Karen Dillon reports that mortgage loan documents from Pulaski Bank that included applicants’ tax returns and other sensitive information were stolen from an unattended vehicle in September. The documents had reportedly been stolen from a loan official’s car while it was parked at a gym.
This type of breach is certainly not new… I’ve been covering these types of breaches since the beginning of PogoWasRight.org in 2006 and even then, this type of breach infuriated me. If you want to risk your own personal data by leaving it in your car, that’s your business and lookout. But if you’re the guardian of other people’s information, you have a duty to protect it diligently. Leaving it in an unattended vehicle does not meet my criteria for “diligent.”
Yet entities still suffer these types of breaches and states have yet to deal with paper records or require greater security. Dillon reports:
Both Missouri and Kansas have been addressing the issue and both have laws that require that consumers be notified of data breaches in most cases. But the law is silent when it comes to paper records.
The bank seems to believe it was fully compliant:
Kevin King, general counsel for Pulaski Bank, said bank officials would have no comment because Overland Park police are still investigating.
“Pulaski Bank has followed all applicable internal policies in adherence to regulatory guidelines,” King said in a statement.
So what does that mean? Do their internal policies permit loan officers to leave customer financial data in an unattended vehicle while they work out at a gym? Or is the bank telling us that the state and federal regulators really do not prohibit such behavior?
Read more on Kansas City Star while I go pour some more coffee and mutter to myself.
Clearly, the mishandling of personal data is on the rise. Companies just do not have the due diligence or governance to manage personal data effectively. And to the point of the writer, federal and state laws are lacking. HHS took the lead and created a “wall of shame”; several states followed. Their goal was to make people report data breaches on a web site with the hopes that public humiliation would make them want to do better. Well, it is not working very well: now people just don’t report, HHS does not enforce, and once again the losers are the victims of data breaches.
Legislators forget the basic guidelines under which American businesses and non-profits operate: do things that make money, don’t do things that will impact the bottom line, and do the right thing if it will improve the margin. So, how do we get companies to secure information in an effective manner? The solution is simple, and it helps the federal and state deficient situations. Levy fines at the state and federal levels, and establish a per-record damages amount for the victims. Do this, give it 2 years, and the breaches involving mishandling and mismanagement will go away. This will also reduce the number of electronic breaches; a large number of breaches have involved lost or stolen tapes which were not encrypted. You have to ask yourself, why are they not encrypted when this happens over and over again?
There are lots of questions I ask myself and my readers – and Congress – over and over again. In my next life, I will be reincarnated as a broken record, no doubt.
HHS didn’t take the lead on “wall of shame,” though. Their site went up in 2010, after states like New Hampshire, New York, and Maryland had already started publicly disclosing breach reports. Unfortunately, NYS stopped doing that. I wish more states did make the reports freely and readily available to the public.
The notion of statutory per record damages has been kicked around for quite a while in the privacy advocacy community. So far, it hasn’t gained any traction where it counts, though.