For the UPS hatahs...
 

UPS loses package containing data tapes with personal and financial data on almost 4M people

http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-06-06-citifinancial-lost-data_x.htm

I've always wonder how they 'lose' packages. I've been to a UPS transfer facility, where they move packages from the big trucks to the little trucks, and while it's possible for packages to fall off conveyer belts, it didn't seem obvious where they could 'hide' from that point. Is the stuff falling off the trucks? Random thefts? Getting run over by a forklift and then sent to the dumpster?

Yeah, I think its a combo of theft and destruction all under the banner of "lost". It would be nice to see "loss" percentage stats for each carrier.

I guess you can pin this on UPS to some degree, but frankly I would hold CitiGroup 100% responsible as well.

There needs to be a law against such cavalier handling of personal information. Yet another way the government lets Corporate America screw the blind voting public.

What's really annoying is that the information on the tapes was not encrypted or password protected (from what I read). That is maddening. Granted it probably wouldn't stop a knowledgeable IT person from retrieving the personal info off the tape, it probably would stop 99% of the people who tried to access it and help Citibank cover their arse. How moronic...

This happened about a 2 months ago with Ameritrade as well.

Its like just shippping a few hundred thousand greenbacks through the mail...

Tapes should be shipped via a secure service (like an armored car) to a secure location (like a vault) for storage.

There is a poster on Fark who's husband works with the data transfers mentioned. He's been pushing to have it sent in electronic form and encrypted. His boss(es) keep shooting it down, since "only terrorists encrypt data like that".

There should be a law where the corporations are responsible for data security and liable for when it is broken.

I agree.

The data precautions I see taken by my employer make shipping tapes via UPS seem like gross negligence.

Any manager that shoots down encrypting PII (Personally Identifiable Information) for the reason stated above should be fired.
The cost for securing data is sometimes very high. That's why many executives have such a cavalier attitute. But look at the alternatives. You'd think something this obvious would be handled properly. Most responsible corps use a storage facility that transports in a secure manner. For example we use Iron Mountain for offsite storage.

Regarding laws and industry standards;

Visa and other card companies have banded together and instituted security guidelines that CC processors or merchants must follow....it's called Payment Card Industry or PCI (formerly CISP) and the fines and resultant costs are potentially very high. Your level of compliance is determined by the volume of CC transactions one handles.

California also has a law that requires any breach to be reported to all potential "victims".

The laws and industry self governance are coming...just very slowly.

Liability is the key - if you don't encrypt then you're 100% liable.

Working in the data security business myself these days if you for example loose a laptop and it wasn't encrypted and the data loss is significant - you're liable because you didn't make even reasonable attempts to protect the data. Encrytion is easy to do and hard to break - especially on fly encrypted file transfers - easy as freakin pie man...no excuses - ROI is instant good pr.

You're fired. End of story.

To be fair to UPS its possible the label came off & the item(s) are sitting in a warehouse waiting to be claimed;then again the belts that move the boxes to & fro generate tremendous force & would crush anything in its path if a blockage occured. Tape should have been encrypted imo.

Good point. That's why they ask shippers to put a copy of the "Ship to" and "from" info inside the package as well. I suspect most dont.