How Large was IBM's Data Breach?
Identity Theft Looms For Millions

Drive-by Shootings, Data Breaches, and Knuckleheads

I'd like to share a story. Its relevancy to data breaches and identity theft becomes clear near the end.

Last Friday morning (Sept. 28), I woke up at 3:25 am to the sounds of gunfire outside my first-floor bedroom window. I called Boston Police and several patrol cars arrived at 3:35 am. The street outside the house next door was littered with shell casings. A car in front of the house next door had several bullet holes and spent shells on it. My upstairs neighbors heard a couple shots at 2:25 am. Other neighbors saw a red car speed off after the 3:25 am gunfire.

The police taped off our street and CSI:Boston arrived shortly thereafter... and stayed until about 5:15 am. To make a long story short, there was a drive-by shooting next door probably involving the knuckleheads who live next door. (I can't say for sure because I didn't see people.) At least 2 guns were involved. A 9mm slug pierced our living room window and landed on the floor in front of my wife's computer desk. The police found more spent shells by the side door of the house next door. The police looked for blood trails, but didn't find any.

Obviously, we are working with neighbors and police to address the problem. Bottom line: nobody in our 3-condo building was injured. Everyone is safe and unhurt.

CSI:Boston uses little numbered cones just like they do on TV. So we had some little numbered cones in the street and in our condo, too. All of the CSI reps looked like Gil Grissom clones. NONE of them looked like Sara Sidle, Catherine Willows, or Sofia Curtis. (smile) They wouldn't let us take photos.

A few days later, one person was arrested next door and this person didn't live next door. Arrested for possession with intent to distribute. Up until this event, our street had been very quiet. A state rep's/politician's family lives across the street.

What does this drive-by have to do with data breaches and identity theft?

Plenty.

In life, bad stuff happens.

Sometimes this bad stuff is the consequence of another person's actions which affect you and me. This also applies to the actions of corporations. We don't know the knuckleheads who live next door (and obviously don't want to), but their actions affected my life when a 9mm slug found its way into our living room. Similarly, I've had no relationship with IBM until they notified me in May 2007 of their February 2007 data breach.

A long time ago I learned to control what I can (myself) and not try to control what I can't (other people, places, and things).

I can't control the knuckleheads who live next door and insist on shady habits. Similarly, I can't control when one company (IBM) acquires another company (Lotus), inherits my personal data, and decides to archive former employee personal data forever. I can't control when a corporation suffers a data breach, loses my sensitive personal data, and may not have implemented sufficient data security systems.

I can't control what others do, but I can do what I can to protect myself. My wife and I are working with neighbors and police regarding the drive-by on our street to protect ourselves from a repeat event; and to ensure that the knuckleheads experience the consequences of their actions. Regarding IBM's data breach, my first step to protect myself was to use the Fraud Alert tool with the national credit bureaus. Then, I read a lot to educate myself about identity theft and data breaches. The list of resources I found is in the right column. Then, I started this blog to continue learning, to chronicle my experiences after IBM's data breach, and to network with other affected former IBM employees. When the stronger Security Freeze tool becomes available soon in my state (Massachusetts), you bet I'll use it, too.

Nobody told the knuckleheads who live next door to participate in the shady actions they have chosen. But they now have an opportunity to experience the consequences of their actions. Similarly, IBM chose to store all former employer files forever and then suffered a data breach... details about which it refuses to entirely explain. Now, IBM has an opportunity to experience the consequences of its actions.

It's human nature to try to avoid painful consequences caused by one's behavior. The knuckleheads in my neighborhood are trying to avoid responsibility. Similarly, when a company suffers a data breach, that's an opportunity for that company to experience the consequences of its actions, or lack of action: failure to protect the sensitive data it has chosen to archive. When corporate knuckleheads don't protect sensitive employee data with adequate data security processes, it's an opportunity for them to experience the consequences of their actions.

An offer of one year of free credit monitoring shouldn't be used to shift the consequences from the company to its identity-theft victims. The free credit monitoring offer should match the risk period, which is far, far longer than one year. After a data breach, identity theft victims must monitor their credit files forever, because the risk period extends forever. The risk period is the time identity thieves could abuse their personal data. The free credit monitoring service should match the risk period.

One year of free credit monitoring is not enough. Not even close.

Comments

George

Update: our street formed a Neighborhood Watch group after this event. Our group meets monthly. Last summer, we produced a successful block party... and plan to do another in 2009.

And yes, the knuckleheads next door moved. One was arrested, too. Our street is now very, very quiet -- and safer.

George
