Private vs. Public Sector Responses to Data Security Breaches
I just blogged about the massive data security breach by the Veterans Administration, affecting 26.5 million veterans. Bob Sullivan has a terrific post comparing the government’s response to its data security breach to that of the businesses that have had such breaches in the past:
It’s become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.
So far, the vets haven’t been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.
That’s insufficient. . . .
Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that’s a tepid step at best to spy signs of identity theft after a data leak like this.
The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It’s hardly a perfect solution and doesn’t catch every instance of ID theft, but it’s a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexus, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.
The VA should do the same. Anything less is neglectful.
Bob Sullivan is exactly right. More at Sullivan’s excellent post.