Europe

Friday, April 18, 2008

Women More Likely Than Men To Give Passwords To Strangers For Chocolate

When I read this news story, at first I thought that it was a humorous hoax. But, it's no joke. This is serious. According to InformationWeek:

"Women are four times more likely than men to surrender their computer passwords for chocolate, according to a survey of 576 office workers conducted outside Liverpool Street Station in London by Infosecurity Europe. According to the survey, 45% of women revealed their passwords to strangers posing as market researchers for a chocolate bar, compared to 10% of men. Apparently the overall percentage of password-yielding respondents this year (21%) represents an improvement over 2007, when 64% of respondents traded their security for a few moments of chocolaty goodness."

I spent part of a summer in 2004 living and working in London. I found the people there very friendly, and there was a wide variety of great pubs. I'd love to visit London again. In fact, my photo in the right column is from my London Tube pass.

Claire Sellick, Event Director of Infosecurity Europe, emphasized the consequences of a lax attitude towards the security of personal data:

"... that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud."

Monday, January 28, 2008

Is Your IP Address Personal Data?

FYI... this news story caught my attention, since government policy and legislation affect how companies protect (or don't protect) consumers' personal data:

"An official of the European Union has contradicted Google Inc. and said IP addresses should, for the most part, be regarded as personal information, according to reports Monday. When someone can be identified by an Internet protocol address "then it has to be regarded as personal data," AP quoted Germany's data protection commissioner, Peter Scharr, as saying. Mountain View-based Google disagrees, AP reported, and says an IP address identifies the location of a computer but not the individual user."

To learn more, see this Associated Press (AP) news story.

Wednesday, January 23, 2008

Treat Consumers Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This applies above all to breaches of birthdates and Social Security numbers, which, unlike credit card accounts, cannot be cancelled and reissued. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. IBM lost my personal data in February 2007, and that data, mine and that of all the other identity-theft victims, is just as valuable to a thief today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Cory Doctorow writes not just about the descriptive data (name, birthdate, SSN), but about all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to retain this personal data. When should it be destroyed? Given the increasing capacity for digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, whether corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed in a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.

Monday, January 14, 2008

Twice Bitten: Acts of Stupidity Can Lead to Identity Theft

Chris Soghoian has an excellent post in his CNET Surveillance State blog:

"A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened."

Soghoian wrote:

"Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address."

Clarkson quickly changed his opinion of identity theft after an identity thief used Clarkson's published account details to set up an automatic bank transfer from his account to the Diabetes UK charity.

Recently, a friend in Oakland called to ask me about LifeLock. Soghoian has clearly "connected the dots," since he also wrote about LifeLock in the same post:

"Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters. Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number."

If you are considering LifeLock for a credit monitoring service, I also encourage you to read this Phoenix New Times article before making a decision.

Thursday, November 29, 2007

Doctors May Be Fined For Not Protecting Patients' Data

From the ZDNet U.K. site:

"Doctors who lose confidential patient information should be held accountable for the loss, according to the Information Commissioner's Office. Information commissioner Richard Thomas, giving evidence at a House of Lords Constitution Committee inquiry into data collection and surveillance on Wednesday, proposed that a doctor who is found to be "flouting data-protection principles" should be fined £5,000 by magistrates, or alternatively face an unlimited fine in a Crown Court."

I agree 1,000 percent. Given the problems with identity theft in the healthcare industry, this should be the law here in the USA, too.

Monday, November 26, 2007

When Heads Must Roll (UK Data Breach)

Last week, BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The package was sent by courier, neither recorded nor registered. The data was password protected but not encrypted: a password prompt in the application used to open the files does nothing to protect the underlying bytes, which anyone holding the discs can read directly. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, described the HMRC data breach clearly:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized... HMRC's data security issue was twofold: first the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed."

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?

Friday, October 12, 2007

Data Security is Key to UK Consumers' Trust

Consumers' concerns about data security are growing in Europe just as they are in the USA. A recent article in ZDNet UK's Security Management Toolkit reported:

"Safeguarding customer data should be a priority for UK companies — because consumers here place great store on how businesses treat their information, according to research."

The supporting statistics:

"Out of eight European nations, UK nationals stand out as the most concerned their data is kept safe. Eighty-one per cent of Britons polled by Unisys said an organisation's ability to keep their data safe is a key trust-building attribute. This compares to 42 percent of French respondents, 40 percent of Belgians and 35 percent of German consumers."

More importantly, consumers' trust is affected by how well companies protect consumers' personal data:

"The UK also leads the way in believing inadequate data privacy protection leads to an erosion of customer trust. Seventy-six percent of Brits feel this is the case, followed by 62 percent of consumers in Spain and 58 percent in France."

We Americans are not alone with our data security concerns. Safeguarding customer, employee, and former employee data should be a priority not only for UK companies, but also for multinational corporations and their partners/contractors. We live in a global economy. Money moves globally. Personal data moves globally, too.


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.
Blog powered by TypePad
