For years, companies have spent millions of dollars trying to keep hackers outside their computer networks.
But the real danger, some say, is not outsiders. It's not even criminals working inside companies. The real danger is a few innocent clicks of the "send" button.
Companies hemorrhage personal data every day as part of normal business practices, says Kim Getgen, director of marketing of Reconnex Corp., which makes technology to monitor the bits and bytes leaving companies' networks and destined for the Internet.
Word documents, Excel spreadsheets, and e-mails full of Social Security Numbers, credit card numbers, and other personal information are carelessly slung around the Internet, Getgen said.
Rob Douglas, a banking consultant who operates PrivacyToday.com, says he's seen widespread problems with such accidental leakage for years.
"At every company that I have ever interacted with, this is a problem," he said. "When I go into private sector client, I'll say to them at the beginning, I'll bet you my fee that if you let me see the information leaving your network I can find either customer information or human resources information that could be used by ID thieves ... and nobody ever takes the bet."
Screw-ups not rare
The classic case of accidental data disclosure occurred in 2001, when Eli Lilly inadvertently exposed the identities of hundreds of consumers who were taking the anti-depressant Prozac. They had signed up for e-mail-based reminders, and in one e-mail, all subscribers were accidentally listed in the "to:" line instead of the hidden "bcc:" line.
Similar mistakes are not rare, Getgen said. She described tests Reconnex ran for five large financial services companies in July. The company wouldn't disclose the clients' names, citing confidentiality. During the tests, the firm claims it found over 5,500 instances of a spreadsheet or word processing document sent out of the company with Social Security numbers in plain view. On 6,400 occasions, credit card numbers were sent out, she said.
The results are typical, she said. Reconnex technology is used by 60 companies, she said, and nearly 100 percent of the time, they find either credit card numbers or Social Security numbers sent out of the network. "It's rare not to see it," she said.
There is no hard data on how many companies have unhealthy data practices. But Howard Schmidt, a former White House cyberczar, who also ran Internet security at Microsoft, eBay, and other firms, said consumers should be aware that many companies don't take good care of their information.
"It depends on the company," he said. "People post things to their Web site so they can work at home. People lose laptops or PDAs with critical data on them. Once I even got a call about a bunch of CDs someone found at a bus stop that were full of customer data."
'Content inspection' technology
To combat the problem, Schmidt said a small group of companies have popped up that sell software and hardware aimed at tracking data that enters and exits companies.
Called "content management" or "content inspection," the technology looks for signs of misuse and abuse, such as browsing pornographic Web sites or transmitting company secrets.
John Pescatore, an analyst with the Gartner Group, says interest in content inspection technology has spiked this year due to more incidents and greater overall concern about identity theft.
"Security gurus for years have said 70 percent of the problem is insider driven, but nobody wanted to spend money on that," he said. "These threats have given ammunition to the security gurus now."
San Francisco-based Vontu Inc. has its content management software installed at 650 companies. In a study of clients' e-mails completed earlier this year, Vontu said it found 1 in every 500 e-mails sent by company employees contained "confidential information." And nearly half of the e-mails that are sent in violation of company policies contain either "private customer data or intellectual property." Many of those messages violate state and federal regulations.
"It's fair to say in just about every single company we work with there is consumer information going out," said Joseph Ansanelli, Vontu's CEO. He said mistakes can be as simple as this: an employee sends out an Excel spreadsheet which appears to be benign. But there's a second sheet to the file, hidden from plain view, which contains a list of Social Security numbers or other personal information.
Mistakes are often operator error, says Miriam Wugmeister, a New York lawyer who advises U.S. firms on compliance with international data privacy laws.
"I think that what happens is people inside companies become inured to the sensitivity of the information they deal with every day," she said. "People in finance who deal with credit cards all the time forget that information is sensitive, for example. People are human."
Even companies that have strong policies in place often see employees develop troublesome work-arounds, she said.
