Privacy violations point to need for care to protect

DAVID CANTON - For the London Free Press - April 2, 2005

There have been a number of recent high-profile incidents involving the violation of personal information.

Bank of America, ChoicePoint and T-Mobile, to name a few, have had to explain to customers how others were able to access personal information.

We -- meaning any person, business, organization or government that touches personal information in any way -- must do a better job of keeping information secure, allowing access only to those who need it and keeping only the bare minimum information necessary.

Individuals are as bad at this as government and business. Studies have shown that half of the used hard drives bought on eBay still contained personal and commercially sensitive information -- some of it blackmail material.

A recent survey in London, England, showed most people would unwittingly give away enough information to enable the questioner to commit fraud or identity theft. All in return for free theatre tickets.

In February, Bank of America lost backup tapes that included financial information of government employees. This loss affected about 1.2 million individuals.

ChoicePoint provides customer data services to business, government agencies and insurance companies. The personal data of more than 145,000 customers was recently accessed by hackers who passed themselves off as legitimate customers.

The hackers obtained customers' personal data, including names, addresses, social security numbers and credit reports. So far, 750 cases of identity theft have been directly attributed to this incident.

Another recent high-profile incident involved heiress Paris Hilton. Her information on her T-Mobile Sidekick device and service was hacked.

The hacker posted on the Internet phone numbers and e-mails of several of her famous friends -- along with photos that were not family album material.

In a separate incident, an online hacker gained access to T-Mobile's network late last year. The names and social security numbers of 400 customers were accessed. The hacker has been arrested.

Unless a story breaks in the news, one may not know if one's personal information has been accessed by someone who was not supposed to have it. Legislation requiring companies to notify individuals when their personal data has been compromised is rare.

The U.S. does not have any generally applicable privacy laws as we do in Canada, but such legislation is being considered.

Any entity that has personal information should take steps such as conducting security or privacy audits for every process that touches personal information, including how it is backed up and how it is disposed of.

Laws are not enough. We all must deal with the issue, whether it is by the manner in which we protect information in our control or by insisting on higher standards.