Data Theft and Corporate Irresponsibility?

cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

Recourse

[alshithead (981606)]

Forward all of your bills to them.

Hi, my name is Lizzy Fair

[Travoltus (110240)]

In the name of the Libertarian Party, I would like to speak on this issue.

I'm appalled by all the anticapitalist rhetoric that is being spewed on Slashdot regarding the corporate use of your personal information and the occasional leak of your SSN into the wrong hands.

You people talk like you want absolute ownership over your personal information. Like you want a corporation - an entity that only exists for the purpose of maximizing net profit - to take responsibility for handling your personal information. Then you'll be holding them liable for mishandling your info. Do you realize what damage this will do to corporate profits?

That utterly reeks of communism. What's next? Treating your personal information as your own property to be handled on your terms and not theirs? Heck, if we follow that line of reasoning, the Government will have to intrude even further into our lives and implement a law to treat personal information brokers like Choicepoint and Unicru as potential data pirates. I can see it now: the Digital Millenium Privacy Act.

Corporations made America, and now you pink commies are about to create a kleptocracy in the name of your overzealous attack on public access to personal information. Sheesh.

[...end Right wing parody]

Re:Recourse

[Choco-man (256940)]

I've had this happen to me 4x in the last 2 months. I urge you all to write your congress-person and state attorney general (not email, write the letter folks) - here's what i am sending:

Senator Specter,

I am writing to voice my concern over the lack of control many corporations have over my personal information - and just as importantly, the lack of recourse I have as a citizen should those corporations abuse my information. Over the course of the past 60 days, I've received 4 notices that a given corporation - two of which I don't even do business with, nor have I ever - have had my personal information compromised. Two of them were kind enough to provide suggestions as to what steps I should take to monitor this, one of them simply stated that they'd allowed my information to be compromised, and the final one actually sent me an empty envelope. I contacted them based on their return address to make an inquiry, and obtained confirmation that that too had compromised my information.

All this within a two-month period. And these are the ones that have voluntarily divulged that my information has been compromised - I'm assuming there have been other incidents that have not been disclosed.

It's absurdly obvious to me that, at minimum, there needs to be minimum standards of data protection, and recourse for the individual in the event that one suffers personal loss as a result of a corporation not adhering to those minimum standards of protection. In the day of high speed data transmission and very powerful encryption techniques, it's ludicrous that they are transporting these types of sensitive information around on unencrypted computers and on non-secured servers or portable drives.

I do not want to wait until something detrimental occurs to me before I take action. Identify theft has become so common place that it's become background noise, and we as a society have accepted it as a part of life in the modern world - this can not be the solution. Until there are ramifications for corporations that mistreat personal data that results in personal harm, there is no incentive for them to alter their behavior.

I certainly do not have the answer, nor would I presume to tell you what should be done to rectify this. I would, however, ask that you expend some resources to find and implement a solution to the issue. I am quite confident that were the tables turned, and I were to disclose damaging information that affected the fiscal health of those companies, that the repercussions I would face as a result from them would be quite serious.

Thank you for your time.

Regards,

Re:Recourse

[Ihlosi (895663)]

Let me get this straight; so you think if a bank gets robbed we should prosecute the bank and not the robber?

If the bank stores all their customers' cash in cardboard boxes behind the building, then yes, prosecuting the bank would be in order.

Also, your rhethorical question is wrong. The robber will be prosecuted in any case (for robbery), even if the bank is prosecuted for gross neglegience.

Re:Recourse

[beh (4759)]

The comparison is a bit slanted, if a someone robs your bank, you're not really inconvenienced, as the bank is insured - your money is safe.

This particular case is more like you depositing a copy of your house key with your neighbour (in case you should lose yours), and that KEY gets stolen. Your neighbour might tell you that the key is gone - and worse yet, that the key actually has a tag with your name and address attached to it. So, until you can go and change your locks, your home is basically compromised and it takes a lot of effort keeping it safe, until the locks are replaced.

