When Data Theft Hits Home
Today I received the letter that I had been expecting for the last couple of weeks. It was from the Veterans Administration, which informed me that I was among the 26.5 million veterans and active duty military personnel whose data had been on a laptop computer stolen sometime earlier this spring. Despite the many reports of accidental or intentional loss of personal data, it was the first time that I had ever received official word that I was one of the victims. It was inevitable once the scale of this loss became known, as it covers just about everyone who has served or is serving in the last thirty years.
The letter is long on rhetoric and short on apologies or solutions. It tells me to check my credit history and watch out for fraudulent activity in my accounts. If I expected the VA to take any action on my behalf beyond sending me that letter, I was sadly mistaken.
While neither myself nor any of the other victims have experienced identity theft as a result of this loss, there are many lessons to be learned in this experience. First, though my military service is long since behind me, it seems that I still carry its baggage in the form of my electronic personnel records. There is no telling where else my personal data may be residing, waiting to become a part of yet another news story.
Second, as Sergey Brin, president and co-founder of Google, said recently (http://money.cnn.com/2006/06/06/technology/google_congress.reut/index.htm) during a trip to Washington DC, Internet users have expectations about privacy that are not in accordance with the direction the Net is going. The Veterans Administration theft was not an Internet problem, of course, but the principle is similar. We have expectations that our credit and accounts should not be misused, and are unpleasantly surprised when they are. The problem is as much with our perceptions as it is with others' systems.
Last, it seems foolish worry about the NSA having records of our land-line telephone calls when any GS-9 in the VA or other Federal agency can wreak more havoc by accident than the NSA possibly can by design. I know there are those who would disagree with that position, but it remains clear that our privacy and identities are most at risk through accidents or theft than through specific government or commercial activity.
I began to systematically monitor my credit history and look at account activity only last year. Because each of the three credit agencies provides a free credit report once a year, every four months I download a report from one of them in succession. I feel fortunate that the VA doesn't have my current address (they used IRS records to coordinate the mailing, which is also troubling, albeit in a different way), but they certainly have my full name, date of birth, and Social Security number.
Don't get me wrong – I'm furious that the Veterans Administration has failed to take responsibility for this theft, and is only warning me to watch out rather than taking action to protect me against its own blunder. I think that laws against data theft, intentional or accidental, should be strengthened to make sure the holder of that data is accountable, because it only requires commitment to properly protect such data.
But all of us have a responsibility here, too. We are the ultimate watchdogs of our financial and personal data. Playing dumb with our own data was never a good idea, and today can have drastic consequences.
Posted by Peter Varhol on 06/08/2006