• A modest proposal: Leave the data at work

    A worker takes home a laptop computer loaded with personal information. The computer is stolen during a burglary, and with it, a hoard of Social Security numbers is taken, creating tremendous risk of widespread identity theft.

    Think you've heard that story? You probably haven't. It happened sometime in May, to customers of Baltimore's Mercantile Bankshares Corp. In that incident, 50,000 consumers had their personal information compromised -- including their Social Security numbers and their account numbers. In this case, the laptop was stolen from a car.


    Perhaps you've heard this story? Fidelity Investments had to admit earlier this year that a laptop containing 200,000 identities was stolen from a public location.

    You are no doubt familiar with last week's news from the Veterans Administration, which revealed that a computer containing the identities of every living veteran -- and some family members -- was stolen from a house. Now that we've had a week to beat up on the employee who took home all that information, it's time to look beyond this one incident, and that one poor soul who now regrets ever taking work home with him.

    He's hardly alone. Millions of Americans take work home every day -- 20 million, according to the Bureau of Labor Statistics, or about 1 in 7 U.S. workers. Each one is a ticking time bomb. Just ask Fidelity or Mercantile Bankshares.

    In light of last week's dramatic news from the VA, here's a not-so-modest proposal: Leave the work at work.

    During the past 10 years, corporate America has slowly but surely extended the work day way beyond 9-to-5. It has extended the office, too, into home bedrooms and dens across America. The number of people who go home, feed the kids, then log in has skyrocketed from close to zero 10 years ago to two-thirds of "professional" workers, according to the U.S. government.

    Perhaps it's not worth it. In the cost-benefit analysis of this creeping work force, computer security has not been taken into account. Recovering from a high-profile data loss is expensive and embarrassing. This is no doubt hyperbole, but instructive hyperbole -- at a congressional hearing last week, the VA discussed the possibility that the ultimate price tag for its lost hard drive would be $100 million. Whatever that employee was doing at home couldn't have been worth that much.

    Now is a time to reconsider this extended work day. Given the true costs, would it be better to just let your workers leave the data behind when they leave the office?

    Are you better off, soccer moms?

    Working at home can give employees additional flexibility. I know there are soccer moms who are allowed to leave work early, drive the kids to the game, and then make up for lost time late at night after the kids are asleep. Perhaps that's an employee benefit.

    But companies are getting a lot of free labor out of their employees. The Bureau of Labor Statistics says in 2004 (the most recent year for which statistics are available), 10 million people worked extra at home with no arrangements to be paid for the work, and they averaged 7 hours a week. That's almost a full day of free labor.

    It's hard to tell a corporation that work isn't worth it -- unless you take into account the unexpected cost of a data disaster.

    Of course, preserving this free labor force is a critical priority for corporate America. An entire industry of software has developed to secure after-hours home work. That's why we've all learned terms like VPN (virtual private network) and tunneling. Avivah Litan, a security analyst at research firm Gartner who testified before Congress last week about the VA theft, insists there are safe ways to work at home.

    It can be safe, but it's not

    Working at home is no more dangerous than giving employees computers with floppy disk drives or USB ports, which can also be used to download data, and simple policies can cut down dramatically on the risk, she said. For example: Personal data should never be removed from company computers unless it's encrypted.

    The truth, however, is very few organizations enforce such policies. Why? They don't have to.

    "In many situations, there are just no rules out there," she said. In fact, in the VA situation, "No laws appear to have been broken."

    Yes, working at home can be safe. But right now, that's utopia; it's not safe, for millions of workers, and millions of identity theft victims. The data isn't secured. It's left in taxicabs, hotel rooms and on park benches. It's stolen from homes and parked cars.

    So since we're already living in a utopia, I would like to propose a different utopia: Keep the data safe by leaving it at work. With all apologies to Jonathan Swift, I can't help but wonder if this modest proposal -- work only at work -- doesn't sound as crazy as telling the Irish to eat their young.

    I know some workers (such as journalists) really do need to be connected 24 hours a day, seven days a week. But many – and I would guess most – simply log in out of peer pressure.

    I was in Ireland not long ago talking to Microsoft employees who often teased their American counterparts over this point. The Americans were frustrated that at 5 p.m. Dublin time (9 a.m. in Seattle) the Irish workers could no longer be found at their cubicles or contacted by e-mail, but instead were lifting a pint at a local pub. In response to accusations of a lack of industriousness, the Irish told me that Americans may spend more hours working on e-mail – in fact, they seem to be doing that all the time – but weren't actually getting very much done. In Ireland, they told me, the focus is work until 5 p.m., and after that, the focus goes elsewhere.

    We could learn a thing or two from the Irish work ethic. A company rule saying work stays at work would be a boon to American families. And if you need a business case, it would be a boon for the safety of our data, too.

  • How do you carry 26 million identities with you?

    A day after one of the biggest reported data loss cases in history, many questions remain for the 26 million veterans who fear their identities have been compromised.

    Yesterday, the Veterans Administration announced that more than 26 million veterans – every living veteran, I was told – had their Social Security numbers stolen recently by a house burglar. A database with their personal data was on a computer stolen from a Veterans Affairs employee, the agency announced yesterday. But the announcement raised as many questions as it answered. Chief among them: How could someone carry around a database that large? Easily, it turns out.


    You might think a database that big would be too big even for most laptop computers. Actually, it wouldn't. In fact, it's possible the lost data fit on one of those little thumb drives.

    The question of the size of such a database was bothering me, so I ran a little test. And my test shows such a file, if accurately described by the VA as containing only names, dates of birth, and Social Security numbers, could easily be compressed to a little larger than 1 gigabyte. That means it could be carried around on a flash drive.

    You might remember that military missteps with thumb drives made news just a few weeks ago, when a Los Angeles Times reporter purchased drives at bazaars near a U.S. military base in Bagram, Afghanistan, containing incredibly sensitive data, including the names of Al-Qaeda informants and their contact information. So there is precedent for the little gadgets causing big trouble.

    I created a database with 1 million records containing names, dates of birth and Social Security numbers in Microsoft Access. (They weren't real.) Then I exported it as a plain text file, which is how you would transport such data. That file is only 43 megabytes. Multiply that by 26 and you get about 1.1 gigabytes. SanDisk sells a thumb drive which holds 2 Gigs.

    Of course, if there were even a few more fields in that file (disability numbers were mentioned, but let's say address, rank, etc.), the size of the file would increase quickly. With eight to 10 more fields the VA tale becomes a bit less plausible. But as presented to the media, it's entirely possible this data was very portable.
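    The size test described above, redone here as an added example with constructed, synthetic records (this is not the article's own Access export). The field names, sample names and the synthetic values are assumptions; the 26.5 million record count and the plain-text export format come from the article. The extended field list shows how quickly the estimate grows when the extra fields the article speculates about are added.

```python
import csv
import io
import random

# Constructed sample values: no real people, no real SSNs.
FIRST_NAMES = ["James", "Mary", "Robert", "Patricia", "John", "Jennifer", "Michael", "Linda"]
LAST_NAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones", "Garcia", "Miller", "Davis"]
CITIES = ["Columbia", "Baltimore", "Seattle", "Boston"]
RANKS = ["E-4", "E-5", "O-3", "W-2"]

# Record count the article attributes to the VA announcement.
VA_RECORD_COUNT = 26_500_000
MINIMAL_FIELDS = ["last_name", "first_name", "dob", "ssn"]
# Extra fields the article speculates about; the names are assumed.
EXTENDED_FIELDS = MINIMAL_FIELDS + ["street", "city", "state", "zip", "rank",
                                    "disability_rating", "claim_number", "phone"]


def synthetic_record(rng, fields):
    """Build one fake row; only the requested fields are emitted."""
    rec = {
        "last_name": rng.choice(LAST_NAMES),
        "first_name": rng.choice(FIRST_NAMES),
        "dob": f"{rng.randint(1920, 1985)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
        # 9xx area numbers are never issued, so these cannot collide with a real SSN.
        "ssn": f"9{rng.randint(0, 99):02d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}",
        "street": f"{rng.randint(1, 9999)} Main St",
        "city": rng.choice(CITIES),
        "state": rng.choice(["MD", "WA", "MA", "MO"]),
        "zip": f"{rng.randint(10000, 99999)}",
        "rank": rng.choice(RANKS),
        "disability_rating": f"{rng.randint(0, 10) * 10}",
        "claim_number": f"C{rng.randint(10_000_000, 99_999_999)}",
        "phone": f"555-{rng.randint(100, 999)}-{rng.randint(1000, 9999)}",
    }
    return {k: rec[k] for k in fields}


def csv_size_bytes(records, fields):
    """Size of the plain-text (CSV) export, the transport format the article describes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return len(buf.getvalue().encode("utf-8"))


def estimate_export_size(fields, sample_size=20_000, total_records=VA_RECORD_COUNT, seed=7):
    """Measure a sample export and scale linearly to the full record count.
    Returns (bytes_per_record, estimated_total_bytes)."""
    rng = random.Random(seed)
    sample = [synthetic_record(rng, fields) for _ in range(sample_size)]
    per_record = csv_size_bytes(sample, fields) / sample_size
    return per_record, per_record * total_records


def fits_on_drive(total_bytes, drive_gb):
    """Does the export fit on a drive advertised at drive_gb (decimal) gigabytes?"""
    return total_bytes <= drive_gb * 1_000_000_000


if __name__ == "__main__":
    for label, fields in (("minimal", MINIMAL_FIELDS), ("extended", EXTENDED_FIELDS)):
        per_rec, total = estimate_export_size(fields)
        print(f"{label:8s} {per_rec:5.1f} bytes/record -> {total / 1e9:.2f} GB; "
              f"fits a 2 GB drive: {fits_on_drive(total, 2)}")
```

    With the minimal field set the synthetic export lands just under 1 GB, in line with the article's figure; the extended set pushes it past a 2 GB drive.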

    But the story, as told so far by federal authorities, still leaves other questions unanswered.

    Who exactly was in that database? The announcement indicated "some spouses" of veterans, but offered no additional details. Vets who call the toll free number offered by the government apparently can't get specifics. When I asked the VA, the response I got was confusing. "Every living veteran and any veteran ever applying for benefits," wrote VA spokeswoman Louise Filkins. But other accounts say only veterans since the Vietnam War were in the database.

    What was the analyst doing with all that data? What project could possibly require bringing home 26.5 million Social Security numbers? No answers on that.

    And finally, and perhaps most important, what should vets do now? The federal government has so far offered only vague suggestions. So I've compiled my own checklist, which will be available here. Basically, vets should add fraud alerts to their credit report accounts, consider adding a credit freeze, examine their credit reports often (see the link for tips on that) and find healthy outlets to vent their frustration.

  • Vets deserve better treatment after data theft

    It is perhaps the largest theft of Social Security numbers to date. And the victims, who once put their lives on the line for their country, appear to be getting even less compensation than most victims of data theft.

    On Monday, the Veterans Administration announced that an employee had taken home data on 26.5 million veterans, and that data was stolen. It's a staggering amount, dwarfing other recent high-profile incidents at major U.S. firms like Citibank, ChoicePoint, and Bank of America. And yet, the support offered to victims by the VA is dwarfed by the support corporate America has offered in similar situations.


    It's become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.

    So far, the vets haven't been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.

    That's insufficient. For starters, vets who've already gotten their one free peek at credit bureau data this year cannot get a free report at AnnualCreditReport.com – they have to go through more complicated steps, and might end up paying for it.

    Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that's a tepid step at best to spy signs of identity theft after a data leak like this.

    The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It's hardly a perfect solution and doesn't catch every instance of ID theft, but it's a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexis, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.

    The VA should do the same. Anything less is neglectful.

    There is hope the veterans' data was stolen by a burglar who simply wanted the hardware, according to the VA. In the best case scenario, the data has already been erased and the hardware pawned at a small shop. But assuming that best case is a bit naive, at a time when virtually every petty thief knows the data on a computer is often far more valuable than the computer itself.

    Offering 26 million people a service that retails for $10 a month would obviously be a costly expense for the VA, and might eat into funding for other essential programs. That's where it's time for the VA, the Federal Trade Commission, and the credit bureaus to get creative. Hopefully, this incident will serve as a chance to re-examine the entire issue of consumer access to credit reports. Consumers should never have to pay the credit bureaus to see if they are victims of identity theft. Certainly, veterans shouldn't have to. And most certainly, veterans who know their Social Security numbers have been stolen shouldn't have to.

    For now, veterans who want more information are being told to call 1-800-FED-INFO. Much more information is available at the FirstGov.Gov Web site. There are also detailed instructions on how to place a temporary fraud alert on credit reports at the Federal Trade Commission's Web site.

  • Are clinic visits on credit reports?

    Mike Herwig looked at his credit report recently and saw something even more disturbing than past due accounts.

    He saw the words "Starlite Recovery Center."

    As the name hints, Starlite is a drug and alcohol treatment clinic in Texas. Herwig, a 36-year-old Boston resident, received treatment for alcoholism there two years ago and wanted that to remain secret. But now he fears he's been outed as a recovering addict in front of future employers, landlords, insurance companies and any other organization that pulls his credit report.


    Experian, which issued the credit report, says Herwig's fears are unfounded. Starlite's name is omitted from copies of the report given to others and appears only on Herwig's personal report, according to Experian's Don Girard. In fact, federal law prohibits credit bureaus from listing the name of any medical treatment facility on a credit report furnished to lenders or employers, he said.

    Still, Herwig's story is instructive about the alarming things that can appear on credit reports, and the kind of rights consumers have.

    Like many Americans, Herwig is in the middle of a dispute with his health insurance provider. He said he was told his insurance would cover his entire stay at Starlite, when in fact it only covered 20 of his 29 days there. When he left, there was a gap of $3,480.

    The good news is, Herwig says, the treatment worked, and he's been almost two years without a drink. He will soon finish school, and plans to test the marketability of his new economics degree in New York City. So in advance of applying for a Manhattan apartment, he did what consumers are supposed to do -- he got a copy of his credit score and his report.

    And that's when he spotted the $3,480 balance listed next to the name "Sarma," a debt collection firm and, nearby, the Starlite Recovery Center listed as the original creditor.

    Addict label cost him work?
    It got Herwig thinking. He had recently been a finalist for a job at a chocolate retailer when suddenly he was dropped as a candidate. Was this entry on his credit report the reason?

    Consumers should know that any time an employer, landlord, or creditor rejects them because of a credit report entry, the consumer is entitled to something called a "notice of adverse action." It's a letter from the rejecting company which tells the consumer that something is amiss on their credit report.

    Herwig didn't get such a notice from the chocolate store. Still, he wondered.

    "They are outing me to the world that I was an alcoholic," he said. "I have gotten my life together and my fear is my credit report will tell N.Y. brokers not to rent me an apartment."

    So he called Starlite, with a request.

    "I asked them, 'Can't you just remove the name? Leave the collection on there, but not the name?'" he remembers asking.

    No, he says he was told. If he wanted Starlite off his credit report, he should just pay the bill.

    Starlite did not return phone calls requesting comment for this story. Neither did Starlite's parent company, CRC Health Group Inc., nor Sarma, the debt collection firm.

    Not on commercial credit reports
    But officials at the Experian credit bureau did return our call, and they said Herwig does not have anything to fear from the credit reports issued to lenders, landlords or prospective employers. Reports furnished to others about Herwig do not include the name of the clinic or other details concerning medical treatments, Experian's Girard said.

    It's little understood, but true, that the credit report that consumers receive when they ask for their own data is different from the report companies receive when looking into a person's financial background. In many cases, the companies are entitled to see more information than the consumer can see -- an anomaly that irritates consumer advocates. But in the case of medical information, consumers can see details that companies can't.

    The consumer credit report available for free at AnnualCreditReport.com and at various pay-for-credit-report sites -- technically called a "consumer disclosure" -- usually includes the name of the medical institution so that a consumer can act to clear up the dispute, Girard said. But specifics on medical debts, including the name, are omitted from credit reports issued to others.

    "Medical information under the law has to be treated very carefully," Girard said.

    Generally, credit reports fashioned by Experian include the following explanation, Girard said:

    "By law, we cannot disclose certain medical information (relating to physical, mental or behavioral health or condition). Although we do not generally collect such information, it could appear in the name of a data furnisher (i.e., "Cancer Center") that reports your payment history to us. If so, those names display in your report, but in reports to others they display only as MEDICAL PAYMENT DATA. Consumer statements included on your report at your request that contain medical information are disclosed to others."

    Can't be bullied
    Of course, Herwig is not entitled to see the version of his credit report produced for lenders, landlords, and employers, and you couldn't blame him -- or anyone else -- for wondering what medical information might slip through.

    It's understandable that after seeing his own report, Herwig worried his reputation might have been sullied by an entry identifying him as a former patient of Starlite.

    And his concerns understandably grew when he believed he was being bullied by the center, which he says tried to use the potential credit report embarrassment to lean on him to pay his bill.

    But he agreed to let MSNBC.com tell his story so others might better understand their rights regarding medical information and credit reports.

    According to David Rubinger of Equifax Inc., the Fair and Accurate Credit Transaction Act of 2003 makes clear that the name, address, and other specific information about medical treatment facilities cannot be published in a consumer's credit report and sent to outside companies, with only a few narrow exceptions.

    That's good to know, given the high number of collections disputes involving medical bills. According to a report issued by the Federal Reserve in 2003, about 52 percent of all collection activities arise from unpaid medical bills. While such bills can haunt you, and they can hurt your credit score, they cannot be used to embarrass you or reveal anything about your health.

  • Bob the writer, Bob the molester

    There's Bob Sullivan, the Red Tape Chronicles author. Then there's Bob Sullivan, who might be a bankrupt child molester with a brother who's a killer. One is flesh and blood, one is a computer creation. But in our digital age, who's to say which one is real? If perception takes on its own reality, certainly a computer creation can, too.

    If you use the Internet today to conduct a background search on me, you might get the idea that I have been convicted of child molestation, and I have a close male relative who's been convicted of manslaughter.

    Let me assure you, neither is true. But let me try to convince you that there is a crisis at hand.


    Databases are spinning out of control. Our country is awash in data that is secretly collected, inaccurately transcribed, sloppily connected. As they say in the business, there's a lot of dirty data. But dirty data is being used to make important decisions that affect us. It decides who gets home loans and car loans, who gets credit cards, who gets insurance, even who goes to jail.

    And sometimes, it's used to falsely taint people as potential child molesters and murderers.

    Today, if you went to a number of prominent Web sites -- including Yahoo.com -- and decided you wanted to purchase a background check on me, you'd be led to a service named Intelius.com. The site's motto is "Building Trust." Until recently, it was "We know."

    Intelius is one of hundreds of sites that offer consumers the ability to perform background checks on anyone. No license required. No permission slip required. Just type in a name and a state, and up comes a list of potential targets. Select a name from a list that looks about right, pay about $50, and off you go.

    It is Intelius.com's computers that seem to think I might be a molester with a murderous relative.

    Connection to dot-com mania
    The site is run by data maven Naveen Jain, who rocketed to fame and fortune in the go-go 1990s as head of former dot-com darling Infospace.com. At the height of Internet mania, Jain was worth $8 billion, and Infospace worth more than Boeing Corp. Infospace stock took an historic tumble when the bubble burst, spurred in part by questions about the company's revenue projections. In 2002, Jain was replaced as CEO.

    Soon after, Jain founded Intelius. The firm offers background checks and identity-theft protection services. Consumers can sign up and receive warnings any time there's a new account opened in their name, or there's a public record indicating an unusual event like a change of address. Jain says he has 3 million paying customers now. After receiving an invitation to Intelius' Bellevue, Wash., offices last year, I tried out the background service.

    I was in for a big surprise.

    'Child molestation 1'
    Using Intelius is easy enough. You type in a name and a state; then you are presented with a list of potential "hits." There were a few dozen Robert Sullivans in Washington state; I picked the one who lived in my hometown, whose age matched mine, as a neighbor might do. And I agreed to pay the $50 fee.

    The report I received was seven pages long.

    Under a section titled "Criminal Check," two possible convictions were listed. One indicated it was for an unspecified offense. The other charge:

    "Child molestation 1."

    There's also a civil judgment listed under my name, a bankruptcy filing.

    But that's not all. Under the section "Possible Relatives and Associates Report," Intelius lists the names and phone numbers of my parents, my sister and a mysterious "Shawn Sullivan." When I clicked on Shawn's name, I received additional details about him. Shawn is listed as having a possible conviction for involuntary manslaughter.

    Again, none of these things are true about me.

    To be fair, the Intelius report comes with qualifiers. The biggest one of all, in small print, says this: "You should not assume that this data provides a complete or accurate history of any person's criminal history." Newer versions of the report contain a more extensive disclaimer: "It is important to understand that public records are only as accurate as the agencies that input them. Please be sure to closely review the public information listed about the individual that you may be researching in the report."

    Above my criminal report data, there's a warning which indicates there are no records of convictions against someone with an exact match of my name and birthday in Washington state. But since some criminal records aren't filed with birthdays, the report explains that it includes all convictions for any Robert Sullivan with my middle initial and a Washington residence.

    The Robert Sullivan who apparently ended up on my background report was born in 1943, a fact listed next to the conviction record.

    Hard to unring a bell
    Still, is that enough to prevent any tainting of my name, any possible guilt by association? As privacy advocate Rob Douglas, who operates PrivacyToday.com, is fond of saying, "It's very hard to unring a bell."

    As for my new brother Shawn, his appearance on my report is a database curiosity. Shawn and I both lived in Columbia, Mo., at one point in our lives. His address was 211 Waugh St., mine 211 N. Ann Street. Because Intelius' matching technology only compares the city and the numeric part of the address to form an association, the computers assumed we lived together. Shawn and I are now digital brothers.

    Again, there is the disclaimer that he is a "possible relative." But given that the rest of the data in that section of the report is accurate, a searcher would probably be led to believe Shawn and I have something to do with one another.
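    The two matching rules described above (city plus house number for "possible relatives"; name, middle initial and state for convictions, birthday ignored), reconstructed as an added example that is not Intelius' own code, with a stricter version of each beside it. The 211 house numbers, the Columbia, Mo. addresses, the Washington search and the 1943 birth year come from the article; the middle initial, the full dates, the third neighbour and the offense labels are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    first: str
    middle_initial: str
    last: str
    dob: Optional[str]      # "YYYY-MM-DD", or None when the source record has no birthday
    street: str
    city: str
    state: str


@dataclass(frozen=True)
class Conviction:
    first: str
    middle_initial: str
    last: str
    dob: Optional[str]      # None when the court record was filed without a birthday
    state: str
    offense: str


def house_number(street: str) -> Optional[str]:
    """Only the leading digits of an address, which is all the over-broad rule looks at."""
    m = re.match(r"\s*(\d+)", street)
    return m.group(1) if m else None


def normalize_street(street: str) -> str:
    """Canonical form for the whole address, so '211 N. Ann Street' and '211 N Ann St'
    compare equal while '211 Waugh St' does not."""
    s = re.sub(r"[.,]", "", street.lower())
    s = re.sub(r"\bstreet\b", "st", s)
    s = re.sub(r"\bnorth\b", "n", s)
    return re.sub(r"\s+", " ", s).strip()


def name_matches(a, b) -> bool:
    return (a.first.lower(), a.middle_initial.lower(), a.last.lower()) == \
           (b.first.lower(), b.middle_initial.lower(), b.last.lower())


# --- the over-broad rules the article describes -------------------------------
def overbroad_relatives(subject: Person, candidates: List[Person]) -> List[Person]:
    """Same city and same numeric part of the address: a 'possible relative'."""
    return [c for c in candidates
            if c.city.lower() == subject.city.lower()
            and house_number(c.street) == house_number(subject.street)]


def overbroad_convictions(subject: Person, search_state: str,
                          records: List[Conviction]) -> List[Conviction]:
    """Every conviction for the same name and middle initial in the state, birthday ignored."""
    return [r for r in records
            if name_matches(r, subject) and r.state.upper() == search_state.upper()]


# --- stricter alternatives ----------------------------------------------------
def strict_relatives(subject: Person, candidates: List[Person]) -> List[Person]:
    """Require the full normalized street address, city and state to agree."""
    return [c for c in candidates
            if c.city.lower() == subject.city.lower()
            and c.state.upper() == subject.state.upper()
            and normalize_street(c.street) == normalize_street(subject.street)]


def strict_convictions(subject: Person, search_state: str,
                       records: List[Conviction]) -> Tuple[List[Conviction], List[Conviction]]:
    """Returns (confirmed, unverified). A record is confirmed only when its birthday
    matches; one filed without a birthday is reported separately as unverified; one
    with a different birthday is dropped instead of being attributed to the subject."""
    confirmed, unverified = [], []
    for r in records:
        if not (name_matches(r, subject) and r.state.upper() == search_state.upper()):
            continue
        if r.dob is None:
            unverified.append(r)
        elif r.dob == subject.dob:
            confirmed.append(r)
    return confirmed, unverified


# Constructed sample data.
SUBJECT = Person("Robert", "Q", "Sullivan", "1968-01-01", "211 N. Ann Street", "Columbia", "MO")
SHAWN = Person("Shawn", "T", "Sullivan", None, "211 Waugh St", "Columbia", "MO")
NEIGHBOUR = Person("Dana", "R", "Lee", "1970-05-05", "211 N Ann St", "Columbia", "MO")
CANDIDATES = [SHAWN, NEIGHBOUR]
RECORDS = [
    Conviction("Robert", "Q", "Sullivan", "1943-06-15", "WA", "offense listed in report"),
    Conviction("Robert", "Q", "Sullivan", None, "WA", "unspecified offense"),
    Conviction("Robert", "Q", "Sullivan", "1968-01-01", "OR", "outside the searched state"),
]

if __name__ == "__main__":
    print("over-broad relatives:", [p.first for p in overbroad_relatives(SUBJECT, CANDIDATES)])
    print("strict relatives:    ", [p.first for p in strict_relatives(SUBJECT, CANDIDATES)])
    print("over-broad convictions:", [r.dob for r in overbroad_convictions(SUBJECT, "WA", RECORDS)])
    print("strict convictions:    ", strict_convictions(SUBJECT, "WA", RECORDS))
```

    The over-broad rules return Shawn as a relative and the 1943 conviction as the subject's; the strict rules keep only the real same-address neighbour and move the birthday-less record into an unverified bucket rather than silently attributing it.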

    And remember, this searcher could be anyone: a neighbor, a friend, an enemy. Anyone can look you up, too. And these reports that are jumbled together to create a picture of me and you -- they cannot be fixed. I have asked Intelius to remove this wrong information from my report. The company won't. In fact, according to Jain, there is nothing wrong with my report.

    "There are no mistakes," Jain says. "It's just data."

    One might call them "neighborhood," as opposed to precise, searches. I call them "over-broad" searches.

    Whatever the name, this, I would argue, is madness.

    Helping parents keep kids safer
    Jain forcefully defends his background reports. Parents who are hiring babysitters for their kids need every opportunity to unearth the possibility that the stranger they may be letting into their home is a molester. Intelius provides the broadest possible results, Jain said. If the results were narrower -- say, limited to exact name and birthday matches -- a molester might slip through the cracks. Jain offers the usual defense in these cases.

    "If I can prevent just one child molester from getting at a kid, it's worth it," he said.

    While that standard may be good enough for the average person, it's not good enough for companies or landlords running background checks on potential employees and renters. For those, the name and birthday must match exactly, Jain says, according to the tenets of the Fair Credit Reporting Act. That means professionals who use these reports for a living get a more limited report – and casual users who may not quite understand what they are looking at see all the additional potential sex offenses.

    "I am convinced that what we are doing is the right thing to do to help protect the families who use our service," Jain said. "You may question our judgment on erring on the side of protecting the families, but we believe that, at this time, it is in the best interest of our customers."

    One important note about such over-broad background searches – they tend to be heavy on sex offenses because there is so much data available on sex offenses thanks to Megan's Law, which requires sex offense registries. Background search companies that want their clients to feel like they are producing thorough reports use broad search queries to load their reports up with a few sex crime records. After all, when a clean report is returned, it looks like a waste of $50.

    Accurate or not, the sex conviction will stay on my report. But after our talk, Jain said he's considering an option for consumers to add a note to reports like mine, advising anyone who pulls it up to pay special attention to the birthday, hair color, or other factors that would show the conviction wasn't really theirs.

    "I think having something on top of the background check report about a person with an explanation from a person should be very effective in providing complete perspective," Jain said.

    Again, I say, this is madness. Why should I have to defend myself against Intelius' database? And the more important question: How many Inteliuses are out there? How many services am I supposed to use and research myself to make sure there are no errors? How many statements will I have to add arguing for my own innocence?

    And then there's this question, familiar to any law student – how does someone prove they are not beating their wife or husband?

    Other stories of data gone crazy
    This is just one story of data gone crazy. There are many others. Famed cybersleuth Richard Smith once looked up his ChoicePoint report, and says the report suggested he was dead. But at least ChoicePoint makes its reports available to consumers for free, and ChoicePoint provides instructions on correcting mistaken reports. Others are not as approachable.

    A consumer wrote to me recently after she had looked herself up on another backgrounding site and got a surprise like mine. She says her report listed erroneous convictions against her. When she looked up the site, there was no way to complain. No phone number, no e-mail address, no mailing address.

    "What am I supposed to do?" she asked me. "I can't sleep at night."

    Someone should give her an answer. While Congress has spent an interminable amount of time debating legislation designed to sprinkle regulations on the commercial data brokerage industry after last year's embarrassing data leaks, the world has continued collecting billions more bits of data about us.

    And no one is really thinking about what will happen to all that information, all that dirty data. It's time we did.