With the stolen social security numbers, you can't switch your social security number easily, if at all? Is it possible at all to apply for a new social sec no in the US moving your data to the new one, but invalidating the old one?

In the example with your key getting stolen from a neighbour's property; of course, it's not really the neighbour's fault, if someone breaks into his house.

BUT - the neighbour might be liable, if gross negligence aided losing the key in the first place (i.e. putting up a sign with an arrow pointing to the key with all the data as to whose key it is, right outside on the front lawn - without any protective measure).

If an agency hands over your data to an outside contractor - they HAVE to put safeguards in place (check out the contractor's background/reputation, and *his* security measures), because they are handing away data that you *entrusted* to them. Just handing out blanket data, without properly protecting it (really good encryption, at the least, with the key being nowhere near the laptop during transport), is them breaking your trust.

And THAT is something that might make them very well liable for what happens.

(Needless to say - even those that will pay for free credit checks for a year, what's that to say, at all? THEY broke your trust by not safeguarding the data, and while they pay for the checks (for a limited time), they are not paying for your time following up the checks and/or the hassle in case something happens.)

Re:Recourse

[facelessnumber (613859)]

but I leave the vehicle door unlocked and the key in the ignition for the sake of convenience.

It must be wonderful to live in a place where you can feel that secure... I remember it wasn't too long ago that in my town, we didn't have to lock our doors, take our keys out of the car. I wanna live where you do.

So, kindly tell me where you live. Please be specific. Google Maps link if possible. What kinda car do you drive?

Simple...

[Cheapy (809643)]

Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.

Re:Simple...

[Ruff_ilb (769396)]

Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.

Like Nigeria? I hear there are lots of... lucrative... investment opportunities over there.

Just Email me with your Name, Address, Social Security number, and Credit Card information and I'll take care of it all.

Re:Simple...

[Eccles (932)]

Tell them that if you don't get your credit card watched, you're going to burn the place down.

They stole my identity, not my stapler.

Re:Simple...

[frisket (149522)]

> Do we, as consumers, have any recourse against these businesses?

Nope.

If you choose to live in a country where the government is pro-corporation instead of pro-people, you've got to accept that you're powerless. If you don't like the heat, get out of the kitchen -- or do something about the chef :-)

the less information collected the better

[carsonc (792247)]

For most things, organizations don't need much if any of your information. The want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.

Yep...

[msauve (701917)]

unless they're making payments to my Social Security "account," (i.e. paying me on a W2) they don't get my SSN. Unless they're [i]required[/i] by law to report tax info, they don't get my Federal Taxpayer ID (which happens to be the same as an SSN). I even went after my employer for violation of their own "Employee Privacy Policy," for giving my SSN to a third party health care provider and forced issuance of an insurance card with a non-SSN assigned number.

You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).

Health Care

[skogs (628589)]

I second the healthcare problem as top on my list.

My data has been lost 3 times in as many years...all by the wonderful work of healthcare related companies. Seriously...how hard is it. Just don't lose it. Better yet...don't store it in the first place.

I've had to put watches on 'my accounts' with the credit reporting agencies myself for each one too. You know how irritating it is that I have to take a couple of hours out of my day to fix some other nimrod's stupidity induced problem? Makes me want to

When a hospital asks for your SSN...

[msauve (701917)]

what they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, they're typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.

Completely out of hand

[hackwrench (573697)]

There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.

Re:Completely out of hand

[plover (150551)]

In this particular case I think the credit reporting agencies have way too much power. Their information is used for everything from cell phone contracts to insurance rates to employment background checks. And they've done it without oversight, without honesty and without ethics. They will collect, report and do anything to sell someone another peek at your Fair Isaac score. And every company wanting to sell anything at all gets to use this automated system of discrimination ("hey, it's not a race/ethnic thing, it's just your computer score and the computer is color blind." As if having an address in The Projects would be anybody's choice, yet it all factors into your score.)

