RealTime IT News

Data Breaches: New Year, Old Story

A new year and an old story: Americans fall prey to data theft. A new year and another old story: Congress does nothing about it, not even requiring companies to inform consumers of the breaches.

According to the Privacy Rights Clearinghouse, 2005 saw more than 100 reported breaches involving the personal data of more than 50 million Americans. Most of the breaches occurred after Congress got riled at ChoicePoint in February and swore action to protect consumers.

Although this year is barely two weeks old, ID thieves are already off to a rousing start. Breaches have already been reported at the University of Pittsburgh Medical Center, H&R Block and the Atlantis hotel in the Bahamas.

In the absence of action by Congress, the Atlantis breach represents a new, more ominous threat: data breaches on foreign soil. While details of the breach are still sketchy, more than 50,000 personal records are in ID thieves' hands, including names, addresses, credit card numbers, driver's license numbers and bank account data.

"It was frightening enough for American consumers when major corporate database breaches here at home started exposing the potential vulnerability of their personal information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA).

With the Atlantis breach, Kurtz said, "It's all the more important that we get our own house in order and move on to improving international law enforcement cooperation."

To Atlantis' credit, the hotel is informing the affected customers of the breach, although it is under no legal obligation to do so. Nor are Bahamian law enforcement officials bound under any international laws to cooperate with the United States.

It doesn't have to be that way.

After all, the United States is a signatory to the Convention on Cybercrime, the first and only international, multilateral treaty aimed at global cooperation between law enforcement officials in the investigation and prosecution of computer network crimes.

The U.S. signed the treaty in late 2001. But there is one small problem: four years later, the U.S. Senate has yet to ratify it.

"By providing for broad international cooperation in the form of extradition and mutual legal assistance, the Cybercrime Convention would remove or minimize legal obstacles to international cooperation that delay or endanger U.S. investigations and prosecutions of computer-related crime," President Bush wrote to the Senate in 2003.

The treaty requires the signatories to criminalize conduct that is committed through, against or related to computer systems, including offenses against the "confidentiality, integrity and availability" of computer data and systems.

In addition, the treaty calls for countries to outlaw conduct that would otherwise be criminal outside the cyber world (forgery, fraud, child pornography and certain copyright-related offenses).

"[The treaty] would help deny 'safe havens' to criminals, including terrorists, who can cause damage to U.S. interests from abroad using computer systems," Bush wrote.

Late last year, four full years after the signing, the Senate Foreign Relations Committee finally gave its approval to the treaty, but a full Senate vote is still nowhere in sight.

Of course, this is the same Senate that piously rails against U.S. data breaches, holds high-profile hearings that play well back home and, ultimately, does nothing.

"We can't let the criminals get any farther ahead of the cops than they already are," Kurtz said.

Indeed.