There’s a lot of information going around about data breaches and identity theft. Even your Guide has been known to draw a close parallel between the two. But what, exactly, is a data breach, and what is the relationship between data breaches and identity theft?
The literal definition of “breach” is to make a hole or opening, to break or violate. It is also the word for a hole or opening that shouldn’t be there, as a result of a breach. So a data breach would be a hole in the data. But the term is really used more to describe the loss of data, usually confidential data that is protected by law or that is required by Federal regulation to be protected.
The phrase “data breach” conjures images of hackers or spies for most of us, and these really are ways that personal information can be compromised, but they are not the only ways. As a matter of fact, some data breaches are complete accidents. For example, in July of 2006, St. Francis Health Services in Indianapolis had an accidental data breach. They had an outside source working on their computers. As part of the upgrade process, the contractor did a test to make sure the system would back up data to a CD. With the test complete, the contractor put the CD in her computer bag to give to her boss. But, as we all know, sometimes we forget things, no matter how important they are. In this case the contractor forgot about the CD, and later returned the bag to the store where she purchased it. Over a quarter of a million patients, employees, board members and doctors had personal information “somewhere”… for quite a while.
The Saint Francis breach was not malicious, and nobody was trying to sell the information to anyone for nefarious purposes. It was just an oversight. It could happen to anyone, and most of us can probably identify with the contractor. But it was still a breach, and Saint Francis had to notify everyone whose information may have been compromised that there was a risk of identity theft, even if it was a small risk.
That same year the Veterans Administration reported a data breach involving a stolen laptop. An employee was simply taking work home with him, nothing unusual there. But the laptop was stolen in a home robbery, and over 26,000,000 veterans, as well as their spouses and dependents, had their information compromised. The VA eventually recovered the laptop, and decided none of the information had been compromised, despite the fact that experts said there were ways to thwart detection.
However, some breaches are definitely intentional, and these are usually the ones that should be of more concern to us. For example, the biggest breach to date is probably Heartland Payment Systems, affecting 130,000,000 consumers. This was the result of a hacking attempt that was wildly successful – from the hacker’s point of view anyway. Heartland processes credit card payments for businesses, taking a small fee for each transaction. This meant they had financial information, which is pure gold to an identity thief. But their customers were other businesses, not the everyday consumer. So every business that uses Heartland to process payments had to scramble, because of the loss on the part of their vendor.
Of course there are laws that require companies to protect personal information when they collect it, laws such as FACTA, COPPA, or the Red Flags Rule. Experts that deal with helping companies comply with these laws know that well over half of all the businesses in America still have no idea that these laws even exist, or that these laws apply to their company. But even if a business is fully aware of laws and regulations, and makes the effort to comply with them, it’s easy to see that data breaches continue to happen at an alarming rate.
As for the relation to identity theft, if your information is lost in any data breach, experts say that you are six times more likely to become a victim of identity theft, because your information has been compromised. And unfortunately, there is no reset button… nobody gets to start over with a clean slate when it comes to their personal information.
This means that it is not only important to be careful about what information you give to businesses, but also that you should make sure that they know what their responsibilities are to protect it if you have to give it to them. And even if you make sure that all the bases are covered, it’s a good idea to have a backup plan, because data breaches happen every day.
And every year sets a new record for how many people lose their information because of a data breach.