Monday, September 5, 2011

Who owns your data?

I just finished reading a fascinating book titled KINGPIN by Kevin Poulsen, who is a senior editor at  This non-fiction book explains how the underground market in stolen credit card numbers functions, and how one audacious hacker managed to seize control of the market for a time.

As I was reading, I reached a section describing the 2005 hack of the retail stores T.J. Maxx, Marshalls and HomeGoods that resulted in a loss of 45 million credit card numbers.  Poulsen brought up the interesting point that in the past, companies and federal law enforcement didn't tell consumers about large security breaches, which shielded companies from bad publicity and loss of customers.  But in 2003, the state of California passed a law (SB1386) which required companies to disclose these hacks.  Since then, 45 states have instituted similar laws.

This caused me to think about the nature of our data--our banking data, our health data, our insurance data and so on.  Who owns the data? Who is responsible for protecting it? I do not have a complete answer, or an easy one, because so much data is shared.

For instance, in electronic banking, you have your account number, your login or member ID, and your password.  Your bank has the same.  Both you and the bank have access to details of your accounts.  And some information, like the bank's routing number or their loan rates, is public. 

In some situations, a bank or other company may tell you they will only make available records going back one year, and you are responsible for keeping earlier statements.  If your taxes are audited, I don't think one year of records will be sufficient.  So should you keep paper copies and store them? Or keep electronic copies on your computer? And then if you do, should you back up those electronic copies onto a portable hard drive?

What if lightning fries your hard drive? What if your computer is hacked? What if your house, with all your paper files inside, burns down? When you consider the awful possibilities, there is a temptation to simply leave it all in the hands of your bank, or insurance company, or health provider.  Because surely their security is better, right?

Not necessarily.  The underground market in stolen credit cards didn't operate just by stealing data from individuals; it worked by stealing from restaurants, chain stores, mid-level banks, and massive credit card corporations.  The thieves covered the entire spectrum of the business world, and individuals appeared to be the least of their targets.

My advice is to do your best to protect your end of the data stream.  Use a free online password generator to create strong passwords.  Shred bank or investment or health data before you put it in the trash.  Be cautious about revealing birth dates and other useful data on social networking sites like Facebook.  Keep your computer's operating system up to date, and learn the basics of using your anti-virus software and firewall.  Secure your home network and don't throw an open signal out there.  Make backups of important documents.

Don't succumb to paranoia, but do be aware.  And realize that even with your efforts, a lot of your data's security is in the hands of your bank or doctor or insurance agent.  Unfortunately, for criminals stealing data, it may feel like a victimless crime because there is no physical theft or violent confrontation.  But for the individual who loses their identity, their credit rating, their hard-earned money and their sense of security, these crimes are very personal.

(The picture above is of a server farm, where data is stored.  The pic is from  I don't know what uncommonthought is, but the picture is very stark and kind of disturbing.  It made me think of vast, cold rooms of machines processing gigantic amounts of data.)
