A theft of private data that touched the entire adult population of the USA received a lot of publicity at the end of February. ChoicePoint, a company based in Georgia, USA, allowed a leak of confidential data on 145,000 US residents in all 50 states of the country. In this way, the hackers obtained names, addresses, social insurance numbers, driver's license numbers, credit card usage information, and other public information collected by ChoicePoint from open sources. The damage could have been a lot worse, since the company had access to 19 million entries and, according to reports, kept data on every adult resident of the country.
The incident was made public at the end of February, although the leak occurred in October of 2004. Company representatives alerted the Los Angeles police, because they believe that the leak occurred there. In November of 2004, California officials asked ChoicePoint not to make the affair public, because doing so could hurt the investigation. It is still unknown how the criminals gained access to the confidential data.
ChoicePoint collects personal data about US residents to control the quality of their financial transactions, such as operations with credit cards. Representatives of the Electronic Privacy Information Center (EPIC), which speaks for the protection of private electronic information, have already accused ChoicePoint of spying on potentially innocent people and of improper use of the acquired information. For example, in December of 2004, the company's lawyers appealed to the United States Federal Trade Commission and asked it to investigate the company's activity.
Despite the scale of the incident, US public organizations are disturbed for another reason: if the stolen data had not included entries about California citizens, ChoicePoint would have been allowed not to notify the owners at all that their data was stolen. In other words, no one would even have known about the theft. California's exceptional role comes from a law that obligates any company doing business in the state to notify the owners of private information when somebody gains unauthorized access to it. This law was passed in July of 2003.
The latest incident acted as a catalyst, forcing EPIC and the Center for Democracy and Technology (CDT) to begin a campaign lobbying for a federal law that would in some way regulate how businesses store private information and how they act when it leaks. The defenders of private data are demanding that companies at least notify their clients of such incidents. The proposal for a hearing in Congress on the bill, entitled “Notifications of Risk to Personal Data Act”, was sent on January 24th, 2005, by a California senator, Dianne Feinstein. If this bill is passed, all organizations, both commercial and governmental, will be obligated to inform their clients about leaks of their confidential information as soon as there is enough evidence to suspect a leak.
So far, there are no known prospects for the “Notifications of Risk to Personal Data Act” in 2005. The bill's author stresses that passing the bill in Congress is a long and complicated process, but the theft of 100 thousand people's personal data may speed it up. Meanwhile, no one has any doubt that leaks of confidential information will happen in the future as well, so the problem needs a lot of attention.
Legislative initiatives are very important in questions regarding the storage of confidential information and organizations' actions when that information leaks. Citizens' private data belongs to them no matter whether they are clients of a commercial or a governmental organization. This is why the victims, who are always the people whose data was stolen, must be informed of the leak as soon as possible. “The problem of data leaks is a lot more serious than it can seem from an official brief: you can never forget about the high level of latency of such incidents. To stimulate the security of confidential information, it is necessary to think about the introduction of national standards of security and necessary bills (such as the Sarbanes-Oxley Act), which regulate the storage of individual citizens' private information,” comments Evgeny Preobrazhensky, the director-general of InfoWatch.
Indeed, the known cases of information leaks are only the tip of the iceberg. The rest is hidden beneath a shockingly high level of latency of violations in this sphere. For example, concealment of information technology crime reaches 80% in the USA, 85% in the United Kingdom, 75% in Germany and 90% in Russia.
Extrapolating from this data, one could say that the statistics reflect only 10% of committed crimes. When such an incident occurs, most organizations prefer not to make the affair public, because they are afraid that it might damage their competitive position and negatively affect the price of the company's shares on the market.
Every week, serious information leaks occur all around the globe, damaging both companies and private citizens. The problem definitely needs to be taken seriously and calls for certain legal initiatives. Sooner or later, even Russia will have to take the path of governmental regulation and the creation of national standards of security.