Acid Test

evmori, Go to this page and have a look at the numbers affected: http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml Question: How many large breaches have there been and how many people have been potentially affected? In 2007, ITRC documented 446 paper and electronic breaches, potentially affecting more than 127 million records. This is a significant increase from 2006 which listed in excess of 315 publicized breaches affecting nearly 20 million individuals. In 2005 there were 158 incidents affecting more than 64.8 million people. Based on ITRCs categorization, the 2007 breaches break down as follows: 24.5% government/military agencies, 24.7% from educational institutions, 29.3% from general businesses, 14.5% from health care facilities / companies, and 7% from banking / credit / financial services entities. I guess I don't understand what you don't understand. Even if these numbers are not entirely accurate, the magnitude of the problem or potential problem is staggering.

With the continual decline or stagnet enrollment in scouting since the 1970's, the BSA should be more open to alternative solutions that solve problems (in this case, performing a background check without a SSN) than flexing their "one size fits all" muscles.

Beavah, Just an excellent post!!! I spoke directly with the local council executive regarding my situation. He mentioned that there are several others taking a similar position as mine due to a recent change in the BSA's policy of grandfathering leaders prior to 2003 needing background checks. The change affected ~4000 volunteers locally with dozens refusing to provide their SS numbers. He has a large issue to get through. BTW, the executive was very polite and understanding. I very much appreciated his demeanor. Regardless of the final decision, I will not lose focus of the prize - my son. He will continue to be a highly encouraged scout with plenty of parental interaction - you still have to play the ball game regardless of how the officials are calling it.

I contacted our council registrar and she agreed to allow me to come in and provide my SS number. Then she told me that the information would be kept within their computer system where 5-6 people would have access. The computer system is connected to the outside world. Here are the risks: 1) The information is available to more than the people who need the information 2) The system is susceptible to outside hackers 3) How are the servers and hard drives disposed of? 4) Does the information reside on laptops? 5) Is the information encripted? Password protected? 6) Is the information tied into a larger set of servers? All offer areas of compromise. 7) Is the information backed up systematically? How are the backups secured? 8) Could the information reside on USB flash or harddrives? 9) What antivirus, spyware, and firewalls are employed? I understand that at the end of the day, I have to decide what is right for me. I have decided to write a letter to the council requesting an appeal to the national council for an exception instead.

This is who the BSA uses to perform thier background checks. http://www.law.harvard.edu/students/orgs/jol/vol44_2/stamant.pdf From page 508: But the industrys comprehensive inltration of our lives is not costless; as evidenced by the widespread impact of the recent database breaches, weaknesses in industries that constitute society-wide systems can have profound consequences.25 Database giant ChoicePoint exemplied these dangers in February 2005 when it mistakenly disclosed the personal information of 145,000 Americans to scam artists and failed to inform the public for three months.26 Revelations soon surfaced that other database businesses, as well as nancial institutions and merchants, had also disclosed sensitive data.27 By the end of 2005, over 50 million individuals personal information had been compromised.28 The nancial implications of such breaches are signicant. The Federal Trade Commission (FTC) estimates that the wrongful use of data, some of which can be traced to poor data security practices,29 costs businesses and consumers $55 billion annually.30 Data insecurity also imposes non-pecuniary losses by impairing citizens ability to participate meaningfully in society:31 inaccurate or misused data can restrict an individuals ability to secure employment, obtain a mortgage, or purchase a car.32 Also: ChoicePoint Settles Data Breach Lawsuit Will pay $10 million to settle class action By Martin H. Bosworth ConsumerAffairs.com January 27, 2008 ChoicePoint Lexis-Nexis Parent To Buy ChoicePoint ChoicePoint Settles Data Breach Lawsuit More ChoicePoint Identity Theft Victims Identified ChoicePoint Settles With Attorneys General Over Data Breach FTC Finally Sets Up Redress For ChoicePoint Victims ChoicePoint Names a "Consumer Advocate" FTC Fails To Pay Victims Of ChoicePoint Data Breach ChoicePoint Gets a Makeover Data Blunders Cost ChoicePoint $15 Million Guilty Plea in ChoicePoint Data Theft ChoicePoint Finds More Cases Of Illegal Data Access ChoicePoint Responds PATRIOT Act Further Empowers ChoicePoint Previous Data Thefts Went Unreported Consumers Will Be Able to See Their ChoicePoint Records, Company Says Nigerian Sentenced to Prison in ChoicePoint Theft State Tally of ChoicePoint Victims ChoicePoint Breach Worse Than First Reported Is National Security Compromised by ID Theft? States Demand ChoicePoint Notify ID Theft Victims Private Information Stolen from Nationwide Consumer Database Data broker ChoicePoint has agreed to pay $10 million to settle a class-action lawsuit brought against it over the 2004 theft of 163,000 personal information records by a ring of Nigerian identity thieves. The company also said the Securities & Exchange Commission (SEC) has concluded its investigation into the sale of ChoicePoint stock by Chief Executive Officer Derek Smith, and Chief Operations Officer Doug Curling, after the discovery of the data breach in 2004, but prior to the breach being made public in 2005. Smith and Curling made over $16 million in profit over the stock sale, but the SEC declined to recommend any enforcement action against them. ChoicePoint said the settlement would have no impact on its financial results, as the money was to be paid from a reserve insurance fund already set aside to cover expenses and costs relating to the breach. However, the company's quarterly earnings statement registered losses for the fourth quarter of 2007, losing $32.32 million, or 47 cents a share, compared with a profit of $23.67 million, or 30 cents a share, for the previous year. The ChoicePoint theft vaulted the mysterious world of data brokers and information selling to the forefront of the public consciousness, and made the Alpharetta, Georgia company synonymous with the phrases "data breach" and "identity theft." While not the first or the largest of breaches of personal information, the ChoicePoint incident prompted new scrutiny and calls for greater oversight of the data sales trade. ChoicePoint itself went on a makeover P.R. blitz in the wake of the breach, evangelizing its new transparency and openness to privacy advocates. It hired former Transportation Security Administration head Carole DiBattiste as its privacy officer, and legal counsel Katherine Bryan as its "consumer advocate." The company earlier paid $15 million in civil and consumer penalties to the Federal Trade Commission and agreed to tighten its security procedures and submit to random audits to ensure it was properly protecting personal information. It coughed up another $500,000 to settle lawsuits brought by the Attorneys General of 44 states for its lax handling of personal data that led to the breach.

