VA Time Delay in Reporting Incident is a Favor to All Veterans
This entry was posted on 6/4/2006 5:15 PM and is filed under Data Compromise.
There has been a rash of data losses as a result of theft that included significant personal financial information (PFI), the most recent being the VA and Fidelity/HP Retirees. There is quite a brouhaha revolving around the fact that the VA theft incident was not reported for 2 weeks + 3 days after it was first known within the agency. While the reason for the delay is not yet known, the reality is that the delay is a favor to all veterans.
I know, there is the Freedom of Information Act, which I fully support; however, at the same time there are situations where a delay in release to the public is appropriate. Those in doubt about the value of this incident being delayed should take a close look at the prior incidents involving the private sector. There have been numerous incidents over the past two years, yet there is no public record of those data losses resulting in identity theft. I anticipate the same for the VA and HP and, by the way, I am impacted by both. This does not mean that I am not more diligent in monitoring my credit record, as a fool and his money are soon parted. However, let us take a look at the typical data loss.
A typical data loss involves a notebook computer containing PFI that is not adequately protected and is lost or stolen. Yes, I know that some of the losses have been backup tapes, and in the case of the VA it has been revealed that the VA PFI was on a portable drive. As for the tapes, that is a horse of a different color; in all likelihood, the portable drive was treated in the same manner that most stolen notebooks are treated. Unless a thief targets a notebook for its data content, which is most likely for corporate secrets rather than PFI, such losses are the result of a thief seeking compensation for the physical device's value on the secondary market. Such thieves are not interested in the content; rather, they want to fence the item as quickly as possible and distance themselves from it.
The fence also wishes to turn over the item quickly and normally formats the drive and reinstalls an operating system prior to reselling the device into the used computer market. At this point, unless the purchaser has some idea of the device's former content, the likelihood of the information ever being recovered is nil. Thus, the time delay prior to reporting such losses/thefts allows this process to be completed, protecting the information from compromise.
Am I advocating that sensitive information including PFI does not need to be better managed and protected? Certainly not. Am I advocating that those responsible for such lapses should not be punished/prosecuted? No. All those responsible should be punished/prosecuted. Much more must be done within both the public and private sectors to protect sensitive information. However, the fact remains that a sensible approach to reporting such losses should be to delay public notice for at least two weeks. Once public notice is made, benefits should be extended to all whose information has been potentially compromised. Those benefits should, as a bare minimum, include free credit reports and monitoring of one's credit information for at least three years without cost. If later information reveals that the data has been compromised and used for the purpose of identity theft, those benefits should be automatically extended for ten years.