Wednesday, June 07, 2006

Physical security issues would exist even if there were no Internet

It is important to realize that the VA burglary (or similar losses of personal data from laptop computers, work diskettes or CDs, as in transport) could have happened even without an Internet. This is an issue of old-fashioned workplace security, especially in a world of high gas prices where telecommuting and working from home have been encouraged. Another issue is that when major financial implementations are tested, companies typically use copies of live production data for system parallels. To do QA testing without such copying of data would introduce enormous costs to many I.T. projects.

But there is a danger that someone who steals such data (indirectly, by stealing a "real world" laptop or data disks or CDs) would try to sell it on the Internet. That lure exists as long as credit grantors continue to give out easy credit without a system (such as a link to NCOA) to verify the real identity of an applicant for credit. In network broadcast interviews reporting on the VA issue, such as NBC Nightly News on June 7, 2006, military servicemembers have expressed additional concerns about their personal and family security. These observations, already made on major media outlets and broadcast channels, are important because they could lead to calls for regulation of the Internet that would increase the barrier to entry; newbies could be construed as indirectly adding to the security hazards (of, for example, military personnel).

In mid-June 2006 there was another major physical theft in Washington DC: a laptop was stolen from the home of an insurance agent for an international financial services company. The personal information of DC employees and retirees may be compromised. Now I worked in the insurance industry myself for years (in IT), and technology to allow agents to carry information to sell in the field (and upload and download as necessary) advanced rapidly in the 90s. Most of these issues involve the policyholder and contract information, not the Internet. Again, the practical consequences for ordinary citizens using financial services would be much less serious if credit grantors had and used regular verification systems before finalizing credit (as in the following entries).

The Internet does figure into some of the events. In June 2006 the Navy reported that the personal information of sailors and their families had been posted from spreadsheets on a civilian website. The Defense Department apparently does sweeps of the public Internet for classified information or for personal information about military personnel. The information was removed immediately when it was found, and the site was removed (Washington Post, June 24, 2006, p. A5). Websites that capture credit card information could add to the risk under current systems.

One of the flaws of the Child Online Protection Act (COPA) is that it would encourage small website owners to process credit card information, and this could also pose security issues for the credit card holders.
