The following text is copyright 2005 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
A personal touch
by: Scott Bradner
Well that did not take long. Just after the window on last week's column closed came the announcement that Bank of America had lost some backup tapes containing personal information for a large number of federal employees, including some of the Congresscritters I ended last week's column with. Now that they have been personally impacted maybe Congress will actually get tough with the businesses that toss around your and my personal information like so much used dog food.
The Bank of America announced that some tapes had gone missing while being shipped to a backup data center last December. (http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050225.04.htm) The tapes contained information, including Social Security numbers, on 1.2 million accounts. Press reports said that Senator Charles Schumer (D-NY) reported that he had been told that the tapes were likely stolen by baggage handlers. The bank's press release said that they had seen no unusual activity in the accounts so far. The bank also said that it would be sending letters to everybody whose account information might have been on the missing tapes.
There are a couple of things kinda funny about this story. I will admit that I do not know any baggage handlers, but I find it hard to imagine that computer backup tapes would be the first thing that a thieving baggage handler would go after. Also, the bank's press release said "the privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously." If that were actually true the tapes would, at the very least, have been encrypted. If the tapes were encrypted using a good encryption algorithm I would expect the bank to have quickly said that. So maybe the bank was not doing all it could to safeguard the information. This should be an object lesson to all of you who ship unencrypted private data via insecure transport (including the Internet).
Senator Schumer also complained that the Westlaw People Finder commercial service could be easily exploited to get personal information, including SSNs, for more than 160 million people. He said that his staff used the service to get SSNs for Vice President Dick Cheney and Internet video star Paris Hilton (who had her own problems with the release of private information the same week). As I pointed out last week, I can understand why Westlaw might want to support looking someone up using a SSN but I see little reason to report back SSNs unless your purpose is to facilitate identity theft.
Congress passed a quite strict law protecting the privacy of video tape rental records (http://assembler.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002710----000-.html) after the rental records of someone that a number of people in Congress felt strongly about, Supreme Court nominee Robert Bork, were published in the press. Just maybe now that some Senators are directly threatened by a breach in data protection caused by poor practices by the third largest bank in the U.S. they will pay attention and do something serious. The chances are far better this week than last when the threat was just to 145,000 non-Congress people.
disclaimer: Harvard has not expressed an opinion on the ability of Congresscritters to understand things that do not happen directly to them so the above speculation is mine.