Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This includes breaches of birthdate and SS#, not credit card accounts. According to an article in the Guardian Unlimited:
"We should treat personal electronic data with the same care and respect
as weapons-grade plutonium - it is dangerous, long-lasting and once it
has leaked there's no getting it back."
While this description sounds extreme, I have to agree with it. When IBM lost my personal data in February 2007, the personal data of mine and all of the other identity-theft victims is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.
In the article, Corey Doctorow write not just about the descriptive data (name, birth date, SSN), but all of the usage data attached to it:
"Data is acquired at all
times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travel card for London Underground, and you are required
to complete a form giving your name, home address, phone number, email
and so on in order to do so. This means that Transport for London is
amassing a radioactive mountain of data plutonium, personal information
whose limited value is far outstripped by the potential risks from
retaining it... All these people could
potentially be identified, located and contacted through the LU data.
We may say we've nothing to hide, but all of us have private details
we'd prefer not to see on the cover of tomorrow's paper."
You're probably wondering how long entities should be allowed to keep this personal data private. When should it be destroyed? Given the increasing capacity for digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow, argues:
"A century is
probably a good start, though if it's the kind of information that our
immediate descendants would prefer to be kept secret, 150 years is more
like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200
years, that means that every single person who will ever be in a
position to see, copy, handle, store, or manipulate that data will have
to be vetted and trained every bit as carefully as the folks in the
rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are
asked to shoulder the cost of the long-term care of business and
government's personal data stockpiles. When a database melts down, we
absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."
The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.
Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.