Firms careless with privacy?

NEW YORK — Stealing Social Security numbers and other sensitive data isn't always a cloak-and-dagger, ultra-sophisticated operation: It's often a low-tech job made easier by carelessness and flimsy safeguards.

Plenty of inexpensive measures can protect data from the large-scale theft that big banks, data merchants and other companies have recently disclosed.

But "security and privacy, for a lot of large organizations, are an afterthought, not a priority," said Evan Hendricks, who publishes the newsletter "Privacy Times."

Consider the latest headache for some large banks: Wachovia Corp. and Bank of America Corp. said Monday that they have notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees allegedly sold account numbers and balances to a man who then sold them to data collection agencies. Nine people have been arrested in New Jersey in the case.

Or consider MCI Inc.'s privacy problem: An MCI laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. The car was parked in the analyst's home garage. The computer was password-protected; the company would not comment on whether the data was encrypted.

Encryption, which is relatively inexpensive, would make all those records all but impossible to access.

After a previous embarrassment, Bank of America Corp. is testing different encryption methods. It lost backup tapes in December containing the Social Security numbers and account information for 1.2 million federal workers, including senators and 900,000 Defense Department employees.

Such losses go to the heart of information technology security, whose importance is magnified as more data is concentrated in ever smaller packages.

That the backup tapes in the Bank of America case were shipped as commercial air cargo shows the bank didn't understand their worth, said Jim Harper, director of information policy studies at the Cato Institute think tank.

"That's like shipping stock certificates in an envelope," he said. "Personal data is cash money. If you leave it sitting out on a sidewalk, you're making a mistake."

Companies should also clean up their data before sending it to an outside party, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Louisiana security company. Credit unions in San Diego sent their customer databases, including Social Security numbers, to a marketing firm. When the marketing firm was robbed, the numbers were stolen, he said.