20111121

If you can't protect it, don't collect it

Chez Fûz just received two identical letters from a company that does IT work for TriCare. One addressed to Her and one addressed to Him.

We are sorry to inform you that a backup tape of many healthcare transactions, while being transported by one of our employees, was stolen from the employee's vehicle. This tape includes sosh-scurty numbers, addresses, names, and piles of other information prone to compromise. Your information may be among those records lost; we aren't sure. Because we feel so very very very very very sorry, we're telling you about it more than two months after our employee notified us of the theft, and encouraging you to monitor your credit reports very carefully for the foreseeable future, in case the guy who went to such extraordinary effort to steal this data tries to use it.

And by the way, we have arranged for a fourth-party company to watch your credit reports for you, for free, for one year. All you have to do is send them your sosh-scurty number, name, address, and much of the other data that we already have but have allowed to become stolen. Just fill out the attached form and put it in the postage-paid envelope.


If I were the guy reading this letter, my first thought would be that this is a mother-schtupping phish. Sainted wife will call TriCare tomorrow to rule that out.

My next thought would be, DOD cannot transition from the SSN to a randomly-assigned service number fast enough. As the DOD's successes, failures, and lessons-learned accumulate, the rest of the Fed Gov should be compelled to follow suit.

The next thought after that would be, let's adjust all future contracts between DOD and TriCare to require them and their subcontractors to apply the same risk management practices over these records that GIs are required to use when they plan anything more dangerous than the company picnic. Make them liable for costs plus penalties for the abuse of the lost data. The dollar signs will probably tell them that they should catalog and encrypt every backup volume that ever leaves their data center, and use a courier service to transport those volumes.

Then let's require TriCare and their subcontractors to identify the clients whose records were on the lost volume, and notify only those clients. Within 48 hours of the loss.
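What "catalog and encrypt every backup volume" and "identify the clients whose records were on the lost volume" look like in code, as an added example that is not part of the original post: the volume is sealed before it leaves the building, and a catalog entry that names the clients on it (but none of their protected fields) stays behind in the data center, so the 48-hour question "whose records were on that tape?" is answered by a lookup instead of a guess. The sample records, the volume id and the function names are constructed for illustration. To run on the Python standard library alone, the encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; treat that as a stand-in for a vetted AEAD such as AES-GCM from a real crypto library, which is what you would actually deploy.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed sample records: placeholder identifiers, not real people.
SAMPLE_RECORDS = [
    {"client_id": "C-1001", "name": "Pat Example", "ssn": "000-00-0001"},
    {"client_id": "C-1002", "name": "Sam Example", "ssn": "000-00-0002"},
    {"client_id": "C-1003", "name": "Lee Example", "ssn": "000-00-0003"},
]

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master_key: bytes):
    """Derive separate encryption and MAC keys from one volume key."""
    enc_key = hmac.new(master_key, b"volume-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"volume-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject anything altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("too short to be a sealed volume")
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("volume failed integrity check")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def build_volume(volume_id: str, records: list, master_key: bytes):
    """Seal the records for transport; return (blob for the tape, catalog entry).

    The catalog entry stays in the data center. It records which clients are
    on the volume and a hash of the sealed blob, but none of the protected fields.
    """
    plaintext = json.dumps(records, sort_keys=True).encode()
    blob = seal(master_key, plaintext)
    entry = {
        "volume_id": volume_id,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "record_count": len(records),
        "client_ids": sorted(r["client_id"] for r in records),
        "sealed_utc": datetime.now(timezone.utc).isoformat(),
    }
    return blob, entry


def open_volume(master_key: bytes, blob: bytes) -> list:
    """Restore from a volume; raises ValueError if it was tampered with."""
    return json.loads(unseal(master_key, blob).decode())


def clients_to_notify(catalog: dict, lost_volume_id: str) -> list:
    """Answer 'whose records were on the lost tape?' from the catalog alone."""
    entry = catalog.get(lost_volume_id)
    return list(entry["client_ids"]) if entry else []


def release_for_transport(blob: bytes, entry: dict) -> bool:
    """Gate at the loading dock: the blob must be the one the catalog describes,
    and it must not parse as a plaintext record dump."""
    if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
        return False
    try:
        json.loads(blob)
        return False  # readable JSON means it was never sealed
    except ValueError:
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice from a KMS or HSM, never on the tape
    blob, entry = build_volume("TAPE-0042", SAMPLE_RECORDS, key)
    catalog = {entry["volume_id"]: entry}
    print("cleared for transport:", release_for_transport(blob, entry))
    print("TAPE-0042 lost, notify:", clients_to_notify(catalog, "TAPE-0042"))
    print("restore matches:", open_volume(key, blob) == SAMPLE_RECORDS)
```

The catalog is the part that turns a two-month, everyone-gets-a-letter notification into a targeted one: it is keyed by volume id, it is never written to the medium it describes, and it carries only client identifiers and a hash of the sealed blob. The hash also gives the courier hand-off something to check against on both ends.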

And I was the guy reading that letter. How many thousands of other letters just like it have been read tonight?
