Lost or Stolen Identities Make Waves

Recent incidents involving Bank of America and ChoicePoint have stirred legislative response and self-examination by industry participants.

In late February, Bank of America (Charlotte, N.C.; $1.11 trillion in assets) said it lost an undisclosed number of data-backup tapes while the tapes were being transferred. The tapes included Social Security numbers and charge card data for 1.2 million federal employees. According to Bank of America, specific hardware and software would be needed to read the data, and there's no evidence that data on the tapes has been accessed or misused. However, the bank wouldn't say if the data was encrypted.

This comes on the heels of the news that ChoicePoint (Alpharetta, Ga.), which maintains databases for identification and credential-verification services, may have revealed personal information about as many as 145,000 people in October when identity thieves used fake businesses to dupe the company into granting them access to consumer data. A similar scheme in 2002 allowed thieves to use data gathered from ChoicePoint databases to commit $1 million worth of fraud, the U.S. Attorney's Office in Los Angeles charged.

Rep. Bennie Thompson, D-Miss., and other democrats on the House Judiciary and Homeland Security Committees are pushing for investigations, including examinations of any homeland security risks raised by the ChoicePoint data lapses. Hearings are planned, and Sen. Dianne Feinstein, D-Calif., proposed a federal law similar to a California law that requires businesses to report data breaches.

When H&R Block (Kansas City, Mo.) CIO Marc West heard of Bank of America's troubles [Editor's note: For more on Bank of America's security efforts, see article, page 12.], he decided to check if the two companies had a relationship that might compromise any of H&R Block's 21 million customer records. There was none, but West wanted to be certain. "As good as we think we are, we need to make sure our business partners are equally good, because it's our customers' data that's at risk," he says.

H&R Block encrypts customer data before moving it to an off-site storage facility. "It's absolutely painful to do," West says, "but it's one way you know data's not going to get in someone else's hands." West says he's evaluating technologies to protect customer information, including Verdasys' (Waltham, Mass.) Digital Guardian platform, a desktop tool that monitors access to data and applications.

Gartner (Stamford, Conn.) analyst Avivah Litan believes companies push IT departments to deploy technologies too quickly for them to be properly evaluated for vulnerabilities, she relates. "CIOs have to be more aggressive in saying, 'I'm not going to do this project until I've had more time to consider security,'" Litan says. "There's too much information in these companies' hands - they're playing with people's lives, and they have to be more serious about that."

H&R Block's West says it is the CIO's job to make sure a company's information security efforts are coupled with an integrated risk management program. "It's very important that CIOs help drive the internal approach that security isn't just about technology," West says. "It really is about people, process and technology." -Courtesy of InformationWeek.