Citing the recent incident in which identity data was used to defraud the Internal Revenue Service (IRS), Treadaway says: “This is a wake-up call for anyone who views identity theft as a low-risk crime. Now that personal documents such as payslips, tax returns and bank statements are available online, you cannot be too careful about protecting your highly valuable personal information.”
The IRS incident involved a 3-step scam in which the perpetrators allegedly used information such as social security numbers, birth dates and addresses stolen from unknown sources to access tax returns on the IRS document archive. The tax returns were then used to claim fraudulent refunds.
Says Treadaway, “While the IRS’s financial loss is grave at $50 million, the real public interest issue is the 100,000 individuals whose identities, including earnings and asset information, have been horribly compromised. This should be ringing global alarm bells as a definite warning about the dangerous combination of reckless information sharing and bad security practices in the data chain.”
While the origin of the stolen identities is not clear in the case of the IRS fraud, Treadaway sees this as evidence that multiple parties in the chain, possibly including the data owner, are being too casual about data protection.
“Data security starts with you. You cannot expect your bank, employer or government to be solely responsible for protecting your personal information. Just like you wouldn’t leave your bank statement lying in a public place, don’t give your personal information to an organization or individual you don’t know and trust.”
Why this incident reinforces the need for the PoPI Act (South Africa)
“Although viewed as onerous by some, the Protection of Personal Information Act (PoPI) is designed to reduce the likelihood of disasters such as the IRS breach, by forcing organizations to tighten their data security or face penalties. Consumers should welcome this legislation as it affords each individual rights over the use of their personal information, and recourse in the event of a breach.”
But Treadaway highlights that government has, to date, only set guidelines and quantified penalties. “We need follow-through on the establishment of a Regulator, a deadline for compliance and then we must start seeing active policing of risky or unlawful processing of data.”
The PoPI Act is very clear on what is required from organizations, but in the absence of time pressure, some may delay the interventions that are needed to adequately secure the data they gather, store and process. A casual attitude towards implementing the necessary policies and procedures extends the window of opportunity for data theft and exposes more individuals to fraud.
“A more digital world has fostered a more sophisticated criminal,” says Treadaway, “and only with a concerted effort from all stakeholders – government, business and individuals – can we keep our personal information safe.”