IN FEBRUARY, Bank of America Corp. acknowledged that computer tapes with personal information on federal employees had been put on an airplane in December and then lost, putting 1.2 million people at risk of identity theft. In May, Time Warner Inc. announced that it had shipped similar information by truck and lost it, too, compromising data on 600,000 employees. The next month it emerged that a unit of Citigroup Inc. entrusted computer tapes with information on fully 3.9 million customers to United Parcel Service Inc.; the tapes never showed up at their destination. What's more, losing tapes in transit is only one way that companies can compromise personal data. In the most recent security failure, credit card companies admitted that hackers had penetrated the database of a payment-processing firm. As many as 40 million credit card numbers may have fallen into the hands of criminals.
This is serious business. Once your name, date of birth, address and Social Security number go astray, you are permanently at risk. The bad guys have what they need to take out a loan or order up a credit card in your name -- now, next year or whenever they get around to it. Individuals may have to get used to this facet of wired life: Just as you don't leave home without checking that the door is locked, you may have to check with credit bureaus to ensure that no unwanted pseudo-you is out there borrowing money. But the recent spate of security breaches demonstrates that banks and corporations could do much more than they are bothering to do now. Shipping unencrypted tapes by UPS is an unacceptably careless way to treat sensitive information.
Some of the obvious legislative fixes are already in place. Federal law requires financial institutions to safeguard personal data. Several state legislatures have passed laws requiring that potential victims be notified if their information is compromised, and other states are following. But these efforts clearly aren't enough. The federal requirement to safeguard personal data didn't stop Bank of America and Citigroup from suffering breaches, and notification requirements have drawbacks. They may usefully prompt people to check that loans aren't being taken out in their names by criminal impostors. But because some new laws force disclosure of even trivial breaches, consumers may soon receive so many tedious warnings that they ignore the whole lot. Disclosure may also change an instance of incompetence into something worse. If a carton of computer tapes loses its label and languishes in some corner of a shipper's warehouse, alerting potential bad guys to the value of that dusty box makes abuse of lost information likelier.
What's needed is not extra regulation but a bigger effort to give that regulation bite. Tougher enforcement by the Federal Trade Commission and other regulators would be a start. Legal liability might be another helpful weapon: Courts in Michigan and New Hampshire have ruled that corporations can be held liable for the damages resulting from lost information, and other jurisdictions will probably follow. Regulators should also address the anomaly that leaves stores and merchants to pick up the cost of credit card companies' negligence. At present, if a fraudster steals your credit card number and uses it to buy six large TVs, the credit company that allowed your number to be stolen may refuse to reimburse the TV store.
Misaligned incentives like those help explain why financial firms and others have been so slow to take obvious steps to safeguard sensitive information. Couldn't companies encrypt data before shipping it elsewhere, so that a lost tape is worthless without the key? Couldn't they transmit it over secure networks instead of putting it on a truck at all? Yes, they could. But they need stronger reasons to do so.