September issue shows penalties rarely imposed on those who are

negligent



    YONKERS, N.Y., Aug. 4 /EMWNews/ -- Americans trust

government officials to safeguard sensitive personal and financial data but

government is among the biggest sources of ID leaks, according to a

Consumer Reports investigation.



    The report "ID Leaks, A Surprising Source is Your Government at Work,"

in the September issue points out that penalties are also rarely imposed on

those who are negligent.



    CR analyzed records of publicly reported data breaches compiled by the

nonprofit Privacy Rights Clearinghouse and found that more than 230

security lapses by federal, state, and local government from 2005 through

mid-June 2008 resulted in the loss or exposure of at least 44 million

consumer records containing Social Security or driver's license numbers and

other personal data.



    That represents almost one out of five ID breaches of all types

reported during that period. But even those statistics probably don't

accurately portray the problem. CR reports that a 2006 investigation by the

House Oversight and Government Reform Committee found that 788 breaches had

occurred in the three and a half years between January 2003 and July 2006

at 17 federal departments and agencies. Few of these incidents were

publicly disclosed.



    A 2007 report from the Treasury Inspector General for Tax

Administration revealed 24 incidents in which IRS laptops containing

sensitive data for 480 taxpayers were lost or stolen because IRS employees

put them in checked baggage at an airport, left them in unlocked cars, or

lost them on trains or buses. Only one of the employees was disciplined.



    What's more, according to the House Oversight Committee's annual

security report card, the government as a whole got a C for 2007, up from a

D+ two years earlier. And several federal departments including the

Departments of the Treasury, Veterans Affairs, Agriculture, Interior, and

the Nuclear Regulatory Commission got failing grades.



    "Only a small portion of data breaches get publicized, and with

government data breaches, even fewer get identified because the government,

unlike business, doesn't have a financial incentive to do so," said Robert

Tiernan, managing editor, Consumer Reports. "It's very important that the

government view citizens as their customers and place more value on

sensitive information."



    The full report is available in the September issue of Consumer Reports

on sale August 5 on newsstands and online at http://www.ConsumerReports.org.



    The problem is not limited to lost laptops. Social Security numbers are

visible on 40 million Medicare cards, as well as military identification

cards and public court records throughout the country. The number of data

breaches that result in ID theft is unknown because most victims don't know

how their personal information was obtained. And it might be a year or two

before the stolen ID is used.



    One Man's Nightmare



    CR recounted how Joe Protain, a 36-year-old surgeon from Warren, Ohio,

received a far greater penalty that the $150 fine he paid for speeding. He

discovered last year that traffic-court records publicly posted on the

Franklin County Municipal Court Web site, including his address and Social

Security number, enabled a ring of identity thieves to rack up more than

$11,000 worth of charges in his name. He is still trying to recover from

the fallout.



    One of the suspects confessed the ring used the Franklin County

Municipal Court Web site to enter random Social Security numbers, changing

one digit at a time until hitting a match with a number belonging to one of

the thousands of people whose court records had been posted online since

2001. The records revealed the victim's name, address, age, and in some

cases, driver's license numbers. That allowed members of the theft ring to

obtain a copy of the victim's credit report and take over existing accounts

or open new ones, with bills and purchases sent to a new address.



    Data breaches, like Protain's, in which identity thieves deliberately

seek personal information for fraudulent purchases, pose the highest risk

of identity theft. But congressional investigators found that unauthorized

use of data by government employees and stolen laptops and computer storage

devices were the most common sources of federal data losses.



    Even the Federal Trade Commission, the agency that imposed fines on

businesses for egregious data breaches, disclosed in June 2006 a

computer-theft incident: Two of its laptops containing sensitive

information for 110 people, including financial-account numbers and Social

Security numbers, were stolen when two of the agency's attorneys left them

in a locked car.



    How to protect yourself



    When a brokerage-firm or retailer has a data leak, consumers can take

their business elsewhere, as almost one-third of breach victims do. But as

customers of the government, consumers don't have a choice about giving

personal data to federal, state, and local officials. Consider taking these

measures to guard against identity theft:



    -- Monitor bank and credit-card accounts regularly to spot any

questionable charges and report them immediately.



    -- Order a copy of your credit report from a different credit-reporting

agency every four months. Consumers are entitled to a free copy from each

of the three federal agencies. Go to http://www.annualcreditreport.com.



    -- Consider putting a freeze on your credit files unless you are

currently seeking a loan or a credit card. A credit freeze effectively

prevents identity thieves from opening new accounts in your name. For a

list of instructions by state and other information, visit

http://www.FinancialPrivacyNow.org, a site from Consumers Union.



    -- If you are involved in a case, contact the court clerk to find out

how you can redact personal information before it is put online.



    -- Don't carry your Social Security card in your wallet and shred

documents with personally identifying information, such as driver's license

and financial account numbers, before discarding them.



    SEPTEMBER 2008



    (C) Consumers Union 2008. The material above is intended for legitimate

news entities only; it may not be used for commercial or promotional

purposes. Consumer Reports(R) is published by Consumers Union, an expert,

independent nonprofit organization whose mission is to work for a fair,

just, and safe marketplace for all consumers and to empower consumers to

protect themselves. To achieve this mission, we test, inform, and protect.

To maintain our independence and impartiality, CU accepts no outside

advertising, no free test samples, and has no agenda other than the

interests of consumers. CU supports itself through the sale of our

information products and services, individual contributions, and a few

noncommercial grants.