SS number verification is one of their services they provide but this isn't what BSA is verifying. According to Choicepoint, the candidate only needs to provide their full name and their birthdate in order to run a criminal background report . SS number is not needed to search but would be listed as one of the fields on the report. See: http://www.volunteerselectplus.com/hdocs/National_Criminal_File.html The person on the phone today was very certain on this point that only the complete name and birthdate needs to be entered to perform a search with their system.

It is a large event with several hundred kids and 150-250 volunteer adults. No kid will be told no because of the situation. The council here is very much entrenched in their position that the ss number needs to be on the application in order to process them eventhough I spoke with the company the scouts use to do the background checks and a ss number is not needed. In fact the company said organizations and companies are getting away from ss numbers due to the exact issue I am raising. In the age of identity theft, it makes no sense whatsoever to put people in a position where a single system failure (lost paperwork, hackers, bad employees, relocated computer servers, unscrubbed hard drives) could cost their own volunteers when there are perfectly acceptable options.

Beavah, When in New York, my council successfully appealed my position and I became a leader. Here is the irony- a week later, my wife visited the local council scouting store to pick up a Tigers advancement chart for our den. While there they had a box by the register for applications, one for adult, one for scouts. For a couple of minutes, there was nobody behind the counter and my wife had full access to about a dozen applications, most or all with social security numbers. This occurred after the council tried to convince me that they are very secure with confidential information. That the information is kept locked up in files with limited access and never put on-line. That they are very serious about the forms. BTW, they do enter the information on-line.

I believe that this can be appealed by the local council and I have asked for such an appeal. I also contacted Choicepoint, the company BSA contracts to perform the background checks. According to Choicepoint, a SS number is not required perform the search - you only need the person's full name and date of birth.

I could retell the story but instead, I cut-and-pasted my e-mail to cub master. Any suggestions? XXXX, I was informed today that my application for cub scout leader would not be processed unless I provided my social security number. According to the council, this also includes my participation in the upcoming camp. Eventhough there are numerous worthy alternatives to performing background checks (full name with date of birth, fingerprints, drivers license) and the system BSA subscribes to (Checkpoint National Criminal Files Plus) does not require a social security number, the council is standing firm with this unnecessary requirement. As somebody who has had confidential identity information breached twice in the past 3 years by large organizations (XXXXX, XXXXX), I simply will not be able to provide my social security number. This has been an especially frustrating situation since my previous pack and council in New York were receptive to equally effective solutions rather than being entrenched in a single position. Unless there is a change in the council's position, I regrettably will not be able to serve as a leader in your pack. Sincerely,