This particular data, covering 3.9 million people, was on tapes being shipped via UPS. Citigroup said the tapes were lost by UPS Inc. "in transit to a credit bureau." So, three things to note:
- Misplacing data is nothing new--it's been happening for years--but the public has rarely heard about it before now. The fact that they are hearing about it now is mainly due to California's groundbreaking SB1386 notification law.
- Misplacing data tapes should not be a problem. All data tapes that leave the secure environment of the data center should be encrypted by default. That so many big companies are apparently shipping unencrypted tapes via ordinary shipping services is a disgrace, and definitely a failure to meet a reasonable standard of due care.
- Until one of these companies gets sued big time, this needless exposure of consumers to the risk of identity theft will continue.
The reality is that IT has delivered massive gains in productivity and profits over the last ten years. The nature of businesses and humans is that the true cost of achieving these gains lags behind the gain curve. It is time for corporate America to accept that data about customers requires way more protection than it has so far been afforded. Smart companies will maintain their edge by increasing security in smart ways. It doesn't have to cost the earth, but it does cost, so some will cut corners and lose customers (if I had a Citi account right now, I'd be closing it).