The Data Companies Often Keep, And Should Protect Vigorously
Monday, October 15, 2007
After my experience with IBM's data breach, I first questioned why IBM archived all former employee data forever. Then I began to wonder what types of data companies archive about their employees and former employees -- not just about their customers.
The SearchSecurity.com site has a good summary article about the types of information companies archive:
| Employee | Health | Financial |
|---|---|---|
| Name | Medical record numbers | Account balances |
| Social Security numbers | Health plan numbers | ACH numbers |
| Birth dates | Account numbers | Bank account numbers |
| Home phone numbers | Certificate or license numbers | Credit card number and expiration date |
| Health records | Device identification/serial numbers | Credit rating |
| Home addresses | Facial photographs | Income data |
| Ethnicity and citizenship | | Payment data |
| Veteran and disability status | | Account numbers |
| Email addresses | | Expiration dates |
| Drivers' license numbers | | |
This is a wealth of information. A virtual gold mine! What identity thief wouldn't want access to this? And, if you and I are aware of the wide range of information companies archive, you can be sure that identity thieves are aware, too.
What I like most about this article is that it clearly explains many of the key State and Federal US laws and standards that require companies to protect this personal data:
- California SB-1386
- HIPAA
- PCI Data Security Standard
- Gramm-Leach-Bliley Act (GLBA)
- Federal Information Security Management Act (FISMA)
I was amazed while reading this article that some privately-held companies don't think that these laws and standards apply to them:
There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally.
That passage states the problem plainly: the misconception that these laws apply only to public companies leaves many private companies holding the same sensitive data without protecting it.