You Down With OPD?
This is not really a data breach per se, nor is it a one-off type of problem. A breach is when an unscrupulous person nefariously gains access to data. It usually involves hacking into a site that is not properly protected or stealing equipment with unprotected data on it. But in this case we have data exposed over the web for anyone to just pluck.
I believe this story to be indicative of the cavalier attitude taken with other people’s data. I think I’ll coin a new term here – OPD – Other People’s Data. Hence the title of this little piece. (Hey, I am a product of the 1980's and I still remember Naughty By Nature's song, don't you?)
Now who wouldn’t get upset to find their personal data/information exposed on the web for all to see... but OPD, nah, who cares? I’m not exaggerating; here is a quote pulled directly from the Computerworld article:
Until there are enforceable penalties in place for any organization that exposes data, this will continue. And I mean any type of organization – public or private; corporation or government agency. The penalty may not be the same, but a stiff penalty is needed. For example, fining a government agency wouldn’t work because the collector of the fine would also be the government. But perhaps a mandatory impeachment for any elected official in charge – or mandatory firing for non-elected officials – would get some attention.
If information such as birth dates, Social Security numbers, images of signatures, passport numbers, green-card details and bank account details is freely available for the taking over the web, is it any wonder that identity thieves are so successful? An individual can do everything in their power to protect their personal information, but when that information becomes OPD because it has to be shared with a government agency, financial institution, etc., then all bets are off.
I say "crisis" because the amount of personal data that is exposed is overwhelming. If one studies this topic, one quickly comes to understand that we are indeed in a crisis.
Here are just two examples I've run into this week (and it's only Tuesday!)--
1- The state of Minnesota sells all personal driver's license information to anybody who wants it for $1,500. They've made 800 sales so far. (Source- this month's Harper's magazine).
2- Hundreds of US companies outsource data overseas to countries with less strict data-protection laws than the US. There is no legal requirement that they inform their customers of this. Much of this data is virtually unprotected from misuse (source- http://redtape.msnbc.com/2006/04/are_people_warm.html#posts).
Bottom line-- we very badly need new laws to protect the public.
Just as you say, many companies and individuals will otherwise treat other people's data (OPD) very differently than they would their own.
I think it is incumbent on all of us database professionals to educate ourselves about this crisis.
The least we can do is advocate for good data-protection policies and practices where we work.