for Vice President Dick Cheney and Internet video star Paris Hilton (who had her own problems with the release of private information the same week). As I pointed out last week, I can understand why Westlaw might want to support looking up someone using a SSN, but I see little reason to report back SSNs unless your purpose is to facilitate identity theft.
Congress passed a quite strict law protecting the privacy of videotape rental records after the records of someone that a number of people in Congress felt strongly about - Supreme Court nominee Robert Bork - were published in the press. Just maybe, now that some senators are directly threatened by a breach in data protection caused by poor practices by the third-largest bank in the U.S., they will pay attention and do something serious. The chances are far better this week than last, when the threat was just to 145,000 non-Congress people.
Disclaimer: Harvard has not expressed an opinion on the ability of Congressional critters to understand things that do not happen directly to them, so the above speculation is mine.