CAREFULLY GUARD YOUR social
security number, the experts say. Don’t enter it in Web pages, don’t give it
out to companies, and watch your bank statements like a hawk. It’s all good
advice. But for hundreds of thousands of victims who had their personal
financial data stolen recently, it wouldn’t have helped. Even people who did
everything by the book have seen their data exposed. Now it’s just a waiting
game. Wait and see if their bank accounts are drained, if car loans are taken
out in their names, if their homes are mortgaged and equity stolen right from
under their roofs.
About 750,000 people had their identities copied
last year and suffered the consequences, said Rob Douglas, CEO of American
Privacy Consultants Inc. The
massive California case and other high-profile incidents suggest that
number could be much higher in 2002. The crime is so easy and risk-free that
even drug dealers are turning to ID theft as a safer way to make money,
Douglas said.
What can a concerned potential victim do? The
truth is, not much.
“The problem is a little bit in the intractable
category,” said Larry Ponemon, CEO of the Privacy Council. “For the most
part, we rely on the good intentions of companies (that have customers’
personal data). But the empirical evidence says you cannot rely on that any
more. Bad things will happen. ... Sooner or later it’s going to happen. I don’t
know if there’s really much we can do.”
NOT ONLY FORD CUSTOMERS
The recent spate of high-profile data thefts
suggests just that. In Ford’s
case, there was no way potential victims could have protected themselves
— they didn’t even have to be Ford customers.
Thieves were able to impersonate the company and
order thousands of credit checks through Experian, one of the big three
credit reporting companies. Experian thought Ford was requesting the data,
and forked over 13,000 reports between April 2001 and February of this year
before someone noticed the suspicious activity. Most victims weren’t
customers of Ford Credit; the identity thieves simply used Ford’s name to get
credit reports on victims living in affluent neighborhoods, according to the
Detroit News, which first reported the theft. Ford sent letters to all the
victims starting last month.
There have already been victims
connected to the Ford data leak. The CUNA Mutual Group sent a memo to its
member credit unions on Wednesday warning about financial fraud connected to
the incident.
“At least one credit union has suffered losses
from member account identity takeover because the member’s credit report was
one of the stolen credit reports,” the memo said.
265,000 EMPLOYEES WARNED
California state employees victimized recently
couldn’t have done much, either. Corporations and government agencies push
hard to convince employees to receive their paychecks through direct deposit.
It’s cheaper for banks and companies, and often more convenient for
employees. But that convenience meant all that personal financial information
was kept in one place, and now, it’s likely in the hands of financial
thieves.
“My only consolation regarding the whole payroll
screwup is that it affects everyone from the board members on down,” wrote
one victim to MSNBC.com. “For 20 years I’ve never had a single late payment
on anything but now my credit history could be toast due to some lowly paid
state worker.”
Both the Ford incident and the California problem
stem from a computer mishap.
CORPORATE COVER-UP
Bank One’s leak was much more old-fashioned, but
equally difficult for consumers to stop. In that incident, a 21-year-old
former female employee of the firm’s Pewaukee, Wis., office sold hundreds of
financial records to an identity theft ring. Tom Kelly, a Bank One
spokesperson, said the firm only found 250 stolen records during an investigation.
But WISN 12 News, which first reported the incident, suggested thousands more
records were sold.
The incident also highlights
what privacy experts say is the biggest problem surrounding identity theft
incidents — corporate secrecy. Bank One never told its customers about the problem.
Disclosure only came eight months after the theft — when a victim received a
call from the Secret Service, discovered someone had purchased a Jaguar in
his name, and contacted WISN.
“We were a little tardy in telling customers,”
Kelly admits. “We should have told them sooner.”
In fact, it’s common that consumer victims aren’t
told about a break-in, as companies try to avoid the potential embarrassment
and cross their fingers that no crimes will actually be committed with the
stolen data. Bank One played that kind of Russian roulette with its customer
data and lost. But Bank One is hardly alone.
“Most of these still go unreported and are swept
under the carpet,” Ponemon said. “God forbid, you lose confidence in your
bank or insurance company.”
HEALTH CARE DATA SOLD
Ponemon said he is currently engaged in a
difficult conversation with a client, trying to convince it to come clean
about a data leak. The client is a small insurance company that gave
customer information to “an organization developing a marketing database to
people who have certain illnesses,” Ponemon said. An employee who didn’t
understand the insurance firm’s privacy policies gave away thousands of
records, he said. So far, the company is following legal advice not to
disclose the leak.
“They think we’ll open up a Pandora’s box to
litigation,” Ponemon said. He’s still trying to convince the firm to come
clean. “Those conversations are very difficult.”
PARTIAL DISCLOSURE NOT ENOUGH
And sometimes, even the disclosures victims do
receive are hardly complete. Douglas, from American Privacy Consultants,
thinks California’s warning to state employees was too vague.
A letter sent to employees says someone may have
accessed a data center containing payroll information, but adds that “there
is no indication the information contained in the database was targeted or
will be used for any unlawful purposes.”
That leaves employees wondering what really
happened, what was really taken, and what to do. Should they close all their
bank accounts, or just sit and wait for the bad news? What are the odds that
a theft will occur?
“I think the California government has a
responsibility to be more forthcoming about what happened, what have they
determined from the logs ... so employees can make an educated decision on
what to do,” Douglas said. “Just making public statements released late on a
Friday afternoon doesn’t cut it.”
State officials say the data
breach occurred on April 5, and was discovered during security checks on May
7. Computer logs and intrusion detection software can often indicate what
files were taken from a computer and how long an intruder had access, but
state officials and investigators haven’t revealed how much they know about
the intruder in the case.
One state employee who contacted MSNBC.com said
she was frustrated by the advice she’d heard so far from state officials. She
still hadn’t received official notice, but was told she’d receive a letter
with the paycheck on Thursday.
“Personally, the time lapse and lack of
notification is very disturbing,” she wrote. “I’ve been following the
recommendations, but until there’s something tangible, it seems pointless.
Our bank put an alert on our account, they suggested we close the account and
open a new one. Groan.”
LEGAL RECOURSE?
Douglas said the state should go even further than
full disclosure — it should fix the problem it created with sloppy security
practices. He said he “yelled out loud” when he read that employees are being
left to fend for themselves, told to order credit reports at their own
expense.
“Doesn’t the state have some obligation to do
something for these people?” he said. “Their data is compromised ... and then
they tell employees ‘Here’s all the things you should do to protect
yourself.’ Why don’t they contact the credit agencies themselves? The state
isn’t doing diddlysquat other than to go protect themselves.”
Helpless consumers can only hope that ultimately
companies and state agencies face some legal obligations when a data breach
occurs, said privacy consultant Richard Smith, who operates
ComputerBytesMan.com. Mistakes do happen, but in the world of computer
security “very small mistakes can have really bad results,” he said.
“This gets back to getting a liability system in
place,” Smith said. “Now the state of California has some bad press. But if
it actually turns into identity theft, shouldn’t the state have liability?”
Customers who find their credit reports marred by
car loans or other illegal financial activity should have recourse against
companies that failed to disclose a data breach, he said. “Like Bank One. The
fact that they knew and didn’t tell customers, that’s inexcusable. There
ought to be the threat of liability hanging over it.”