A few days ago, customers of Baltimore-based Provident Bank received notification that their credit and debit card numbers may have been compromised in a theft described as potentially one of the largest personal data heists ever.
The culprit here was a piece of malicious software placed on the computer network of Heartland Payment Systems in Princeton, N.J., which processes 100 million transactions a month. Although officials don't know how many Provident customers or other consumers were victimized, the breach at Heartland is just one wave in a rising tide of data theft that suggests tough new federal controls are needed on how organizations handle the data they collect.
Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to the Identity Theft Resource Center. But many others fail to report data thefts.
In Maryland, more than 200 security breaches involving state residents have been reported to the office of the attorney general since the state's security breach law went into effect one year ago. Among those reporting were banks, retailers and educational institutions.
Can the problem be contained? The Center for Democracy and Technology and other consumer groups believe so. They are proposing legislation to replace what they see as an outmoded federal regulatory regime. They say companies not only should keep people informed of a data security breach (45 states, including Maryland, require it) but also should be required to more securely store and use data. Firms that don't comply would face civil penalties. Others suggest the most effective way to combat identity theft is to minimize the amount of data available for stealing.
Federal Trade Commission rules scheduled to go into effect this summer require financial institutions to provide their customers with basic identity theft protection. But the scope of the problem in this era of rapidly evolving technology underscores the need for stronger institutional protections and consequences for failing to adequately secure private data. The extent of consumer information that is stored on computer networks makes everyone a potential victim.