Perhaps more than most corporations, Citigroup knows the perils of moving personal data.
In February last year, a magnetic tape with information on about 120,000 Japanese customers of its Citibank division disappeared while being shipped by truck from a data management center in Singapore. The tape held names, addresses, account numbers and balances. It has never turned up.
And this week the company revealed that it had happened again - this time the loss of an entire box of tapes in the care of the United Parcel Service, with personal information on nearly four million American customers.
Citigroup executives noted with a bit of chagrin that the Singapore incident had helped prompt a companywide transition to "secure electronic channels" for moving sensitive data - a process nearly completed. But not fast enough, it turned out.
Indeed, while handing over the names, addresses, and Social Security and account numbers of millions of customers to a U.P.S. driver may seem anachronistic, it is in fact common, security experts and lawmakers say.
While things are changing, the process of moving away from these vestiges of a bygone era - when the world was not coursing with electronic back alleys and computer-savvy thieves who just might know how to pull data and profits from reams of magnetic computer tape - needs to be kicked into high gear, some experts say.
The problem of data security goes well beyond couriers and data tapes. And improving things takes time and money.
When so much commerce is conducted online and when just a few bits of stolen data - a Social Security number, a name, an address, a date of birth - can be turned into cash by opening false credit accounts, thieves have proved themselves skilled at getting the information they need.
ChoicePoint, a commercial data broker, was duped by con artists posing as legitimate businesses, allowing them to download sensitive information on thousands of consumers. And a thriving trade in credit card and bank account numbers continues to unfold on underground Web sites and Internet chat rooms.
Combating the crooks requires a holistic approach to data security, said Mike Gibbons, a security consultant for the global technology services company Unisys, and the former chief of cybercrime investigations for the F.B.I. That includes creating more secure online access methods, robust customer authentication, hiring dedicated data security staff, and improving the way large amounts of consumer data are stored or moved.
"All of these things have cost impacts," Mr. Gibbons said. "Businesses have to pony up the capital to change the way they are storing and holding data."
Given that 10 million consumers are now falling victim to some form of identity theft each year, according to the Federal Trade Commission, the stakes are high.
"I think there are some people who dismiss this as a sky-is-falling problem," Mr. Gibbons said. "But the sky has already fallen and it's just a matter of when a piece hits you in the head."
Citigroup and U.P.S. said that the data loss reported this week at Citigroup's CitiFinancial division - the most recent in a long string of reported data losses and thefts at other banks, colleges and media companies - appeared to be a simple mishap rather than a result of foul play. But Mr. Gibbons said that in terms of public perception, the circumstances of the loss made little difference anymore.
"There's going to have to be a shift in corporate thinking in managing these new business risks," Mr. Gibbons said. "The public won't stand for it."
Anthony A. Caputo, the chief executive of SafeNet, a company that provides encryption technology high-speed networks as well as data-security services for the Pentagon and the Homeland Security Department, among other federal agencies, said that a reason sensitive data is still being transported using tapes and trucks is that "the amount of data being transmitted is frequently too much for an Internet connection," and creating secure, dedicated networks takes money and time.
But, Mr. Caputo added, "over the coming years, or months, with so much focus on this, the data will be moved to networks."
The impetus for change is almost certain to be legislative.
A 2003 California law is widely credited with what Bruce Schneier, a highly recognized data security expert whose books include "Secrets and Lies: Digital Security in a Networked World," calls the "public shaming" method of security enhancement. The law, which requires that the state's consumers be notified of security breaches involving data on them, has prompted a string of previously unheard-of corporate confessions - from big data brokers like ChoicePoint and LexisNexis, and from other financial and investment companies, like Wachovia and Ameritrade.
That is a start, Mr. Schneier said, but he said the fact that highly sensitive data was still being shipped by courier - on unencrypted tapes, as in the CitiFinancial case and in a loss of Time Warner employee data in transit earlier this year - is evidence that data aggregators of all stripes, acting rationally, have no particular incentive to speed the adoption of new and expensive methods of handling data.
"This is a capitalist society," Mr. Schneier said, suggesting that no company can be expected to spend money to improve things simply "for the public good."
Rather, "I believe we need actual liability or penalties associated with doing this," Mr. Schneier said. "It doesn't matter if it's made public or not. There must be a penalty. If you could say you have to pay the government $1,000 per name lost, the risk of the loss triggers the increased security."
Just such a bill, along with dozens of others, are pending at the national level.
Senator Charles E. Schumer, Democrat of New York, has proposed the creation of an Office of Identity Theft under the auspices of the F.T.C., which would establish minimum security standards for any entity handling sensitive personal data, including Social Security and driver's license numbers, medical information and credit and bank account information. Failure to meet such "reasonable standards," according to Mr. Schumer's proposal, could result in fines of up to $1,000 per consumer affected.
Hard lobbying is almost certain to pull some of the teeth out of any such proposal - if shipping by U.P.S. were considered unreasonable, Citigroup might have faced a fine of about $4 billion - but the mission is clear.
"The world has changed and this kind of information is as valuable as cash and any institution dealing with it ought to treat it that way," Mr. Schumer said. "The old systems just aren't good enough."
At least 22 bills dealing specifically with the problem of identity theft have been proposed since January - from both sides of the aisle. Taking a stand against identity theft is, after all, an easy position. Betting sorts have suggested that the legislation most likely to win approval is a national law emulating California's notification law. But as the number of consumers affected by each loss, each theft, each compromise creeps upward through the millions, the odds of getting more comprehensive legislation improve.
Representative Cliff Stearns, Republican of Florida, has proposed his own bill, which would require companies to develop written data security policies, and impose penalties for security failures.
"We've got to get to the point where consumer information is protected," Mr. Stearns said.
Partly because of the very public and embarrassing revelations of mishandling now required by many states, the financial industry and other institutions have begun to see the legislative writing on the wall. Most are, at the least, taking steps to shore up their defenses against phony log-ins and other means thieves use to make their way into consumer accounts and steal money and information.
Late last month, for instance, Bank of America - the largest online banker in the United States - began putting in place a rigorous new method for authenticating customer log-ins. The SiteKey service enrolls customers by having them provide a unique phrase and choose an image from a large library of options. (An example on the company's Web site pictures a Chihuahua).
The bank also stores the customer's computer identity in a "cookie" stored on the user's machine. When customers log in from the computer they used to enroll, they are shown the chosen image and phrase for verification. If customers try to log in from a different computer, they are asked one of three prearranged security questions. Only after all of this does a customer enter a pass code and enter the site.
In March, the investment company E*Trade announced that it would begin offering customers with $50,000 or more on deposit a free digital "token" device from the security company RSA. The device generates a new six-digit code every 60 seconds, which users will need to log in to their accounts.
And the movement of large amounts of stored consumer information - as with the CitiFinancial case - are increasingly being transferred to wide-area networks that deploy encrypted, fiber optic technology on closed systems that connect, for instance, credit reporting agencies with the banks and other companies that routinely supply them with huge amounts of consumer credit data.
Experian, one of the three major credit reporting agencies that receive vast amounts of consumer data every month from the nation's banks and lenders in order to keep consumer credit records up to date, said the company had been actively working with all large data contributors to convert to electronic data transfers.
And even where tape deliveries continue, banks and other companies are learning - if only by horror story - that the data must be encrypted.
"There are social expectations about security that can't be met," Mr. Schneier said. "But the practices are still so shoddy."
