“Stupid is as stupid does,” to borrow from Forrest Gump.
In this case it’s “Stupid is as Department of Revenue Services does.”
So as not to place blame solely on the ineptness at the DRS, which last month had one of its laptops stolen from an employee who, according to news reports, decided to take it on vacation to Long Island, placing some 100,000 residents at risk of ID theft, the pronoun can be filled in with a number of “stupids.”
The DRS doesn’t have the corner on the “stupid” market.
Witness pharmaceutical maker Pfizer, which over two months earlier this year twice had two laptops swiped, putting at risk the privacy of 17,000 current and former workers and 950 contractors. The pharmaceutical company was taken to task by State Attorney General Richard Blumenthal for its tardiness – about two months’ worth – before reporting the incidents.
Some 283,000 pensioners’ information was compromised when it was stolen from a consultant eating at a restaurant, according to the New York City Office of the Comptroller. “CGI AMS must act swiftly to combat any potential identity theft,” Comptroller William C. Thompson Jr. said. “This is an extremely serious crime, and I am outraged that the consultant created a situation in which such a theft could even take place.”
CGI AMS was hired by the city’s Financial Information Services Agency to work on the city’s pension payroll management system.
DRS and CGI AMS are in good company; Boeing (161,000 affected), AT&T (19,000), University of California at Berkeley (98,400), U.S. Department of Justice (80,000), Verizon Communications (“significant number”), Fidelity Investments (196,000), MCI (16,500), VeriSign (unknown), California Department of Health Services (21,600), Oklahoma State University (37,000), Ernst & Young (38,000), Eastman Kodak (5,800), Bank of America (18,000), North Fork Bank (9,000), Maryland Department of the Environment (unknown), Florida Department of Transportation (unknown), and who knows how many others that have failed or not yet reported thefts.
One of the largest so far reported was by the U.S. Department of Veterans Affairs; a staggering 28.6 million. In August 2006, two teens were arrested and the FBI said that no data had been stolen from the computer.
Overall, as of Sept. 11, 165,937,599 records containing personal information were affected by security breaches that also include theft of paper documents, according to Privacy Rights Clearinghouse, a nonprofit consumer organization whose aims include raising awareness of how technology affects personal privacy, responding to specific privacy-related complaints from consumers and advocating for consumers’ privacy rights.
We have talked before on these pages of holding people accountable for their actions, which has become more and more synonymous with stupidity. We applaud Blumenthal for firing off a letter to Pam Law, commissioner of the DRS, and telling her that the department should do one better for the taxpayer than proposed. He wrote that the department should provide those affected by the breach with free credit freezes in addition to the credit alerts proposed by DRS; cover the cost of credit protection for two years instead of one; provide those affected with $25,000 in identity theft insurance instead of the proposed $5,000 and “protect taxpayers against risks of misuse of confidential financial information given to Debix One Inc., an identity theft warning service hired by DRS, and stop automatic renewals at each taxpayer’s expense of the Debix service.”
Gov. M. Jodi Rell last week also wanted to make good for the department’s lack of oversight and did so in announcing a security policy governing laptops and other mobile computing devices as well as storage devices. She also told all agencies to remove all sensitive data currently on laptops that has no need to be on them.
“This new policy puts strict requirements and controls on the use of restricted or confidential data on mobile computing devices, including not only laptops but palm-sized devices such as BlackBerries and on all sorts of storage media such as floppy disks, ‘jump drives’ and CDs,” she said.
Developed by the state Department of Information Technology, the policy takes effect immediately and applies to all executive branch agencies. Some important features of the policy include the immediate reporting of a missing or stolen laptop; restrictions on placing sensitive data on laptops and portable devices; and expanding the use of secure data access “to enable field workers and other state employees to remotely access sensitive data rather than downloading data onto laptop hard drives.”
She hit the nail on the head when she said, “The bottom line is very simple: Personal information should not leave the security of state facilities except under certain carefully controlled circumstances – and then it should be safeguarded in every way.”
As technology has shrunk the ability to carry vast amounts of data, the importance and worth of the data has unfortunately shrunk as well. Take, for example, the gas station owner who affixes a large piece of wood to the key to the bathroom door. The oversize key fob serves as a reminder to the customer that he or she needs to return it to the cashier. It’s low-tech but effective.
The actual worth of the key is less than a dollar, and yet the owner wants to ensure its return so he doesn’t have to head to a locksmith to buy another.
Perhaps the mindset of the gas station owner should be adopted by government agencies and anyone who handles large amounts of personal data.
Either that or just attach a large piece of wood to that laptop.