When Johns Hopkins officials announced this week that a courier had lost nine backup computer tapes containing personal data on 135,000 employees and patients, security specialists were critical, even though the information probably was destroyed without being compromised.
The reaction came not just because the tapes were lost, but because they weren't encrypted - coded so that they could be read only with a computerized key.
"Have we not learned from history yet, that if you're going to give [data] to a third party that you either encrypt or password protect it?" said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.
Amid a spate of lost or stolen data, some organizations and industries have begun taking steps to better protect employee and customer information, yet far too many have not, privacy advocates say. Many still leave sensitive information uncoded or hand it off to sometimes-careless employees or third parties.
This year alone, Social Security numbers were posted on a public Web site at the University of Nebraska; personal information on 537 people was stolen from the New York Department of Labor; a hacker accessed Social Security numbers for more than 1,200 people at the University of Missouri; and a laptop was stolen that contained medical records for 1,100 patients at the Salina Regional Health Center in Kansas.
Some consultants say that costs keep organizations from updating their security practices - encryption software and developing privacy procedures can be expensive. But the No. 1 reason is complacency, according to Lillie Coney, associate director of the Electronic Privacy Information Center, or EPIC, in Washington.
"They don't see themselves as being in a position where they're going to lose something," Coney said.
She is calling for more stringent criminal, civil and financial penalties for those who fail to protect information they've collected.
"Companies aren't going to do it on their own," she said. You have to "make it a part of a bottom-line equation."
Hopkins officials said they haven't encrypted their data in the past in part because it would have been incompatible with the equipment of vendors and customers.
But Hopkins was in the process of encrypting some of its data when it revealed Wednesday that some of the information not yet coded was missing. Eight computer tapes with payroll data for 52,567 university employees and one tape containing information about 83,000 hospital patients were lost.
The employee data contained sensitive information such as Social Security and banking numbers, but the patient information contained only names, dates of birth and generic medical record numbers. Officials believe the tapes were inadvertently left at a dump site and destroyed, and noted that they could only be read by special machines, not your average computer.
Since then, new discussions have begun over whether the institution can do more to protect its data.
"I don't think we're at a point yet where we've reached any conclusions. These are complicated issues, and it will take careful consideration," said Hopkins spokesman Dennis O'Shea. "We certainly recognize this as a wake-up call."
Hopkins has apologized for the incident and reached out to those affected through mailings, an informational Web site and a toll-free number.
Such instances are causing consumers to rethink the kinds of information that they're willing to share and leading state and federal legislators to craft bills that would tighten security practices. One bill before the Maryland General Assembly, for example, would require that businesses destroy detailed information in a certain way and maintain specific security procedures.
But digital specialists say that something as simple as scrambling data so it can only be read with a key could significantly reduce the risk of it being compromised.
"The reason that we're hearing of security breaches on almost a daily basis is because there's so little encryption of the data," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse. "It's not unusual, that's the problem."
A year ago, the Federal Trade Commission ordered data broker ChoicePoint to pay $15 million in penalties and consumer redress after it was found to have mistakenly sold records containing credit reports, dates of birth and Social Security numbers for more than 160,000 people to a ring of identity thieves.
Coverage of the incident led the Georgia company's stock to fall and Congress to convene hearings on its practices.
Since then, ChoicePoint has revamped its practices, transforming itself from a prime example "of data breaches to a role model for data security and privacy practices," according to a September report from Gartner Inc., an information technology analyst.
The company developed a Web site, privacyatchoicepoint.com, outlining its efforts. Those include strengthening the customer credentialing process, refusing to give out personal data except in legitimate cases, hiring veteran security professionals, encrypting its databases and creating in-house committees to oversee best practices.
"We have not had an incident since then," said Carol DiBattiste, ChoicePoint's chief privacy officer and general counsel, who now speaks at industry conferences on the company's practices. "From our own employees to our customers to the consumers, I think we've seen improvements."
Such practices decrease the likelihood of a security breach, analysts say, though they acknowledge that nothing is fail-safe: If it can be made, it can be cracked, though not by your average Joe.
"It's absolutely better than having nothing," Coney said. "When they collect personally identifiable information, they have a strong obligation to protect that information and take reasonable steps."