Private vs. Public Sector Responses to Data Security Breaches

Daniel Solove
Founder of TeachPrivacy

Data Breach

I just blogged about the massive data security breach by the Veterans Administration, affecting 26.5 million veterans. Bob Sullivan has a terrific post comparing the government’s response to its data security breach to that of the businesses that have had such breaches in the past:

It’s become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.

So far, the vets haven’t been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.

That’s insufficient. . . .

Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that’s a tepid step at best to spy signs of identity theft after a data leak like this.

The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It’s hardly a perfect solution and doesn’t catch every instance of ID theft, but it’s a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexis, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.

The VA should do the same. Anything less is neglectful.

Bob Sullivan is exactly right. More at Sullivan’s excellent post.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
