1- Script
and Recording
September 2006
Data protection, Hot data
June 23rd, 2005
Adapted from The Economist
IN THE information economy, data replace oil and steel as the central input, so information becomes a target for criminals. The theft of data, often involving personal information about customers and employees, is increasing dangerously fast. After data on 40m credit-card accounts were stolen from the computers of a data-processing firm based in Atlanta, Georgia, business leaders and politicians everywhere are taking notice.
Data theft accounted for over $50 billion in losses last year in America alone, according to the Federal Trade Commission. Lax information-security practices have left vulnerable the personal financial details, health records and Social Security numbers of around 50m Americans. Companies fail to install the latest security software or handle data recklessly. Earlier this month Citigroup, the world's biggest financial firm, had to admit that it had lost information on 3.9m current and former customers when some unencrypted computer tapes went astray while being handled by United Parcel Service, the firm that was shipping the data. The story left some worrying questions unanswered. Why were the tapes unencrypted? And why was such sensitive information being sent via UPS, without proper safeguards?
And it is not just financial-service firms which are at risk. With the web of interlocking business relationships that is the norm among modern firms, a fault at a big data-processing firm that never actually interacts with customers can damage the reputation of all sorts of companies who draw from and feed into this supplier. The companies who deal with customers are ones whose principal asset is brand- and customer-loyalty, so they are the ones that have most at stake.
One reason why firms don’t care is that data security seems like a costly and boring chore. There are no obvious rewards for being careful, nor penalties for being careless. But the rash of embarrassing cases has sharpened public awareness of the issue. And lawmakers need to keep the public informed about who is misusing their personal details.
Europe has avoided these spectacular data breaches because it adopted a set of rules from which America could benefit. The European Union's 1995 data-protection directive requires firms to assess their data-protection practices and to document how they handle sensitive information. But the biggest weakness of the European directive is that it does not require firms to report privacy breaches.
That leads to the second remedy. In America, many of the recent disclosures have been made only because California passed a law requiring firms to notify the people who have been affected by a breach of privacy. Scores of other states are thinking of introducing similar laws. At the national level, America's Congress is considering about 20 bills related to identity theft.
(444 words)
End of Recording
2- Opinion Question
After listening to the tape explain why stricter data-processing procedures are such a serious concern for companies and lawmakers. You should use both information discussed in class on the issue and specific examples to argue your point.
(Length†: 350 Words.)
•†This September exam was very close to last year’s September exam in contents. Papers nonetheless repeated the same age-old mistakes. What went wrong is basically the same, papers left out essential information from the tape. Students will get nowhere if they do not make sure they show they understood the tape first.
Marking was first determined by how much basic information from the tape found its way into the essay. We checked that the following information was mentioned:
- data security and major security breaches in financial–service companies.
- the colossal violation of 40 million credit-card accounts from an Atlanta-based company, a data-processing company.
- theft amounts to $50 billion in losses in the US per year.
- the intervention of the Federal Trade Commission (or FTC) which is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act. Its principal mission is the promotion of consumer protection and the elimination and prevention of anticompetitive business practices.
- 50m Americans are said to have vulnerable personal data.
- Citigroup admitted to mismanaging information on 3.9m customers and to overlooking the encrypting of computer tapes which were then negligently supervised by United Parcels Service.
- “interlocking activities”: data protection is outsourced to a third party company. Company A trusts Company B with the processing and storing of sensitive data. The tape describes the snowballing effect any breach of privacy has on interconnected companies. Brand names built on customer trust & loyalty suffer when the truth comes out.
- possible prevention: European Union's 1995 data-protection directive. However, privacy breaches go unreported, and it is impossible to assess damages.
- the fallout: federal and local measures have been initiated to fight identity theft.
It might have been useful here to notice the Economist offers a British perspective on an American phenomenon. The article is descriptive as it informs a British/European readership on the dangers of the commercial use of personal data. The question implicitly stated is how one defines commercial goods. Should personal data and other invisible goods be made an object of trade? The comparison with Europe was meant to pit the US free-market choice against a regulated European market. But, failings are clearly spelt out on both sides.
•†The other essential component is the way the line of arguments is presented. Grading was also based on
-the use of varied linguistic structures: think of using the Structural sheet included in brochures and on this website. For example: “Citygroup is charged with being negligent, and consumers went up in arms when they learned how UPS had handled sensitive data. No matter why this happened, such a breach of privacy is unacceptable.”
-the way ideas were explained without being repeated.
•†Last, we always insist on students’ using some examples from class. Here are a few we found in papers. They were rewarded accordingly:
in March 2006, “ChoicePoint informed customers that computer files containing their names, addresses, Social Security numbers, driving and credit records, real estate sales data, mortgage borrowing levels, political affiliation or other matters of public record had been inadvertently sold to hackers posing as legitimate business customers”.
