The Federal Trade Commission (FTC) on Thursday became the latest agency to acknowledge that personal data had been placed at risk due to a lost laptop computer, part of a trend that underscores the wide range of threats facing consumers’ personal information.
The FTC said it would provide free credit monitoring for 110 people whose names, addresses, Social Security numbers and possibly financial account numbers were stored on a laptop taken from the locked car of an FTC attorney.
Ironically, many of those impacted were involved in investigations of identity theft cases, the FTC said, including suspects in earlier instances of ID theft.
The FTC’s admission came on the heels of the theft of a Veterans Administration employee’s laptop, which put the personal information of some 26.5 million veterans at risk. The VA has since enrolled veterans in credit-monitoring services to protect them against ID theft.
Private enterprises have also been hit with similar laptop theft problems in recent weeks. Hotels.com said a laptop containing customer data was taken in February after an Ernst & Young employee left it inside a locked vehicle.
More recently, the consumer credit-tracking firm Equifax also acknowledged that a laptop containing employee names and Social Security numbers had been stolen, though the company emphasized that consumer data was not at risk. Also, ING disclosed the theft of a laptop that may have contained information on some 13,000 people employed by the District of Columbia.
New Type of Threat
The rash of laptop-related incidents is a reminder of the inherent difficulty of protecting data. Many organizations have become much better at protecting data when it is at rest on corporate networks with strong firewalls and other measures that prevent active hacking, but those protections break down if data is removed from the network.
In the case of the VA incident, the employee who had taken home a laptop loaded with personal files apparently violated agency policy. The other cases highlight the risk of allowing even trusted employees to carry data outside a secure network.
In most cases, laptops are stolen not for whatever data they may contain, but for their intrinsic value, as thieves can often resell them quickly. However, there is the worrisome possibility that more organized efforts to cull data — which in the “right” hands can be far more valuable than the machines themselves — will surface.
According to the Privacy Rights Clearinghouse (PRC), 88 million consumer records have been compromised in various types of database breaches and leaks since early 2005. The incidents run the gamut from database hacks to lost backup tapes and inadvertent printouts of consumer information.
The fact that data is getting out in more and different ways accentuates the need for additional protections for consumers, said PRC Executive Director Beth Givens. The PRC has called for a national law requiring that anyone affected by a database breach be notified directly. Currently, several states have such notification laws on the books.
“The problem with technology and with the human element is there is always a problem in the system,” Givens said. “There needs to be additional safeguards so that these thefts and breaches don’t become widespread ID theft and consumer fraud.”
There is growing concern that the rising tide of ID theft could eventually put a damper on e-commerce as well, as people become increasingly reluctant to expose their personal and financial information.
Opportunities for Tech Firms
The trend could drive technology adoption in new areas. For instance, firms such as Vontu — which enables enterprises to set parameters for data use, alerting a network administrator when a sensitive file is attached to an e-mail or moved onto an unsecured computer — may start attracting more interest.
“The fact of stolen laptops just underscores that data is going to find ways to get out,” Todd Davis, the CEO of LifeLock, told the E-Commerce Times.
LifeLock offers an active ID protection service; it seeks out unusual activity that credit-monitoring only catches after-the-fact, according to Davis. “If it’s not a laptop being stolen, it’s someone e-mailing an employee pay list by mistake — or someone misplaces files that were supposed to be sent to the shredder or to storage.”
Other firms, such as Absolute Software, offer programs that enable laptop owners to remotely erase their data if their laptops are stolen or misplaced.