Entries from February 1, 2007 - March 1, 2007

PrivacyMatters Gets A Facelift

Great to see PrivacyMatters get better and better. In case you weren’t aware, PrivacyMatters approached me about a year ago and asked me if I’d be interested in helping to create an educational portal to help their members better understand identity theft and how to avoid it.

I was more than happy to oblige, especially because PrivacyMatters was the first credit management company that really seemed to understand the value of education in preventing identity theft, and backed up their words with some serious commitment to education.

Some of their great educational resources are being rolled out on their newly relaunched web site. Check out their press release; it looks like they have lots more great credit report education initiatives planned.

Posted on Thursday, March 1, 2007 at 03:25PM by Neal O'Farrell

Message to phishers – phob off!

With PayPal recently announcing the availability of a password generating keyfob for all of its 133 million+ customers, expect keyring or keyfob authentication tokens to play a bigger role in your life. And take up much more space in your life.

PayPal’s token is one of a number of initiatives to increase security and reduce the dangers of identity spoofing by using two-factor authentication to make life a little harder for the bad guys.

If it hasn’t already done so, your bank or credit union may soon be offering you a security keyfob, as may your credit card company and a number of other service providers. These devices work in a variety of ways but generally on the same principles. Instead of forcing you to rely on the ever-vulnerable password, keyfob authentication devices are supposed to add an extra layer of security: by requiring you to have both a password and the keyfob in order to gain access; by using the keyfob to securely store your password; or, as in the case of PayPal, by having the keyfob generate a unique one-time password every time you need to access your account.

All great ideas, although not foolproof as we see more evidence of attackers finding ways to spoof these defenses. Not to mention the cost of each device (anywhere from $5 to $50), and the possibility that a typical user may end up having to haul around a handful of these fobs simply to survive in a digital life.

Posted on Friday, February 16, 2007 at 02:14PM by Neal O'Farrell

Your ZIP code and identity theft

How’s the identity theft problem where you live? According to yet another new study into identity theft, your ZIP code can determine your vulnerability to identity theft.

A new report by ID Analytics listed the top (and bottom) states and cities for identity theft, based on actual and attempted frauds reported by the financial industry between January 2005 and June 2006, although it didn’t study the cost or number of victims. What makes it different from other studies is that it was not based on reports by victims but on actual attempts to gain credit using a stolen or concocted identity.

The study also found that 10-15% of cases involved the theft of identities of actual consumers while the remainder involved thefts using a mixture of data, such as a real social security number but false name or address.

According to the study the ten states with the highest rates of identity fraud are:

1. New York

2. California

3. Nevada

4. Arizona

5. Illinois

6. Hawaii

7. Oregon

8. Michigan

9. Washington

10. Texas

The ten states with the lowest rates of identity fraud are:

1. Wyoming

2. Vermont

3. Montana

4. North Dakota

5. New Hampshire

6. Ohio

7. Maine

8. Iowa

9. West Virginia

10. South Dakota

The ten metropolitan areas with the highest identity fraud rates are:

1. New York, NY

2. Detroit, MI

3. Los Angeles, CA

4. Little Rock, AR

5. Greenville, MS

6. Atlanta, GA

7. Phoenix, AZ

8. Portland, OR

9. Dallas, TX

10. Springfield, IL

Posted on Wednesday, February 14, 2007 at 02:14PM by Neal O'Farrell

Why not encrypt all data?

In a quick follow-up to my last post, someone asked me: if encryption protects information against hackers and identity thieves as well as careless or dishonest insiders, then why is it not used all the time? Wouldn’t it make data theft a much less serious security threat?

The fundamental answer is yes – the more data is encrypted the less likely it is to be exploited. But the real answer is a little more complicated. The challenge with encrypting everything is not so much a cost issue but a technical one. Good encryption impacts the speed and ease with which data can be accessed and this can create problems in an instant, on-demand world.

And encryption uses keys or codes to lock and unlock the data. These electronic keys, which are essentially huge numbers, have to be managed and protected because if they’re compromised the encryption can be useless.

That’s why, as usual, we need a multi-faceted approach. More investment in encryption technologies, more laws to require the use of encryption wherever possible, more consequences for organizations that don’t protect their data, and ultimately, better protection for the consumers caught in the middle.

Remember - when data is stolen from a company database it’s not usually the company’s secrets that are compromised. More often it’s customer information that the thieves are after. The company that loses the data is usually more concerned with the bad publicity than with the emotional and financial impact on consumers.

Posted on Friday, February 9, 2007 at 02:13PM by Neal O'Farrell

Where did all the data go?

Just as TJ Maxx learns about a bunch of lawsuits over the loss of an unspecified number of customer records, the hits keep coming. You might recall that a few months ago TJX Companies, owner of the TJ Maxx and Marshalls stores, admitted that hackers had access to customer data undetected from May 2006 to December 2006.

More than 30 banks have since reported that cards they issued had been compromised as a result of the theft, and now the Massachusetts Attorney General Martha Coakley has announced that she will head an investigation by dozens of states into the security breach.

The same day the announcement was made, Johns Hopkins University announced that computer backup tapes containing payroll data on 52,000 employees as well as the medical information of 83,000 patients had gone missing.

And to top it all, the Department of Veterans Affairs admitted that it is investigating the disappearance of a hard drive containing the personal records of 48,000 military veterans. You might recall the same agency announced the theft of an employee laptop in May 2006 containing information on more than 26 million veterans, and despite promises to ensure that all such vulnerable data would be encrypted to make it useless to thieves, it seems that these records were once again not encrypted.

This all happens at a time when a growing number of data protection and breach disclosure laws are once again being pushed through a new Congress. We need these laws, but we need laws with sharp teeth and without the opt-out loopholes that some representatives are proposing.

Keep pressuring your local representatives to push for data protection legislation that protects the consumer and potential ID theft victim as much as it protects our personal data.

Posted on Friday, February 9, 2007 at 02:12PM by Neal O'Farrell