PPI Risks on the Rise – Should the Feds Intervene?

Recently, the Identity Theft Resource Center (ITRC) reported that more than 35 million data records were breached in the United States in 2008, covering 656 breaches at well-known US firms and government agencies that lost documents and data that were neither encrypted nor password-protected. That’s a 47-percent increase from 2007; the ITRC report underscores both the increasing risk and the difficulty of managing personal private information (PPI).

Further, earlier this year, IBM reported that many corporations aren’t taking reasonable precautions to protect their consumer visitors from becoming victims of malware attacks. Poorly secured websites are an increasing concern to IBM’s customers and second-tier providers. Compounding this, yesterday researchers found a massive botnet of 1.9 million infected computers belonging to consumer and government entities in Ukraine.

Truly, consumer PPI is at increasing levels of risk, yet – as a society – we’ve been very slow to take the threat of data compromise in a digital economy seriously. The federal government has historically been slow to respond, forcing states to take up their own legislation on PPI breaches: approximately 31 states have data breach notification laws, those requirements vary by state, and there isn’t a comprehensive dialog on government-mandated security precautions for the private sector. HIPAA, for example, classifies protected health information and dictates required security precautions under threat of civil and criminal penalty – but aside from education records, the PPI of the federally employed, consumer financial records, and the PPI of children under the age of 13, there are no other mandated forms of electronic security protection for PPI. That “due care” obligation is left to the expertise and foresight of the business owner, which is often, sadly, incomplete.

The risk is great. All it takes is a mom-and-pop store swiping a credit card through an insecure PC or wireless network, and the consumer’s PPI is at risk for potentially years – as long as that hard drive is online. My question is: given the dependency we have on e-commerce, should the federal government create a required guideline (like HIPAA’s Security Rule) that mandates base-level security precautions for all businesses and their use of consumer PPI? What do you think – a practical approach to an increasing problem, or just another big-government, unfunded mandate? Go ahead and reply to the blog – I’d love to hear your comments.

In the meantime, while you’re pondering that, a bit of advice. If you have a network server in your office running Microsoft Windows, take a few minutes to download Microsoft’s Baseline Security Analyzer (MBSA) and run it against the machine. This is a handy utility that inspects your system for known vulnerabilities and missing security updates and recommends courses of action to secure the server. The MBSA tool can also be run against Windows XP and Windows Vista to identify similar vulnerabilities. Also, if you own a PC that doesn’t have access to professional management, read my tips on troubleshooting PC performance for suspected malware. Both of these steps are practical ideas you can act on now to limit your risk of PPI theft.

R