BANK ROBBERIES still take place. But while banks remain tempting for some criminals - "That's where they keep the money," reasoned legendary heister Willie Sutton - nowadays you don't have to break into them to walk off with other folks' money. All you have to do is get hold of Social Security, financial account and credit card numbers. There's real gold in those digits, and it's become clear that financial institutions too often aren't sufficiently guarding their electronic vaults.
The latest evidence of that was the disclosure last week that United Parcel Service had lost a box of computer tapes shipped by Citigroup, tapes with 3.9 million customers' account information. Since February, when a large data collection firm, ChoicePoint of Atlanta, revealed it had let thieves gain access to its trove of personal data, there have been dozens of such announcements. It's thus not surprising when the Federal Trade Commission says that almost 10 million Americans a year fall victim to the crime of identity theft.
We're more often learning about these security breaches because of a 2003 California law requiring customer notification. Similar legislation is being pushed at the federal level and in other states, but even stronger steps are needed - along the lines suggested by Sen. Charles E. Schumer of New York, who has proposed establishing security standards and fining companies for losing control of sensitive data. Companies ought to be aggressively protecting their customers' privacy as a matter of good business, but too many aren't. Financial penalties would spur greater safeguards, if only by putting a firm cost on not properly protecting customers.