Keep data secure


Opinion: December 13, 2011 at 12:00a.m.

By James Cole

McClatchy-Tribune

As consumers, we transmit valuable personal information to the companies with which we do business. In doing so, we trust that information will remain secure. Over the past year, however, we have learned of a number of instances in which vast quantities of personal data have been compromised. Last spring, for instance, breaches at Sony Corp. affected more than 100 million customers, putting their credit card numbers, email addresses and passwords at risk. Another recent breach exposed email addresses of customers of companies such as Best Buy, Citibank, Disney, JPMorgan Chase, the Home Shopping Network, Hilton, Marriott and the College Board.

Although we often think of credit card numbers as being among the most sensitive personal information, disclosure of email addresses and passwords can in some cases allow identity thieves to do us more harm. Because many people use the same passwords for different accounts — an inadvisable but common practice — knowledge of an email address and password for one account may give an identity thief access to other accounts, to social network profiles, or even to the contents of email accounts. With one breach, identity thieves may gain access to nearly all sensitive information that a person stores electronically.

Strengthen passwords

When companies disclose breaches of personal data, as Sony did, consumers can take steps to reduce the damage caused by the breach. They can strengthen passwords, change credit card numbers, put fraud alerts on their credit reports, and keep a close watch on their bank accounts. A 2006 study commissioned by the Federal Trade Commission found that the earlier consumers discovered the identity theft, the less time it took to resolve the crime, and the less money thieves were able to steal. Early notification can mean the difference between a few hours of effort or months of stress and worry for identity theft victims.

Prompt notification also enables law enforcement officials to more swiftly and effectively investigate and prosecute the perpetrators of the identity theft. Last year, law enforcement officials successfully prosecuted an individual who stole more than 90 million credit and debit card numbers by hacking the payment systems of several U.S. retailers. He was sentenced to 20 years in prison — the lengthiest sentence imposed in the United States for identity theft. Such successful prosecutions not only provide justice to victims, but also may deter would-be identity thieves from stealing personal data in the future.

Identity theft

Forty-seven states have laws that require companies to notify consumers in the event of a breach of their personal information. These laws have helped consumers mitigate the risks of identity theft and have created incentives for companies to improve their cybersecurity. But this patchwork of state laws is not enough. Not all states require data breach notification.

In May, the administration proposed a broad-ranging cybersecurity bill that would address this problem by imposing a single notification standard for companies nationwide.

We need Congress to act promptly. ... When breaches occur that put personal information at risk, notification helps protect consumers and punish identity thieves who undermine society’s trust in cyberspace and put our economic prosperity at risk.

James Cole is U.S. deputy attorney general. Distributed by McClatchy-Tribune Information Services.

Copyright 2011 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

By using this site, you agree to our privacy policy and terms of use.

» Accept
» Learn More