
Some VA Laptop Theft Lessons: Don't Get Complacent Over Laptop Thefts...Bad Things CAN Happen to Any of the People Involved...And May Not be Discovered For Years

Much has been written over the past two days about the theft of the laptop from a government worker's home that contained SSNs, birthdates and names for 26.5 million U.S. veterans. 

What concerns me is a recurring, almost lackadaisical...and in some cases flippant or dismissive...attitude about these types of incidents.

One in particular on CNET News, "Veterans' data swiped in theft" captures the essence of some of the recurring themes in these incident reports.  For example:

"The good news for Veterans Affairs is that the crooks may not know what they have.  "It is possible that (the thieves) remain unaware of the information which they possess or of how to make use of it," Veterans Affairs said on the Web site.  Gartner's Litan agrees. Studies have shown that thefts of computers storing sensitive data have resulted in only a small percentage of identity theft, she says. And she added that information on millions of veterans would not necessarily yield much loot.  "Frankly, veterans don't have a lot of money," Litan said. "They aren't typically wealthy people. Criminals aren't going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That's a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals.""

Wow, this certainly is good spin from the PR department.

I don't believe such studies of computers stolen provide any type of conclusive evidence.  SSNs, names and birthdates could potentially be used YEARS after a theft to do bad things.  Just because nothing bad has BEEN DETECTED YET does not mean bad things will never be done with that information. 

Additionally, there are so many ways that this type of information can be misused by the crooks and fraudsters who have this information in hand that it is very possible that the people to whom the information applies will not find out about nefarious activity until years later.  And it doesn't matter how much money the people involved make...this seems a rather insulting statement to the victims, doesn't it?  You're too poor to worry about anyone wanting to do crime with your information?  C'mon now...individuals don't need to make anything to have their lives made a mess by identity theft!

A great example is a story I read recently in Reader's Digest about child identity theft.

"Seventeen-year-old Randy Waldron, Jr., was shocked when he applied for his first credit card and was denied. He was even more shocked by the reason: He was delinquent in repaying thousands of dollars in debt.  Waldron's identity had been stolen by his estranged father, who left when Randy was a toddler. From 1982 to 1999, Randy Waldron, Sr., used his son's Social Security number to obtain credit from various merchants and lenders, then racked up tens of thousands of dollars in debts. He declared bankruptcy in his son's name, which resulted in default judgments against the younger Waldron. It has taken Randy Jr., now a 24-year-old flight attendant, years to untangle the mess."

This identity theft...criminal use of another's SSN and name...occurred for around 18 years without the victim's knowledge!  And then, the victim, who was not even making money during this criminal activity, was severely impacted for years.  And apparently this type of crime is not uncommon.

The fact is, there are no time constraints on using this type of information.  The fact is, most people are not going to change their names, SSNs or birthdates to make the data invalid.  The fact is, if nothing bad has happened within a few weeks, many, perhaps most, of the organizations that caused the mess...by poor data handling practices, lack of encryption, lack of controls, lack of awareness and training, lack of policies...are not going to step up and do what they should to protect the individuals, which at the least is to enroll them into credit monitoring services.

The fact is, once this much information has been stolen, chances are the culprits are not going to perform the crimes themselves...they possess very valuable information that they can sell...to 1000's and perhaps millions of other criminals throughout the world...to use at their own leisure.

This particular statement hit a nerve: 

"Criminals aren't going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That's a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals."

What?  Crime with personal information can occur in so many other ways than just taking out loans.  The names, SSNs and birthdates are valuable items...they can be exploited in many ways, and over a course of time by many, many criminals.  It's just not true that criminals only want information on the wealthiest individuals.  What data supports this?  If you know someone who has been a victim, or at least read the news on a daily basis, you know this.  The most frequently scammed and violated people are those that are not wealthy.  Very rarely do you read about the wealthy that have been victims.  According to various FTC studies and reports this is a widespread problem, and definitely not limited to only the wealthy.  The September 2003 Federal Trade Commission – Identity Theft Survey Report indicates that identity theft, and other criminal use of personal information, impacts people of all income levels.

When an incident occurs, organizations need to be pro-active, not reactive...not waiting until bad things happen to the individuals involved.

Of course, prevention is the best course of action.

  • Encrypt mobile data
  • Implement strong policies that are enforced
  • Provide training...awareness...more training...more awareness...more awareness...more awareness...almost all incidents involve people who did not know any better, but should have.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.