After my experience with IBM's data breach, I first questioned why IBM archived all former employee data forever. Then I began to wonder what types of data companies archive about their employees and former employees -- not just about their customers.
The SearchSecurity.com site has a good summary article about the types of information companies archive:
- Social Security numbers
- Home phone numbers
- Ethnicity and citizenship
- Veteran and disability status
- Driver's license numbers
- Medical record numbers
- Health plan numbers
- Certificate or license numbers
- Device identification/serial numbers
- Bank account numbers
- Credit card numbers and expiration dates
This is a wealth of information. A virtual gold mine! What identity thief wouldn't want access to this? And, if you and I are aware of the wide range of information companies archive, you can be sure that identity thieves are aware, too.
What I like most about this article is that it clearly explains many of the key US state and federal laws and standards that require companies to protect this personal data:
- California SB-1386
- PCI Data Security Standard
- Gramm-Leach-Bliley Act (GLBA)
- Federal Information Security Management Act (FISMA)
I was amazed while reading this article that some privately-held companies don't think that these laws and standards apply to them:
There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally.
That misconception is the heart of the problem: the obligation to protect this data follows the data itself, not the ownership structure of the company that holds it.