“Other companies involved in such large-scale disasters are LexisNexis and Bank of America”.
“Congressmen introduced bills in Congress that call for the banning of the sale of Social Security numbers, and increased regulation of data companies” .
3- For Further Reading:
Papers singularly lacked information on the FTC. This topic is usually covered by AN 221 American economy course. Students were expected to know its mandate is to protect consumers against unfair competition, deceptive or fraudulent practices. It enforces federal law related to consumer affairs and rules promulgated by the FTC. Telemarketing fraud, privacy and identity protection are some of its areas of concern.
For further information on the FTC, see
http://www.ftc.gov/bcp/conline/pubs/general/guidetoftc.htm
For further information about the FTC Division of Privacy and Identity Protection
http://www.ftc.gov/bcp/conline/pubs/general/guidetoftc.htm
[†…]†The Division also operates the Identity Theft Data Clearinghouse, which houses the federal government’s centralized repository for consumer identity theft complaints. The Division analyzes identity theft trends, promotes the development and efficacy of identity fraud prevention strategies in the financial services industry, and identifies targets for referral to criminal law enforcement. The FTC operates a call center for ID theft victims where counselors tell consumers how to protect themselves from identity theft and what to do if their identity has been stolen (1-877-IDTHEFT [1-877-438-4338]; TDD: 1-866-653-4261; or www.consumer.gov/idtheft).
For the latest on data protection, see
http://www.ftc.gov/opa/2006/09/idtheft.htm
[For Immediate Release: September 19, 2006
Identity Theft Task Force Announces Interim Recommendations
Recommendations Come in Advance of Final Report Set for November
WASHINGTON – The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.
The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.
“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”
“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”
The Identity Theft Task Force’s interim recommendations to the Administration include the following:
Data Breach Guidance to Agencies: In light of several, large data breaches suffered in recent months by government agencies, the Task Force recommends that the Office of Management and Budget (OMB) issue to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.
Development of Universal Police Report for Identity Theft Victims: To ensure that identity theft victims have easy access to police reports documenting the misuse of their personal information – which are necessary in order for the victims to, for example, request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file – the Task Force recommends the development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The use of universal police reports will also ensure that identity theft complaints will flow into the FTC's ID Theft Data Clearinghouse, and thereby will assist law enforcement officers in responding to such complaints.
Extending Restitution for Victims of Identity Theft: To allow identity theft victims to recover for the value of the time that they spend attempting to make themselves whole – for example, the hours spent disputing fraudulent accounts with creditors that may be compromised or spent correcting credit reports – the Task Force recommends that Congress amend the criminal restitution statutes, 18 U.S.C. 3663(b) and 3663A(b), to require that defendants pay identity theft victims for the value of their lost time.
Reducing Access of Identity Thieves to Social Security Numbers: In order to limit the unnecessary use in the public sector of Social Security Numbers (SSNs) – which are the most valuable pieces of consumer information for identity thieves – the Task Force recommends the following:
- The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable.
- OPM should develop and issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of an employee's SSN in employee records, including the appropriate way to restrict, conceal and/or mask SSNs in employee records and human resource management information systems.
- OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.
Developing Alternative Methods of “Authenticating” Identities: Developing reliable methods of authenticating the identities of individuals, such as “biometrics,” would make it more difficult for identity thieves to misuse existing accounts or open new accounts using other individuals’ information. The Task Force recommends that agencies gather together academics, industry experts and entrepreneurs who are exploring ways to encourage greater development and use of authentication systems, and hold a workshop or workshops focused on developing and promoting improved means of authenticating the identities of individuals.
Improving Data Security in the Government: To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the interagency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.
Improving Agencies’ Ability to Respond to Data Breaches in the Government: In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data.
Anyone wishing to ask a question about identity theft or to report identity theft may call 1-877-ID-THEFT, or visit the FTC’s Web site, http://www.ftc.gov/idtheft, or the Department of Justice’s Web site, http://www.usdoj.gov/criminal/fraud/idtheft.html.
(http://www.ftc.gov/opa/2006/09/idtheft.htm)
Download
To listen to these files I suggest you download them, ie. save them
to your hard disk first, before listening to them. Choose a location
on your hard disk that you will remember easily. After you have
successfully downloaded them, choose the audio player (Real Player,
Media Player, Winamp) you wish to use to listen to the audio file.
Once you have chosen your player, open the audio file and listen
away.
Data protection, Hot data
Streaming
If you have a high speed connection, listen to these audio files
while you are connected to the Internet. If you do not have a default
audio player, after clicking on the link, choose a player (Real
PLayer, Media Player, Winamp) and listen away.
Data protection, Hot data
created by: Geneviève Cohen-Cheminet
|