
Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches do not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

  • by db32 ( 862117 ) on Monday August 25, 2008 @04:18PM (#24741745) Journal
    Clearly you are confused. If we take away the ability for people to spend themselves into oblivion with easy credit the terrorists win! I want the prices of everything on the market artificially inflated by people's spending habits of imaginary money. I am simply not satisfied until I have to pay $50 for a $5 item because the supply and demand curve is completely screwed due to the massive influx of imaginary money into the consumers' hands!

    You must be some kind of dirty pinko commie bedwetter if you want to stop the massive debt spending credit system.
  • Re:Yes/No (Score:3, Funny)

    by zappepcs ( 820751 ) on Monday August 25, 2008 @04:19PM (#24741757) Journal

    So all is ok if the stolen laptop had everything encrypted? That would seem legally equivalent to someone hacking at a server in the company's data center but not getting in. Then what kind of paperwork etc. is required for a contractor to use laptops from the company contracting them? The point being, how far can culpability be extended through the food chain? If an employee is not a security expert and does what IT told them to do but a compromise still happens, is the company or an employee guilty? If my details are leaked and my ID stolen, can I sue the company, the CIO, and the employee?

    Sarbanes-Oxley has already wreaked havoc on the business world. Extending culpability for data breaches to criminal prosecution would be even more destructive in terms of the changes and security costs involved in protecting the company from financial damages in the event of a data breach.

    I'm still waiting for DHS confiscation of a laptop to cause a data breach. When (not if) that happens, can we sue the government?

    (I am playing devil's advocate, or rather corporate advocate)
