At the end of the day, these failures occur because policies and procedures are missing or ignored. They result from failures of leadership and management.
In October, it was revealed that more than 75% of South Carolina residents had their Social Security numbers, credit card numbers, and other personal information breached in August after someone stole credentials from one of 250 state employees with access to the South Carolina Department of Revenue (DOR) database.
Amazingly, that data was not even encrypted.
If you think that was stupid, wait till you hear the governor's excuse. Encryption is "complicated and cumbersome technology." Interesting point, but here's the thing: encryption is not hard! It's actually pretty simple. What's hard is having your identity stolen, your accounts emptied, your credit ruined and your life turned upside down because bureaucratic brain surgeons in your state government thought encryption wasn't worth the trouble.
Still, I'm sure South Carolinians will sleep much better having heard the governor's subsequent suggestion --- now that it's too late --- that encryption might be a good idea after all.
There's no shortage of dumb decisions in the political sphere, but it's worth asking just how badly our current cost-cutting budgetary obsessions are warping our ability to make intelligent cost-benefit choices --- especially in such high-stakes situations. From identity theft to cyber-warfare, our inability to weigh risks in a rational way is costing us big time --- and may ultimately be our undoing. Example: In the past 24 hours, we've learned that the entire South Carolina disaster could have been avoided by spending as little as $25,000 for a dual password system to keep hackers out of that database. "I almost fell out of my chair," said the co-chairman of the cyber-security subcommittee investigating the debacle. "For $25,000, we wouldn't be here." Would it have been worth it? 6.4 million consumers and businesses --- given the chance --- obviously would have said yes.
Frankly, this level of incompetence and disregard for the public good should be criminal. People in positions of public trust who allow such acts should be held accountable. Lose their jobs. Go to jail. Or both.
And we must mandate encryption of databases containing personal identifying information, from SSNs on down --- and set criminal penalties for failing to do so.
When I said "we ignore identity theft at our peril," I simplified too much. Too often, those who ignore these risks ignore them at other people's peril --- despite a clear fiduciary responsibility to defend the public.
Adam Levin is chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.