Entries from March 1, 2007 - April 1, 2007
Fast Food Restaurants Serving Up Identity Theft
There are rarely brand new original identity theft scams, just improved versions of older, more outdated frauds. And they’re now available at a fast food restaurant near you. A few years ago I reported on how employer identity theft was giving job applicants more than they bargained for, and that giving your social security number to an alleged employer before doing your own due diligence was a bad idea.
Now we learn that employees at a number of well-known fast-food chains have resurrected that old scam. Police in St Helens in Oregon recently arrested and charged an employee of a Subway restaurant with forty counts of identity theft after she stole social security numbers and other personal information from the resumes of job applicants.
During the sweep police found computers, printers, forged documents, and the stolen mail of at least 43 different victims.
At about the same time, an assistant manager of a Burger King in another Oregon city was arrested on 18 counts of identity theft after police said she stole job applications from the restaurant.
In both incidents the alleged thieves were not only using the stolen information to open fraudulent credit accounts, they were also selling the complete applications to others.
I think it’s pretty pitiful, but not surprising, that the most vulnerable in society are being preyed on by people they want and need to trust. It can be hard enough to find even a poorly paid job in some communities, without having to factor in the real risk that your desire for work ends up costing you your identity.
And it’s unlikely that these victims will be able to afford credit monitoring to help minimize the damage created by the thefts. I just hope the parent companies of these restaurants step up and help the victims, and, if they haven’t already done so, start implementing security measures to protect their customers from their employees.
Another Undetectable Account Hijacking Trojan
As if we needed a reminder that it’s not safe to drop our guard against computer viruses, check out this story. PC World recently highlighted research by security firm SecureWorks that had identified a Trojan horse that was largely missed by 30 of the leading anti-virus scanners.
Which probably explains why it was able to infect more than 5,000 personal computers and steal personal information on 10,000 account holders worth an estimated $2 million on the black market.
And who detected the stealth attack? Not a security sleuth, a global crime lab or even a piece of anti-virus software, but a user who discovered that a number of web sites he regularly accessed had been hijacked. Investigators discovered that his computer had been infected with a previously unknown Trojan horse now nicknamed Gozi, and that it had probably infected his computer in the same way it infected thousands of others – because users had failed to update their Internet Explorer browser with fixes for known exploits.
Two lessons can be learned – many attacks are still simple exploits of careless users who still don’t take their personal security seriously enough to do even an occasional browser update that takes just a few minutes; and just as we think anti-virus vendors have got us covered, the bad guys trump them (and us all) with an undetectable attack that can create a huge payoff.
Senator Feinstein Introduces More ID Theft Legislation
Senator Dianne Feinstein continues her great work on protecting consumers from identity theft, and recently introduced some new legislation that could be of great benefit to consumers – as long as it gets passed.
Her “Notification of Risk to Personal Data Act” has got some good provisions, including:
- Requiring businesses and federal agencies to notify individuals of a security breach involving personal data without unreasonable delay.
- Requiring media notice as well as individual notice, and the notice must include a description of the type of personal data breached and a toll-free number to call for more information.
- If more than 1,000 individuals have to be notified as a result of the breach, the company or agency must coordinate with credit reporting agencies (“coordinate” sounds a little vague but it may become clearer).
- Authorizing the U.S. Attorney General and state Attorneys General to bring civil actions.
The Social Security Number Misuse Prevention Act (S.238) also has some good prevention features:
- Prohibits the sale or display of an individual’s Social Security number to the general public without the individual’s consent.
- Prohibits federal, state and local government agencies from displaying Social Security numbers on public records posted on the Internet or issued to the general public through CD-ROMs or other electronic media, or from printing them on government checks.
- Provides some limitations on when a business can ask a customer for his or her Social Security number.
- Includes both criminal and civil penalties.
This is all great stuff and despite the critics, I think that more legislation is badly needed in an environment where our identities are bought and sold, often without sufficient care and security, and usually without our knowledge or permission.
So keep pushing for more legislation like this and urge your Representative to do more.
TJ Maxx sued over the never ending data breach
It might seem like I’m harping on the TJX/TJ Maxx data breach and its repercussions. But I think the incident is rapidly becoming the golden case study on the ripple effects of a single data breach.
Having gone through the now predictable process – discover the breach, remain quiet while you figure out what to do about it, announce the impact of the breach with a little information at a time, spin the incident in the most positive way possible etc. – TJX is now facing what was expected to be the next logical step in any serious data breach, the lawsuits.
On Monday one of TJX’s largest shareholders announced that it was suing the company in an effort to force TJX to provide more information about the data breach and the real extent of the losses. So far, TJX has refused to admit exactly how many customers were affected by the breach.
And in the spirit of death by a thousand self-inflicted cuts, police investigating the use of data stolen in the breach claim that they notified TJX in November 2006, while TJX has always claimed that they only found out in December and notified the public in mid January.
It’s becoming clear that how you handle an incident may be more important than the incident itself, and that the customers and victims are always the last to know. Maybe a series of class-action lawsuits representing the interests of customers might be on the horizon, and a warning to other companies to focus on what really matters.
Stolen TJ Maxx info begins to surface
The TJX/ TJ Maxx data breach is one of those stories that keeps on giving, and is a powerful reminder that we can assume nothing when it comes to the theft and misuse of our personal information.
To refresh your memory, in January 2007 the retailer announced that a data security breach discovered the previous month may have actually occurred months before. Yet before the media ink was dry the company announced that hackers may have had access to the data as far back as May 2005, and later confirmed that some of the information stolen may have gone back as far as 2003.
As part of its crisis communications TJX reassured the public that information stolen in breaches like this was rarely used in identity theft, and that there was no evidence that any of the stolen information had been used in a crime.
Fast forward a few weeks and police in Florida announced that they had arrested six out of ten suspects in an $8 million gift card fraud using some of the very information stolen from TJX.
So far it appears that the suspects probably didn’t steal the information but instead probably purchased it from others, which is the way most of this stolen data ends up hurting consumers.
I’m sure there are still a few more chapters to be written as the saga continues, so stay tuned. And whenever you’re told that your stolen data is unlikely to be used against you, consider it spin.