We've evolved our own Big Brother via capitalism.

Somewhere, Karl Marx and George Orwell are sharing a laugh from beyond the grave.

Re:Completely out of hand

[gEvil (beta) (945888)]

I'd tell people to mod you up, but you can't go any farther. As I've often said in the past (and will continue to say), the credit reporting agencies don't give a shit about you. They have no reason to care about whether the information they have on file for you is accurate. YOU ARE NOT THEIR CUSTOMER. Their customers are the ones they're selling your information to. When you contact them to complain about inaccurate information, they consider it a nuisance that *might* need to be dealt with. And the simple reason is because YOU ARE NOT THEIR CUSTOMER.

starting over

[silentscope (908971)]

Start over with a fresh identitiy.

Liability, liability, liability

[electroniceric (468976)]

There are two simple prescriptions for this:

1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.

2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expouns on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.

Get the liability in order and regulation will the preferable alternative.

Re:Liability, liability, liability

[bmwm3nut (556681)]

I don't like the idea of a "safe harbor" or anything like that. If I give my money to a bank and they lose it, even through a "genuine mistake", I get it back. Likewise, I expect that if I give information to a company, and they lose it, they are liable for any harm that comes from that loss. The trouble is that when the governemnt gets involved, then the lawyers at the companies will get involved and they'll look for loopholes and such. There have been a couple of laws passed in the last couple of years that give protection to the companies (Why do you think the submitter was notified of the data loss? Not because the company cares about the submitter, but they get legal protection if they notify of the loss), what we need is to not have those laws and let it up to people to bring civil cases against the companies that lose the data. Yes it will be expensive, but after a few precidents are set, then it'll be easier for the little guy to go after the big companies that lose the info.

Re:Liability, liability, liability

[rcw-home (122017)]

2) Create and enforce real responsibility of credit providers and credit bureaus.

Easy. Just make libelous statements on a credit report... libel. You lost your earnest money because you couldn't get a home loan because you allegedly signed up for a credit card, maxed it out, and never repaid it? You get passed up for a job because a car purchased in your name got repossessed? You prove it, you sue the credit bureaus, you win treble damages.

Suddenly, credit bureaus would require a lot more proof before dinging your credit score, and they'd promptly correct their mistakes.

Pass it forward

[by Anonymous Coward]

Yeah, go to another company and steal their computers.

I just got "the letter" too

[bsartist (550317)]

Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?

Re:I just got "the letter" too

[Anonymous Brave Guy (457657)]

If the most well-funded military in the world can't keep a lid on our personal data, who can?

Someone who never has the data to lose in the first place.

Re:I just got "the letter" too

[horatio (127595)]

What I can't figure out for the life of me, is why the hell all this information is being stored on portable (laptop) systems, and not on the servers behind locked doors and firewalls where it belongs....how do you get millions of SSNs stored locally on a damn laptop and not consider the consequences?

Then again, hiring agencies like usajobs.gov want you to email your SSN as part of your application materials, and if you complain, they fire back some bullshit from their privacy policy...this is what they told me:

Within the Federal job application process, Social Security Number is a unique identifier. Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date and the Federal Government is legally authorized to require this information. This authority is provided under Public Law 104-134. While job applications may occasionally be accepted in a system without the Social Security Number, your applications will likely not be accepted/processed if they do not give the hiring agency the information requested. Please know that the personal and private information you provide is encrypted during transmission and encrypted in our databases. Please also know that all personnel with access to sensitive data are legally bound to use the information only for its intended purposes. Please see our Privacy Statement: http://www.usajobs.opm.gov/privacy.asp [opm.gov] for additional information.

* emphasis mine to illustrate the absurdity

I never once argued about whether they could or should be asking for. I was only asking for alternative methods besides frickin e-mail on how to provide it.

