Your personal information is not yours at all. Companies collect it, buy it, sell it, archive it, mine it, crunch it, and even lose track of it. Many companies have recently disclosed that they have lost track of the information they collected on their employees and customers.

Citigroup has begun the process of notifying 3.9 million of its current and former customers that information about their accounts (names, addresses, phone numbers, social security numbers, account numbers, account balances, transaction histories, etc.) has been lost. Apparently, this data was contained on backup media that was being shipped to an alternate location. Citibank shipped the backup tapes on May 2nd, but didn’t realize they were missing until May 24th.

Last month, Time Warner lost backup tapes containing all the data it had collected on 600 thousand current and former employees (going back 19 years).

Back in April, Ameritrade informed more than 200 thousand current and former customers that their personal information had been lost when their backup tapes didn’t show up at the desired location.

Do shipping companies like UPS, FedEx, DHL, and others really lose that many important packages? In my experience, the answer is no. What usually happens is something like this: Company has some change (backups were problematic and were not finished on time, a new shipping person was hired, etc.) that requires a new person to handle some aspect of shipping the backup tapes to the new location. This is where the trouble begins. The new person may not know the right address of the final location, write down just the building address, etc. The package is then shipped and signed for on arrival at the front desk. The receptionist assumes the person that had the package delivered will come claim it, since it wasn’t addressed to anyone or any department. A few weeks go by and the department realizes they don’t have their package. They panic, call the shipping company, and find out that it was signed out at the destination. They look at the signature, but don’t recognize it (the receptionist isn’t an employee of the department where the package was supposed to be delivered). They jump to the conclusion that the package was somehow intercepted. Company decides never to use that shipping company again.

Are banks and other companies losing track of their data more often these days? Why does it seem that we are hearing about it all the time, when we never used to hear about it? Is it because the data was never lost until it was all on computers and backup tapes?

We don’t know, but we assume that it is no more prevalent today than previously.

Until recently, companies were not required to disclose to anyone when they lost your personal information. Now they are only required to report it if the information was not encrypted. But didn’t Debby Hopkins, Citigroup CTO, state that the backup tapes were produced “in a sophisticated mainframe data center environment” and would be difficult to decode without the right software? Yes, she did say that. But it doesn’t mean anything. It is pure spin. Let’s remember that they are only disclosing this data loss because they are required to do so. And they are only required to disclose information loss when the information is not encrypted. This tells us that the backup tapes are not encrypted. Sure, you may need a copy of whatever backup software they used to make the tapes in order to piece the information back together, but you will not need passwords or encryption keys to recover and (ab)use that customer data.

Requiring companies to disclose loss of personal information is a great concept. If you trust them with your personal information, you want them to tell you if they give it to the bad guys. The trouble with this particular law is that it provides companies with a very low bar to jump over in order to avoid being required to disclose their missteps. Data that is encrypted before it is turned over to the identity thieves need not be reported. This is just sad. Whether or not your personal information was encrypted when it was handed to the bad guys is not the issue. They gave away your personal information, increasing your risk of identity theft, and you need to know about it.

Don’t worry, you won’t hear about these companies losing track of your data in the future. They have seen the light at the end of the loophole.

Soon after public disclosure of their loss, Time Warner has started encrypting its backup data, absolving it of the requirement to disclose future losses of your personal information.

Most Citigroup units send data in an encrypted form and are already free from the requirement to disclose personal information loss. Beginning in July 2005, CitiFinancial data will also be encrypted, absolving Citigroup of these public relations headaches when they lose track of it.

In the US, any data collected by a firm belongs to the firm that collected it, even if that data contains your personal information. In Europe, Canada, and Australia, your personal information belongs to you. Those firms who also have custody of it are merely controllers. I’m rarely a proponent for new laws, but I do like the UK Data Protection Act (and its European counterparts). I wish our laws did a better job of recognizing that you are the rightful owner of your personal information.

Companies should not be allowed to buy or sell your personal information. That’s your data. You may choose to allow a firm to have custody of your information, but only when you make that conscious choice. Once you release it, there’s no telling where it will end up.