Who’s Accountable For Allowing Identity Theft?

Ryan Jones on August 25th, 2008

Paul Venezia has written a nice article that talks about holding corporations accountable for identity theft. Basically, if somebody steals my data from TJ Maxx, then TJ Maxx should be held responsible for it.

Having had my credit card number stolen from a company before, I think he’s on to something here. There’s simply no recourse for me against a company who puts my identity out there for somebody to take. In my case, I joined a class action suit against the company and was mailed a check for $2. That’s what my identity was worth to this company - 2 measly dollars.

Almost every day we hear about laptops being stolen that contained thousands of Social Security or credit card numbers. Oftentimes we learn that all of this data was sitting in Excel spreadsheets somewhere on the computer.

There’s no valid reason that my Social Security number should be in an Excel spreadsheet anywhere.

It’s bad enough that way too many companies require this number for non-Social Security-related purposes, but I shouldn’t have to even entertain the idea of my data sitting on somebody’s laptop in a coffee shop.

Paul’s proposed law calls for penalties for companies who don’t follow acceptable security practices, but I don’t think that’s enough. It may be time to examine some of our laws and add a clause about how we can store sensitive data.

There’s simply no reason that any of this information should be on a laptop, cell phone, memory stick, iPod, portable hard drive, or voice-activated electronic diary. It should all be encrypted and password protected on a server that requires an authenticated user to access. It shouldn’t take a law to accomplish this; we should all be doing it already.

Having said that, now is a good time to look at your own business and how you store data. Are you storing data that you don’t really need? A good example is companies that store credit card information for one-time sales. Having previously coded several e-commerce websites, I always made sure that we had no record of a credit card number on our server after we were done processing it.

What about Social Security numbers or driver’s licenses? Are you storing them in a database in plain text format? What kind of information is on your employees’ laptops? Is it essential that they be able to take that information home with them? If so, how is it protected?

Asking yourself these simple questions can prevent you from suffering PR nightmares like TJ Maxx and Best Western are currently going through.

One Response to “Who’s Accountable For Allowing Identity Theft?”

  1. Benjamin Wright Says:

    Ryan: Best Western is a good case study. Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. –Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