Re:I just got "the letter" too

[MillionthMonkey (240664)]

One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It's only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone's SSN has been compromised, and someone is going to compile them and make them widely available.

That would be the most bitchin' thumb drive, wouldn't it? You could show it to all your friends and taunt them. I'd better not lose my keys or you're all screwed!

Japan has a strong law

[mattr (78516)]

Japan has a strong law and companies must follow certain procedures for storage of over 500 names, which has a major effect on business. It hasn't increased security per se, considering the thefts in the news, but if you could show they did not follow the law they would be liable I think. As for the U.S. my guess (IANAL) would be that you'd have to get info about how they stored your data and what happened, and then prove their negligence, and who knows if there is even a precedent (groklaw?)

Not the best solution, but...

[peacefinder (469349)]

"Do we, as consumers, have any recourse against these businesses?"

There's always the solution from Fight Club. [imdb.com]

Oops. I'm not supposed to talk about that. Forget I said anything, will ya?

Class Action Lawsuit would work.

[spycker (812466)]

Why don't you set up a website that collects information about those who have been actually hurt by identity theft and trace it back to its source company if possible. Then give that information to a land shark for a fee. You could make $200-300 thousand.

Me too (twice even)!

[RootsLINUX (854452)]

I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the mean time while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

Anyway to answer your question: IMO (and IANAL), the court would not force the 3rd party who's information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).

The long-term solution here people, is to get a god damn law passed. This is absolutely ridiuclous how much this occurs, and its usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:

1. The circumstances under which a company/school/whatever may contain your personal information
2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.

How's that for a start?

Re:Me too (twice even)!

[RootsLINUX (854452)]

Damn, just after I posted this I realized I forgot to mention another part (which parts 5 and 6 are also dependent on in the same way they are dependent on parts 1-4)

7. In the case of theft, any and all persons that may have had their information stolen in the theft must be informed within a 48 hour period upon discovery of the theft. No party may with hold or keep secret the theft any longer, or they are subject to further financial obligation to the victims.

Of course "48 hours" is something I pulled out on a whim right now, and "all persons that may be effected" can be intentionally misinterpreted by a party. In reality, if one person's information was stolen, there is a non-zero chance that everyone else had the possibility of having that information stolen.

Re:Me too (twice even)!

[Kadin2048 (468275)]

How's that for a start?

It's a great start. All you're missing is about a billion dollars or so in cold, hard cash. That being roughly the amount of money you'd need to toss around Capitol Hill in order to buy enough politicians to ever have a shot at passing something when every financial institution, insurance company, and data-mining outfit in the country would be fighting it tooth-and-nail.

Come to think of it, I doubt a billion bucks would be enough.

I think this is going to be another area where the corp

Re:Me too (twice even)!

[Kadin2048 (468275)]

In all honesty, there's something to that idea.

A while back when it first came out that you could call up certain companies and for less than $100 get basically anyone's cell phone records, I remember that somebody did it to the Canadian Privacy Minister (or someone to that effect, I forget their actual title) and mailed the results to them.

Short of actually tossing tons of money at them, that's probably one of the more effective means of influencing politicians on privacy issues: make them care by putting their privacy into question along with everyone else's.

I wouldn't ever advocate anything illegal per se, but a lot of good could potentially come from a massive data theft of every member of Congress' credit histories and banking records (besides just finding out who's really on the take).

Don't be so quick to give it up

[mr_stinky_britches (926212)]

Generally, it has been my experience that people are completely willing to give up very private information whenver demanded by a company or similar seemingly legitimate and authoritative entity. I encourage everyone to be more wary and careful about who they give their SSN to. Identity theft has become a rampant problem for many people all over the world. We have to wise up and Just Say No.
--
http://wi-fizzle.com [wi-fizzle.com]

Sue them

[WindBourne (631190)]

Look; Go after the company for negligence. If they used Windows, then show that their useage of windows was irresponsible (it is). If they allowed an employee/contractor to take data that had your information on it, then sue them for not locking down the box or allowing it out in the first place. Sadly, congress is trying to pass laws that make these suits disappear. But if we go after them now, then as suits are won, the companies will actually start caring about the information that they so carelessly allow out. It would be nice if the CIO's could be held legally accountable for choices that they make without consideration to security.

