Ubiquitous Technology, Bad Practices Drive Up Data Theft

Some critics say companies don't have enough financial incentive to safeguard sensitive data. (By Mark Lennihan -- Associated Press)

But many firms argue that while data protection is a top priority, such measures could make online commerce too inconvenient for consumers without adding appreciably to security. And security already is a large business expense.

Companies must monitor their computer networks and "patch" vulnerabilities in software that are discovered regularly.

That can be especially complex when firms merge and one company's system needs to be incorporated into another's, said David Thomas, head of the FBI's computer intrusion section.

"It's very, very difficult to stay on top of it," Thomas said.

Moreover, said Mark Rasch, a former federal prosecutor who works for an Internet security firm, "The company has to try to protect against every kind of attack. The intruder only needs to find one."

Some breaches, such as mortgage data from General Motors Acceptance Corp. that was stored on a laptop stolen from a car, leave consumers wondering how seriously companies take information security.

Sen. Dianne Feinstein (D-Calif.), one of several on Capitol Hill sponsoring identity theft legislation, said the CardSystems incident last week "is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing."

Thomas F. Holt Jr., an attorney who represents companies involved in breach cases, said he expects things to change when large class-action suits begin to get filed against firms for improperly protecting information.

"When that game is afoot . . . companies will begin to redouble their security efforts and reexamine a lot of assumptions they have regarding the gathering and storing of sensitive data," Holt said.