US losing battle against identity theft

A US pressure group has identified systemic computer security problems

There have been at least 104 serious "data incidents" in the US since 1 January which represent just the "tip of an iceberg" in serious systemic computer security problems.

The incidents potentially affect more than 56.2 million individuals, according to the US-based non-profit Identity Theft Resource Center (ITRC).

Congressional committees are waging a turf war over a security breach notification law, while companies, governmental agencies and educational facilities are "mishandling information on a daily basis and putting all of us at risk of identity theft".

"We have been given a loud wake-up call. Is anyone planning to pay attention to the true problem, or will companies be allowed to continue to disregard the importance of your future and your financial identity?" warned the ITRC.

"How many breaches don't make the front page or are even reported to consumers because a company has deemed the breach not to 'cause significant risk of harm' to the individual or has buried it to avoid additional problems?

"We will never know. What we do know is that security breaches are not new - they have been occurring for years. What is different is that now you are hearing about them."

However, the pressure group admitted that any notification law is only a bandage to cover the more significant problem of personal information leakage, a subject that the ITRC believes industry would rather Congress did not address.

The ITRC noted that security breaches fall into a number of easily recognisable categories, including lost or stolen computers, unprotected backup tapes lost in transit, hackers breaking into systems and virus attacks.

The pressure group also identified additional risks including employees stealing information or allowing access to confidential information, poor internal corporate security policies and improper disposal of sensitive information.

While it may be impossible to stop some hackers, most of these breaches could have been avoided by following safe information handling practices, the ITRC claimed.

"Something has to change or we might as well give up the battle against identity theft and protecting the privacy of our information," the group warned.

"Congress needs to take action, not at the expense of consumers but in creating laws and assisting companies to better control their information.

"Under pending [US] legislation, the only time you will hear of a breach is when a company believes there is significant harm that may occur.

"Responsible corporate lawyers, fraud investigators, computer security specialists and members of law enforcement will tell you that no-one can predict the future or say how a thief might use illegally obtained information."