You can place a fraud alert on your credit report

[tlambert (566799)]

You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.

The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.

The direct link for the Experian site to do this is:

https://www.experian.com/consumer/cac/InvalidateSe ssion.do?code=SECURITYALERT [experian.com]

More advice available here for identity theft victims:

http://www.consumer.gov/idtheft/con_steps.htm [consumer.gov]

Hopefully, you will not need it.

-- Terry

Re:You can place a fraud alert on your credit repo

[Bobzibub (20561)]

So why exactly is it up to the schmo to do this? Why not the company?

Cheers,
-b

What I've done

[cimmer (809369)]

I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.

Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.

As long was we maintain some degree of privacy, identity theft is here for the forseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.

class action lawsuit

[bunions (970377)]

This sort of thing is exactly why class action lawsuits exist. Find a lawyer, start one. Companies will do whatever is most cost-effective, so you simply need to make losing your private data expensive.

Recourse?

[mfago (514801)]

No, not unless the american people elect a congress that gives a damn about something other than big corporate sponsors. That's the only reason I can think of why the US doesn't have a law that makes businesses responsible for safeguarding personal information. According to "free market" forces your SSN and credit history is only another product, much less something to be protected.

I've been hit three times myself in the last 4 months. What am I supposed to do, sue three $50B corporations?

Oh, and don't believe the neanderthals that tell you the free market lets you "vote with your business" -- not when everyone seems to be involved.

Identity Theft Protection Act bill in the Senate

[RootsLINUX (854452)]

Here is a link to two proposed bills on identity protection. [loc.gov]

One is dated July 14th 2005, while the second version is dated December 8th 2005. Get off your ass and call up your senator and tell them that you feel this bill should be passed into law to protect you as either a former victim, or possible future victim. Cite some recent examples of identity theft from the news. Tell them that this is more important to you as a citizen that they are supposed to represent, compared to whatever other "important agenda" they are talking about right now in the Senate (gay marriage, starting MORE wars with countries in the name of "freedom", etc). Don't just whine and complain because no one is going to want to listen to you. Instead, push and shove so that they will be forced to do something about it!

(Cue Braveheart moment) - FFFFFRRRRREEEEEEEDDDDDDOOOOOOMMMMMM!!!!!

Oh yeah, and don't forget to buy LOTS of stock in identity theft protect companies! Citizens will win, and irresponsible parties will lose!

Credit freeze under fire

[greeneggs2000 (739337)]

Don't worry, Congress is on the case. Republicans are trying to overturn state laws protecting against identity theft. Overriding the California law is particularly important, even to people who don't live in California -- it is the California law which has forced companies to disclose identity thefts in the first place (they have to disclose thefts involving Californians, but that's most of them).

Credit Freeze Under Fire [sfgate.com]

'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."

'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.

'"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'

Best solution is...

[Dark Coder (66759)]

Make the Social Security Number public to EVERYONE.

That's right, cat's out of the bag. Can of worm has been opened. Too late.

Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.

Each business entities must use their OWN issued numbers.

Wide-reaching Identity Theft Containment problem limited to just the affected business.

Now, it is time to look into three-way public keys to ensure that consumer data is not misused:

      1. Merchant/Business/Corporation
      2. End-user/User/
      3. Arbitrator/Government

With keys signed by each other in 3-ways, secured identification and security of data compartmentilization has been greatly enhanced.

Each and every transaction is signed, sealed and delivered by all 3 parties.

Now, let's get an infrastructure going on this...

Even Bruce Schneier [schneier.com] agrees to this.

Credit Card companies make money on fraud!

[tres3 (594716)]

That's right, when a card is fradulently used they charge the purchase back to the retailer. That way they get a transaction fee on the original sale and then a bonus transaction fee when they carge the retailer for the fraud that they allowed to happen. The trick to wiping it out overnight is make the fraud cost the credit-card company money. As it stands now they have absolutely no insentive to do much about it. Did they not issue the fradulent card to someone other than you after your identity is stolen? Do they have no responsibility to verify the information they receive? Do they not have a responsibility to the retailer to honor debts that they authorize? (Well not really, that's what the merchant agreement is for. You don't like it? Don't accept credit cards.) It is no wonder that the most profitable industry last year was the banking/finance industry. It is also no wonder that they contribute the most to the politicians. On one side they change the bankruptsy laws so you can't get out of debit and start over and on the other they are pushing off the responsibility to the merchants as much as possible too. More reading:

http://www.smithfam.com/news2/july02a.html [smithfam.com]
http://www.answers.com/topic/credit-card-fraud [answers.com]
One of the two (answers/wikipedia) plagerized the other. ;-)
http://en.wikipedia.org/wiki/Credit_card_fraud [wikipedia.org]

Make the credit card companies take responsibility. Make it them that has to pay for fraud and the situation will rememdy itself overnight!

How did we get here? SSN as private information?

[stuartg (983688)]

I don't hate the stupid companies who loose SSN numbers, instead, I'm bothered on how we as a country got into this mess into the first place.

I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.

OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.

The real problem is that there are so many other business segments who need to validate your identity, that they have piggy backed usage of the SSN as the de facto form or Identity verification. This is the real segment that needs to change their behavior!

• Companies like Comcast who insist on the last four digits of my SSN to call the help desk?!?!
• Universities who use the SSN as a student ID number.
• and most importantly, Credit reporting agencies [wikipedia.org] who base consumer credit scores on unverified [wikipedia.org] data.

I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.

The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.

IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.

<Sigh...>

DO something when this happens to you.

[Feebleminded_Genius (950911)]

[shameless showoff plug] I work for an insurance company that handles large ammounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryptions software, and the implementation start to finsh took less than 2 months. It was a rediculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug] What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if you customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.

Re:Prepaid legal

[nacturation (646836)]

If you're afraid of your identity being stolen, Prepaid Legal can help.

An MLM scheme will help me with my fears? Do they offer counseling to overcome these fears?

I got modded down last time...

No kidding. It's like all these free iPod sites -- you get modded down because you're just hoping people will join your MLM so that you can personally profit from their fears.
 

Re:I think Ice Cube said it best

[R2.0 (532027)]

Congress will care about it when a laptop full of THEIR personal data gets stolen.

Just like the Jefferson fiasco - FBI busts down a citizen's door, it's strong justice; bust down a Congresscritter's door and it's a CONSTITUTIONAL CRISIS!!!!omgwtfbbq

Re:Maybe...

[cimmer (809369)]

A sampling of "crappy organizations" that have lost sensitive peronal information of their clients in the last couple of months:

Ernst & Young
Humana
AIG
Union Pacific Railroad
The State of Colorado
The State of Oregon
The State of Minnesota
Hotels.com
University of Miami
University of Kentucky
Miami University of Ohio
The YMCA
The Red Cross
The Department of Energy
The IRS
The Veterans Administration
The IRS

"Get over it" and serve your masters

[by Anonymous Coward]

Yeah, you've got no privacy, but that's not cause to "get over it." The reason you've got no privacy is that you are coerced into giving up your private information -- coerced by government identity-tracking, supposedly for tax purposes but far, far expanded; coerced by effective cartels, like the credit and banking industries; and coerced by laws which support those cartels in their demand for your private information. You don't even have a choice, unless you want to live as a hermit, and at an incredible economic disadvantage.

Having no privacy isn't the problem in itself; the problem is other people exercising control over you with that information. Don't "get over it." Stand up to it.