"There's a rule saying the information has to be password protected, and you find an employee sending a document that's password-protected, but they send the password in the body of the e-mail," she said. "You see things like that."
"When you start sending things to other companies, you have no power over who is there, who might see it, and who it might be forwarded to," said PrivacyToday.com's Douglas.
Usually, the data is sent outside the firm innocently, said Dan Verton, author of a new book, The Insider, which describes the threat of leaked data. Verton relies heavily on Reconnex data for his research, and the firm is promoting his book.
"These are not cases where banks are employing criminals," he said. "They are employing individuals who are inadvertently disclosing and mishandling information. It stems from their willingness to go around security policies and procedures."
Verton said companies across America have failed to create a culture of privacy, and as a result, broken business processes leading to data leaks are rampant.
Wugmeister puts it differently -- she says there's a need for companies to have a culture of compliance. Well-meaning employees who unwittingly expose consumers through work-arounds are often the source of such problems, she said.
"The vast majority of it is inadvertent," she said. "People trying to avoid a hassle and get around the systems put in place." Spot audits to make sure employees aren't sneaking into risky behaviors like using Web-based e-mail services are essential, she said.
The Enron case study
Given firms' reluctance to discuss security problems, it's difficult to assess just how common the problem is. But researchers at Audiotrieve Inc., which makes e-mail analysis tools, have found the publication of thousands of internal Enron e-mails to be a treasure trove for assessing how employees use -- and misuse -- company networks.
In March 2003, the Federal Energy Regulatory Commission posted on its Web site 1.6 million pieces of internal Enron e-mail dating from 2000-2002. Immediately, Enron asked the agency to remove the e-mails, which were chock full of personal information. According to the Wall Street Journal, one e-mail included a payroll document that listed the Social Security number of every employee. Ultimately, FERC removed 141,379 e-mails at the request of Enron -- about 8 percent of the database -- because Enron said personal information of one kind or another was included.
"This is a huge problem for corporate America. Corporations don't really get this yet," said Roger Matus, CEO of Audiotrieve. "At the end of day, (companies) are legally responsible for every bit that leaves their company....If an employee does something that violates someone's privacy, the company is involved."
One of the reasons firms fall prey to such casual data procedures: They've paid through the nose for technology that they think is protecting them. But firewalls and antivirus products only secure companies from the outside in. They stop intruders from entering and stealing data; they don't prevent employees from intentionally or accidentally leaking it, leaving companies vulnerable from the inside out.
"All of these companies suffering from this problem all had technologies they thought locked them down from doing it," Verton said. "Companies have spent millions on perimeter defenses. But there's still a gap."
Gap is closing
That gap is closing, says Pescatore, because companies like ChoicePoint and CardSystems -- which exposed 40 million credit cards to a hacker earlier this year -- are facing the consequences of data leaks.
"CardSystems may go out of business. ChoicePoint stock is still down 30 percent from when its incident happened," Pescatore said. "It's having an actual business impact."
Ansanelli said all that bad news has been good for his business. Sales of his firm's products are up 300 percent in the past 12 months. Corporations have long implemented written policies mandating that employees handle personal data with care, but have had a difficult time enforcing them. Content management technologies are changing that, he said, and are exposing the magnitude of the problem. Still, consumers don't have a lot of options to protect themselves.
Schmidt, the former cyberczar, makes a habit of quizzing customer service representatives to get a sense of the firm's privacy practices. When they ask him for the last four digits of his Social Security number, he asks the telemarketer for the first five. If the service rep has the right answer -- meaning the operator can see the entire SSN -- Schmidt quits the company.
He also recommends consumers ask a firm about the "life-cycle" of the data they collect. For example, if the firms obtain a credit score, find out how long they keep it, he said. Another question: When you leave the company, does it destroy your data?
"For the most part, it's hard for them to answer," Schmidt said. "But if enough people ask the questions, companies will get the message and start getting the answers."
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic