Security IT

Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches does not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?
  • civil not criminal (Score:5, Interesting)

    by v(*_*)vvvv ( 233078 ) on Monday August 25, 2008 @04:09PM (#24741559)

    This would be a great civil class action case, but criminal? The slope is quite slippery, and like previous posters have said, the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

    Of course, some would argue that the banks and lenders behind the whole sub-prime mortgage crisis deserve to be criminally punished for causing a global recession and for the number of lives they've destroyed.

  • by Brigadier ( 12956 ) on Monday August 25, 2008 @04:12PM (#24741625)

    If you're going to store my private data without my express permission, in other words I didn't specifically request it (as opposed to having it thrown in as a caveat on some user agreement), then you are responsible for all mishaps that may be incurred by your actions.

    If I ask you to save my data then I accept that I am giving permission to said company as is. In other words it now is my responsibility to look over all disclosures.

    The inherent problem however is there is no means of specifically identifying a person. First and last name no longer work. You can assign them a unique code but most people get tired of carrying around an ID card for every business they do business with. Thus you are forced to use a) a phone number, which is subject to change, b) a social security ID, or c) a credit card number.

    So though I do believe they should be held responsible for negligence and for saving information without express permission, I do think the credit industry as a whole is responsible. There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.

    This one ID bullshit needs to stop. Each person should have a superficial ID which can be changed at request, a credit ID which requires in-person transactions (loans etc.), a government ID and a health care ID, all of which should be maintained by different independent agencies.

  • Re:Yea! (Score:4, Interesting)

    by Anonymous Coward on Monday August 25, 2008 @04:13PM (#24741645)

    Exactly right. Nobody.

    At the very least, they should be held civilly liable. We should be suing every last one of these MFing companies that hand our personal data over to criminals to the fullest extent provided by law. There should be statutes on the books allowing for statutory damages to be awarded when our personal data is negligently handled.

    And where are the ambulance chasers in all this? Why aren't there ads on my TV for shysters who will take on these cases?

    Follow the money... who's getting paid? The politicians. Barack Obama, John McCain...doesn't matter who you vote for, because they both have their hands in the same pockets!

  • Possibly too far (Score:2, Interesting)

    by avatar4d ( 192234 ) on Monday August 25, 2008 @04:16PM (#24741699)

    I am not sure that criminal charges are necessarily needed. Who would get the jail time? I mean does the SA have to prove that he recommended better security to the PHB? Does management automatically go directly to jail?

    I might be happy enough with the company being responsible for any identity theft of the people listed in their data. Maybe only for the next 5 or 10 years, but if their credit starts getting messed up, then the company which lost the data should be responsible to take the blame and also partially (split between the bank and the company) financially responsible.

    Even that suggestion has issues though. People will then defraud the company that lost their data by pretending that their identities were stolen and that someone is purchasing things in their name. All the while it was that person themselves.

    Regardless, I think the whole identity/information theft thing is more complicated than most (non-technical/non-business) people take into account.

  • Re:Yes/No (Score:5, Interesting)

    by kannibal_klown ( 531544 ) on Monday August 25, 2008 @04:18PM (#24741743)

    I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people, especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

    Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

    A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

    I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

    In all, it's a mixed bag of blame. Personally I think the government and law enforcement should take Identity Theft a lot more seriously, with major penalties against these fraudulent jerks.

  • by ScentCone ( 795499 ) on Monday August 25, 2008 @04:20PM (#24741769)

    Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it. Not counting, of course, the harm of feeling appropriately uneasy as you wonder if/when someone will do something with it following a leak - but I'm not sure that sort of anxiety rises to the level of crime on the part of the hotel chain... you could have the same anxiety about whether or not someone holding your data will at some point have a leak that hasn't even happened yet, and likely never will.

    There's a reason that someone who sues McDonalds over the hot coffee she dumps in her own lap doesn't ask a DA to go after them criminally. Likewise with slipping on a wet restroom floor that doesn't have one of those "caution" signs put up by the maintenance crew. Being bad (or even, unlucky) at your job could well be grounds for a civil suit, but it isn't usually - and shouldn't usually - be considered an actual crime. That's pretty dangerous stuff, there.

    When some wackadoo in full-on tinfoil hat mode brings a gun or a knife to work and kills the PHB he's hated for years, and is now convinced is working for Alien Overlords... is the employer who didn't see that coming an accessory to the crime that was committed, for having failed to prevent it?

    If data is leaked, and no crime (based on the use of that data) is ever committed, and the laptop gets recovered with no expectation of it having been compromised... did a crime take place, not counting the person who ripped off the laptop from an employee's luggage? Is the employer actually a criminal because that happened? The opportunities for Really Bad Precedents here are vast.

  • Is it even illegal? (Score:5, Interesting)

    by cayenne8 ( 626475 ) on Monday August 25, 2008 @04:20PM (#24741781) Homepage Journal

    Thing is...is it even illegal at all, to divulge customer data?

    I mean, I know HIPAA takes care of issues with respect to people's medical records, but I don't think that there are actually any laws against the release of people's data. If there were, there would be a whole lot fewer companies out there that held and traded in such information.

    It is a crime to break into a computer to gather this data. But, I don't think at this point, in the US it is a crime to lose it.

    If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

    If there is, can someone cite it or give links on this?

  • by Todd Knarr ( 15451 ) on Monday August 25, 2008 @04:23PM (#24741819) Homepage

    I'm of the opinion that the liability should depend in part on whether the data's being kept longer than needed for the transaction or purpose it was provided for or not. For instance, if I buy something from an on-line merchant they need to keep my name and address on file at least long enough to ship my item, and almost certainly for the length of time I'm allowed to return the item for a refund or replacement. They need to keep my credit-card number on file long enough to authorize it, possibly long enough to settle the charges (depending on how they're set up with their clearing house), and possibly as long as I'm allowed to ask for a refund (if for instance the clearing house requires the card number to credit the money back). When a company keeps information around longer than needed, they should be held to a higher standard since now it's their choice that the data's being kept. And "needed" should be determined by the purpose or transaction the data was provided for, not by what the company wants to do. When I provide a billing/shipping address for a purchase, I'm not providing it so the company can do better advertising later. If they insist that I create a profile and leave that information on file permanently for their convenience or benefit, they should be taking more responsibility for its security than if they're keeping it just long enough to do what I asked of them and then discarding it.

  • by RobertB-DC ( 622190 ) * on Monday August 25, 2008 @04:31PM (#24741953) Homepage Journal

    In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition [austin.tx.us]. I haven't yet figured out exactly what the purpose is for that law, except to remind people that leaving your keys in the car invites theft. I certainly haven't heard of anyone being prosecuted for the "crime".

    Perhaps a similar nominal criminal sanction should be in place for the company that leaves the keys to my identity in their corporate "ignition"? The penalty would be a slap on the wrist, or less -- because a stiff penalty would lead to coverups. But the law would still be on the books.

    That would allow the bean counters to add an item on the balance sheet for "secure client data -- compliance required by law". That would carry more weight than "secure client data -- compliance with 'best practices' guidelines".

  • Re:Yes/No (Score:5, Interesting)

    by Sylver Dragon ( 445237 ) on Monday August 25, 2008 @04:32PM (#24741975) Journal

    I think there is a way to go about it that would work.

    The first thing that would have to be done is that we would need some guidelines as to what a "reasonable" level of security is, and even that might be scaled based on the type of information stored. This should then be re-evaluated yearly by a commission of qualified IT managers from industry. There are other limitations which should be placed on the commission, but that's outside the scope of this uninformed rant.

    Just as an example:
    Storing customer names and addresses - Database encryption and basic perimeter security may be considered reasonable. Losing data and not being there should result in fines and maybe some jail time.

    Storing Credit Card info - Same as above, but add backup encryption, laptop hard-disk encryption, internal firewall for DB servers and source code audit on all applications with DB connections. Failure to comply and losing data would be hefty fines, jail time for those responsible for the systems, and civil liability to those people affected.

    Storing Social Security Numbers - All the above, but damages increase substantially, as does jail time, with c-level execs getting in on the PMITA action. And civil liability is increased to "the affected customers now own your ass" level.

    The problem, of course, is that it would be the government doing it, so they would invariably screw it up.

  • Re:Yes/No (Score:3, Interesting)

    by jellomizer ( 103300 ) on Monday August 25, 2008 @04:33PM (#24741993)

    Great idea, let's throw business back 2 decades. This data is used beyond just advertising and marketing; it is used to improve the business on the whole.

    E.g. when you call your credit card company you can usually get your balance and access what are most usually called features right away. I bet if you call them a few times and don't go that route, the phone system may change for you to get you on and off the line quicker, making you happy as you are spending less time on the line, and them happy not having to pay to keep you on the line for longer.

    Or if you go back to the store or an online store, then it can fill out all the information for you that you entered in already, making checkout a lot quicker.

    How about tracking progress of a product line. They see that while a product is still selling strongly, they may find that some areas are stopping and spreading, thus it is time to change the product or offer services to extend the product. Or change the shipment quantities around so one location isn't overstocked and the other has a stock-out.

    Data is key for a successful company; as IT guys you really should know this already. Lack of data will cause you to go by the gut and just start guessing.

  • by MozeeToby ( 1163751 ) on Monday August 25, 2008 @04:37PM (#24742031)

    Easy, make the penalty dependent upon the company's handling of the situation. If the company comes clean the penalty is X dollars per victim. If the company attempts to hide the situation the penalty is 100 * X dollars per victim.

  • Re:Yes/No (Score:5, Interesting)

    by thesolo ( 131008 ) * <slap@fighttheriaa.org> on Monday August 25, 2008 @04:41PM (#24742087) Homepage

    A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

    $10 says someone was either creating top-line reports or other such nonsense based on spreadsheets full of live data, and they brought it home/outside of the office to continue working on it past business hours.

    I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting. People don't follow IT protocol when it becomes inconvenient for them to do so. (i.e. staying late at the office vs going home & working there.)

  • Re:Yes/No (Score:5, Interesting)

    by David Gerard ( 12369 ) <slashdot AT davidgerard DOT co DOT uk> on Monday August 25, 2008 @04:41PM (#24742095) Homepage

    The Economist ran a report pointing out that companies had whined at length about how Sarbanes-Oxley was crippling their business, but they did an investigation and found that the companies in question were doing as well as before or better.

    (The Economist is absolutely gung-ho to the point of stupidity about free markets, so I don't think they have some sort of corporate agenda in saying so.)

  • by Anonymous Coward on Monday August 25, 2008 @04:42PM (#24742101)

    Agreed! Corporations have all the benefits of "being a person" and none of the liabilities. If they are convicted of criminal behavior, basically they just pay...and maybe some employees go to jail. The corporation, however, blindly continues on with perhaps a lower quarterly earning that month. Corps are chartered and if we had the guts, they could be un-chartered. Shut down a company for a year and other corps would (hopefully) be terrified. People would lose work, shareholders would freak, but think about it. It wouldn't be long before both those parties held the corporations' feet to the fire.

  • Re:Yes/No (Score:3, Interesting)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Monday August 25, 2008 @04:47PM (#24742177) Homepage

    Well what about long-term services like Life Insurance?...A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it.

    It seems like you could have a rule to dispose of data after the transaction except in businesses/industries where it's necessary, and then regulate those businesses/industries better than we do now. How about it's illegal for a company to put that sort of data onto a laptop?

  • by AvitarX ( 172628 ) <me@brandywinehund r e d .org> on Monday August 25, 2008 @05:06PM (#24742481) Journal

    When someone costs you money through negligence (i.e. giving away or sloppily handling your data) you can sue them.

    This would apply at the very least to Credit Cards (if used) and social security numbers (if they are used).

    If the cost to you is nothing it is definitely a different issue.

  • Data Protection (Score:4, Interesting)

    by Antony T Curtis ( 89990 ) on Monday August 25, 2008 @05:07PM (#24742501) Homepage Journal

    The USA needs something like the Data Protection Act [wikipedia.org] which the UK has... It gives individuals rights to access and correct data held about them and it mandates that organizations must take adequate steps to protect and secure the data. Failure to do so is a criminal offense.

    IANAL... If any of Best Western's compromised data details reservations at any of Best Western's hotels in the United Kingdom, they may have opened themselves up for prosecution under this law. All organizations and businesses in the UK which may store details on more than around 500 individuals must register and adhere to the DPA. I am sure that Best Western has had more than 500 customers in their UK operations!

  • by Ungrounded Lightning ( 62228 ) on Monday August 25, 2008 @05:20PM (#24742719) Journal

    Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

    And the famous part of the Fifth Amendment hits that head on:

    "... nor shall [any person] be compelled in any criminal case to be a witness against himself, ..."

    So it's not going to happen in the US. Give it up.

    = = = =

    The people harmed are easily identified. It makes more sense for this to be a civil matter, with heavy financial penalties being paid by the company to the victims of the identity theft, rather than into government coffers.

    If the government were to legislate or rule-make the penalties and/or automate the process in corporate regulations, rather than waiting for class action suits to lay the ground rules (and line the pockets of the litigating class while the victims get pennies), so much the better. (Assuming the legislators don't just write a slap-on-the-wrist preemption law for their corporate sponsors. B-( )

  • by Todd Knarr ( 15451 ) on Monday August 25, 2008 @05:28PM (#24742847) Homepage

    What I don't understand is why ID is needed in the first place. It seems to be tied to the idea of the merchant making a charge against the purchaser's bank account, which means the merchant needs to identify the purchaser to make the charge. But why does the merchant need to make the charge? Instead, have the merchant provide a merchant ID and transaction number to the consumer, who then logs into their bank's site and initiates a payment to the merchant for the transaction. Nobody can initiate a payment without knowing the credentials to my bank's site, which I don't ever have to provide to anybody so I can keep them secure (modulo attacks on the bank itself or me falling for a phishing scheme). If the merchant doesn't ship until they receive the payment they don't have to verify the address; anybody trying to initiate a purchase in my name won't have my bank credentials and won't be able to initiate a payment from my account. And all the information the merchant needs to keep on file long-term is the payment number my bank gave them as part of the payment transaction, which the bank can tie to my account on its end if the merchant needs to do a refund or anything. All this should be fairly simple, it's just standard EFT initiated by the payer instead of the payee.
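
The payer-initiated flow described in the comment above, as an added example that is not part of the original thread and not any real bank's or payment network's code. It models a toy Bank, Merchant and Invoice in Python (all names, amounts and credentials are constructed assumptions): the customer authenticates to the bank and pushes the payment, the merchant ships only after the bank confirms it, and the merchant's long-term record holds nothing but its own transaction number and the bank's payment reference, which is also all a refund needs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:  # what the merchant hands the customer: nothing about the customer's account
    merchant_id: str
    txn_number: str
    amount_cents: int


class Bank:  # the only party that ever sees account credentials or balances

    def __init__(self):
        self._accounts = {}  # account_id -> {"salt", "digest", "balance"}
        self._sessions = {}  # session token -> account_id
        self._payments = {}  # payment_ref -> (account_id, Invoice)

    def open_account(self, account_id, password, balance_cents):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[account_id] = {"salt": salt, "digest": digest, "balance": balance_cents}

    def login(self, account_id, password):
        """Return a session token, or None. The credential never leaves the bank."""
        acct = self._accounts.get(account_id)
        digest = acct and hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        if not acct or not hmac.compare_digest(digest, acct["digest"]):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = account_id
        return token

    def pay(self, session, invoice):
        """The payer pushes money to the merchant; returns a payment reference, or None."""
        account_id = self._sessions.get(session)  # no owner login, no payment from the account
        if account_id is None or self._accounts[account_id]["balance"] < invoice.amount_cents:
            return None
        self._accounts[account_id]["balance"] -= invoice.amount_cents
        ref = "PAY-" + secrets.token_hex(8)
        self._payments[ref] = (account_id, invoice)
        return ref

    def lookup_payment(self, merchant_id, payment_ref):
        """Merchant-side check: which of that merchant's invoices did this reference settle?"""
        entry = self._payments.get(payment_ref)
        return entry[1] if entry and entry[1].merchant_id == merchant_id else None

    def refund(self, merchant_id, payment_ref, amount_cents):
        """Refund by reference: the bank, not the merchant, maps it back to an account."""
        invoice = self.lookup_payment(merchant_id, payment_ref)
        if invoice is None or amount_cents > invoice.amount_cents:
            return False
        self._accounts[self._payments[payment_ref][0]]["balance"] += amount_cents
        return True


class Merchant:
    """Keeps only its own transaction number and the bank's payment reference."""

    def __init__(self, merchant_id, bank):
        self.merchant_id, self._bank = merchant_id, bank
        self._orders = {}  # txn_number -> {"amount", "payment_ref"}

    def create_order(self, amount_cents):
        txn = f"T{len(self._orders) + 1:06d}"
        self._orders[txn] = {"amount": amount_cents, "payment_ref": None}
        return Invoice(self.merchant_id, txn, amount_cents)

    def record_payment(self, payment_ref):
        inv = self._bank.lookup_payment(self.merchant_id, payment_ref)
        order = self._orders.get(inv.txn_number) if inv else None
        if order is None or order["amount"] != inv.amount_cents:
            return False
        order["payment_ref"] = payment_ref
        return True

    def ship(self, txn_number):  # ship only once the bank confirmed payment; no address check
        return self._orders[txn_number]["payment_ref"] is not None

    def stored_fields(self):
        return sorted({k for o in self._orders.values() for k in o})


def demo():
    """Constructed walk-through: impostor attempt, real purchase, then a refund by reference."""
    bank = Bank()
    bank.open_account("acct-42", "correct horse battery staple", 10_000)
    shop = Merchant("MERCH-7", bank)
    inv = shop.create_order(2_500)
    out = {"shipped_unpaid": shop.ship(inv.txn_number),
           "impostor_paid": bank.pay("guessed-session", inv) is not None}
    ref = bank.pay(bank.login("acct-42", "correct horse battery staple"), inv)
    out["paid_and_shipped"] = shop.record_payment(ref) and shop.ship(inv.txn_number)
    out["refunded"] = bank.refund("MERCH-7", ref, 2_500)  # merchant needs only the reference
    out["merchant_fields"] = shop.stored_fields()
    return out
```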

  • Re:Yea! (Score:5, Interesting)

    by Lumpy ( 12016 ) on Monday August 25, 2008 @05:31PM (#24742879) Homepage

    Actually wrong.

    The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT department's budget to increase security.

    If the CEO has the fear of being raped by bubba while the CTO is told "you're next pretty boy", they will quit spending money on their company BMWs and office remodels and actually give the IT departments the funding they need to have the staff and hardware to do their FUCKING job.

    Do I seem a bit jaded?

  • by fuzzyfuzzyfungus ( 1223518 ) on Monday August 25, 2008 @05:33PM (#24742907) Journal

    Attempting to legally define responsibility for "reasonable" security is a tricky one. You don't want a situation where corporate can, say, consistently shirk on security implementation, then hang the poor bastard who had to make the best of a bad job out to dry when the time comes (not that that would ever happen, no, definitely not, never). On the other hand, having a checklist of "OMG Industry Best Practice!!!1!~" ass-covering steps is pretty much writing the script for security theatre.

    I suspect that going after the type, quantity, and duration of data storage is a much more productive avenue. For any given commercial relationship, certain data storage will be necessary, for a certain amount of time. Not much we can do about that. Anything beyond that level, though, should be open to stiff liability in the event of a breach. You want the advantage of storing extra data? You take the risks, like it or shove off. The trouble (particularly bad in the US, though hardly good elsewhere) is that there is essentially nothing, other than the low and falling costs of storage, counterbalancing the desire to hoard as much customer (no, I'm not going to say "consumer") data as possible. Make anybody who stores more than the necessary minimum of data liable for damage caused by breach or inaccuracy and the problem should be considerably reduced.

    Even if the above seems, shall we say, unrealistic, there are some basic steps we should have taken ages ago. FFS, companies that have data stolen aren't even obligated to warn people in some jurisdictions! (See the ChoicePoint debacle a while back: they warned California customers, because the evil commie nanny state had the crazy idea that people ought to be warned when somebody fucks up and gives their data to criminals; but everybody else just had to puzzle it out.) That is absolutely insane.

  • Re:Yes/No (Score:3, Interesting)

    by dfm3 ( 830843 ) on Monday August 25, 2008 @05:35PM (#24742939) Journal

    I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

    Indeed, this is the heart of the problem: When X = 52 weeks, or 2 years, or forever. I can understand why a hotel would want to keep my information on file for a short while, say a week or two to assure that I've been charged for my visit, or held responsible if I happened to break a lamp or a window, but I see absolutely NO REASON why a company has to keep my credit card details on file for an entire year after I have concluded a business transaction with them.

    Less critical information such as my name, address, or phone number, sure. If I give this information up I understand that the company might want to use it sometime in the future to contact me. But what benefit is my credit card number to said company a year or two down the road? Is there some sort of insight that can be gained from analyzing credit card usage data? Does the information (if any) gained from such analysis really help them improve the way they do business? It sounds like too many companies have been caught up in the "if we can store the data, we will, even if it's useless" mindset.

  • by kbahey ( 102895 ) on Monday August 25, 2008 @05:42PM (#24743007) Homepage

    Part of the issue is storing identifying information, the other issue is storing credit card info. There should be no excuse for storing credit card info.

    I was at Home Depot (Canada), returning something I bought earlier, and I reached for my wallet to give the guy the credit card to refund the item. He said, "Oh, we don't need that Sir, it is all stored in our system". I said: "You store credit card data on your computer"? He says: "Oh, we don't have access to it".

    The point is, not the employees having access to it, but the data getting copied or stolen by criminals, such as the Best Western case.

    Some credit card gateways provide a token based approach to recurring charges, such as monthly subscriptions, but it is not a standard that can be used everywhere with any card, and any merchant.

  • by Anonymous Coward on Monday August 25, 2008 @06:02PM (#24743297)

    I'll tell you what... Before you make a decision on whether companies should be responsible for theft of their information, make the police responsible for murders that occur on their watch.

    No really, I'm not kidding. What surprises many people is that the motto, "To Protect and Serve", is just that, a motto. Police have NO duty to stop a crime in progress, only to execute the law by arresting those who have committed the crime whenever it's convenient. A good example is someone who is either in witness protection or perhaps has a patrol car stationed at their house if they are a testifying witness. Despite the assurance that you are "protected" they can't be sued or held liable for failing to do so.

    It seems silly to hold a corporate entity to a higher standard than our own police forces. Sure, hold them liable for pure negligence, like creating a webpage that lists their customers' name, ssn and cc numbers, but for pure theft no way.

  • Re:Criminal Charges? (Score:2, Interesting)

    by mistahkurtz ( 1047838 ) on Monday August 25, 2008 @06:04PM (#24743333)

    Here's my thoughts on it. I don't agree that the IT department should be held responsible, unless it proves to be through the IT department's negligence that the information was lost or stolen.

    I think the focus should be on management external to the IT department. I have worked in Enterprise IT Sales for a few years now, and am still shocked on an almost daily basis by how easily funds are denied for absolutely crucial projects.

    If your CIO, CFO, CEO, Compliance Officer, Security Officer, etc is aware of a risk, and chooses not to act, the fault is theirs, not the IT department that was told to play with rubber bands, old hardware, free software, and tin foil to piece a robust security infrastructure together.

    IBM's ISS costs up to around $200,000 for a good-sized implementation, and may be the only *truly* full-sized security solution available on the private market (offerings from McAfee and so-on shouldn't even be mentioned). The organizations that are typically collecting, storing, and losing important and sensitive user data are typically organizations that can afford, or should find a way to afford such security infrastructure. (Are you telling me that S/L/F government, financial institutions, major telecom companies, etc etc etc etc can't afford a non-joke security system? Are you telling me that they can't enact serious security policies and punish ignorance, laziness, or apathy?)

    Seems to me that spending $200,000 for a full, robust security system, up front, far outweighs the potential lawsuits, out-of-court settlements and negative publicity that can follow a serious breach or loss of data.

    The power lies in the accounting office. With the people who get a bigger bonus for cutting expenses. And this might make sense when you're talking about such things as paperclips, copy paper, toilet paper, etc. But when you're talking about the very things that keep your business in existence, and maintain your reputation with your peers as well as your customers, shouldn't there be another process?

    If someone says to the IT manager, Network Security manager, etc, that "I understand your pain, and while you may feel that you need a full IPS that tests the network for flaws, dynamically, you're going to have to stick with a handful of WatchGuard appliances, because I, and nobody above me, cares", then I say blame that person and anyone else involved in the apathy or ignorance.

    I'm done.

  • by Stellian ( 673475 ) on Monday August 25, 2008 @06:13PM (#24743459)

    If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

    No there's not - this the "problem" the original submitter want's to solve. I personally have huge issues about criminalizing any form of free-speech.
    The identity of a person is not a secret, or a thing that can be stolen. The very way that identity works is by making it public:
    "Hello, I'm John / Oh Hi John, I'm Susan"
    Now if John is coy about revealing his identity for fear that Susan might open up a bank account in his name, the whole use of identity crumbles. I have nothing against anonymity; John can remain anonymous if he so desires. But the notion that you must somehow "protect" identity by keeping it a secret is a stupid trick that harms the usefulness of identity and our society as a whole. The artificial distinction of allowing trusted people (banks, the phone company) access to it, while keeping it a secret from the general public (that includes identity thieves) is childish. As is the proposal above, of criminalizing the act of compiling a list of people's identity using public data - as explained above, all identity data is public to some extent, by definition; if it's not public, it does not identify you.
    Far be it from me to claim that it's safe to post your personal data on Slashdot. In this warped world we are living in, there is the danger of so-called "identity theft".
    The term "identity theft" is a copious misnomer perpetrated on the public by the banking industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
    After all, why should *I* pay for the fact that some bank lends money to someone who says it's me? The bank has little incentive to properly authenticate the guy: they want as many customers as possible; the problem of "ID theft" is an externality. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so it's unreasonable to require me to protect my identity from "theft".
    You can find an excellently written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
    http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html [schneier.com]
    The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
    Devising more intricate ways to keep our identity data "secret" is just a band-aid.

    (I have only approached the problem from the identity fraud perspective; I fully agree there are other reasons for wanting to have your data private, such as, well... privacy)

  • by Anonymous Coward on Monday August 25, 2008 @06:22PM (#24743593)

    In the UK I think there has only been one successful prosecution, the Lyme Bay canoeist disaster, but that was a 1-man company so it was directly the director's fault. Attempts to prosecute Railtrack directors for train crashes have not gone ahead.

    It's just too hard to establish that a CEO of a multinational with 3,000 employees has done a specific act or omission that makes them personally responsible to the point of criminal liability. This is especially the case in areas like industrial chemical engineering which the CEO may have no qualifications or involvement in.

    Unless you find a "smoking gun" memo saying "I'm a greedy bastard, so please cut back on vital safety equipment: it doesn't matter if people die because I want to increase my bonus" you can't really connect anything done by the board to people's death. Not in a way that is direct enough to justify equating the board with a gang of Mafia bosses who arrange to have their enemies shot.

    Even lawyers think it is a bit tenuous to argue "well, this divisional profit target was a bit challenging so it was effectively inevitable that low level supervisor Joe Smith would disable a piece of safety equipment in violation of the company's written procedures manual, please send the CEO to jail for ten years".

    It's no good just identifying someone and threatening them unless that person can really respond effectively to that threat. What do you want the techno-clueless CEO to do? Send a memo to the IT department saying "please please please don't lose any data or I'll go to jail"? Spend a lot on high-price consultants?

    In any event discussion on this topic invariably falls into the /. trap of assuming the only goal of security is confidentiality. People also need to access the data in order to fulfil tax, audit and general business requirements. Balancing these requirements is not a solved problem and until it is, I don't see that criminal penalties will help.

  • Risk management (Score:2, Interesting)

    by ppanon ( 16583 ) on Monday August 25, 2008 @06:23PM (#24743625) Homepage Journal
    Criminal blame won't make a difference unless it automatically applies at the top corporate level. Otherwise, lower-level grunts will be served up as sacrificial lambs. The only method that can be used to justify to management having appropriate security expenditure is to attach a solid price tag to bad security practices to offset the price tag of good practices. That means large and immediate monetary penalties for loss of information (indexed for inflation of course). That way management won't decide to risk fighting any class-action lawsuits for 10 years until they can retire, leaving their successors to deal with the mess. If you can lay out to management "You have 100,000 accounts, and a security breach is going to cost you $X and your current practices have a high chance of a security breach in the next few years", it's a lot more concrete than if I talk about the historic average cost of security breaches in unrelated industries (based on contacting stakeholders, PR, etc., after a breach). Put a solid price tag on it and companies will either adjust, or go under faster and prevent further loss of client information due to continued poor practices.
  • IT negligence? (Score:1, Interesting)

    by Anonymous Coward on Monday August 25, 2008 @06:30PM (#24743711)

    "IT negligence" as suggested by the summary is caused by Management's "head in the sand" tactics.

    There've been a number of times over the years where I've raised security issues about an existing system, or even a proposed system, and been beat down by Management because it would cost too much or take too long to fix it. They prefer to not "spend money frivolously" and instead gamble that the problem will never be exploited.

    I'm sure this is a common issue throughout the industry... fine Management or send them to jail if IT can show an e-mail or other evidence where Management have refused to act on something.

  • by cdrguru ( 88047 ) on Monday August 25, 2008 @06:34PM (#24743759) Homepage

    Well, according to the FBI, this includes all forms of credit card fraud. This is mostly why "identity theft" is getting so much attention and seems to be growing by leaps and bounds.

    I have been subjected to credit card fraud many times, as have many people I have known. I have yet to meet anyone that has experienced any loss, even the supposed $50 that you might be liable for. Zero loss, get a new card and move on. Sometimes a minor hassle.

    The sort of "identity theft" that most people associate with the term is where someone obtains credit under false pretenses. I don't know what the actual incidence of this is and because of the FBI combining it with credit card fraud, we will probably never know the true impact of this. What I want to know is how often this is really happening and has anyone, ever, been a victim of something beyond credit card fraud because of one of these disclosures.

    I don't see any point to trying to make a bigger deal out of it if there have in fact been zero occurrences where this information has been used to someone's detriment.

  • by Anonymous Coward on Monday August 25, 2008 @06:57PM (#24744003)

    How about it's illegal for a company to put that sort of data onto a laptop?

    Why do many of these people even need laptops? They work in a cubicle/office sitting down. They then go home and work at a desk sitting down. Set up two RDesktop terminals: one on the corporate LAN, and one that VPNs in.

    You get the exact same work environment and your data is safe on the server, with everything being encrypted with AES.

    Data is compromised only when the person's account information is stolen (stealing the dumb terminal doesn't even help you).

    For some people this won't work because of the ego trip involved in getting a laptop (and some people do actually need laptops), but others will appreciate the fact that they don't have to lug this thing around.

    And if you can standardize on a particular model of unit you can perhaps throw in smart card logins.

  • Re:Yes/No (Score:3, Interesting)

    by mpe ( 36238 ) on Monday August 25, 2008 @08:38PM (#24745197)
    Nobody needs to store SSN's except the government that issues them. The fact that people made the MISTAKE of standardizing on SSN's as primary keys for users to begin with is their own fault.

    It's also rather daft since it complicates matters if they need to deal with customers who don't have SSNs, e.g. corporations.

    Mainly because SSN's are horrible primary keys since they REPEAT!!! Yes, look it up... they DO get reissued after death, and with long-term storage this will only cause issues for storage of personal data.

    The reissuing might have some interesting effects if someone's estate took a long time to be sorted out :)
  • Re:Yes/No (Score:3, Interesting)

    by arminw ( 717974 ) on Monday August 25, 2008 @08:43PM (#24745257)

    ...Nobody needs to store SSN's except the government that issues them...

    Tell that to your friendly DMV who are now mandated to collect this information by the federal government. It so happens that in any computerized database, a unique record identifier is needed. For any database that could contain information of potentially anyone in any state, the SS is more likely to be unique than any other number currently assigned to nearly everyone.

    Instead of making the legitimate owner of the identity responsible for fraud committed in their name, the financial institution should bear the fraud loss. This would give them an incentive to carefully check the information given by the fraudster. This is essentially the case with credit card fraud today. The legitimate cardholder is essentially not responsible for fraud committed in their name. In spite of this, credit card companies and banks are doing quite well, thank you.

  • by skelly33 ( 891182 ) on Monday August 25, 2008 @09:42PM (#24745869)
    I think the digital world should be treated quite like the physical world.

    There should be a clear distinction between the liability of a company who has made reasonable efforts according to typical industry practices (a bank with a brick & mortar facility, armed guard, surveillance, and timed locking vault) and one who makes no effort at all (keeps customer assets in a cardboard box marked "keep out" in a Public Storage facility). Despite all efforts, no system is completely secure - this is slashdot: you KNOW that.

    What if the system administrator who allowed the system to be compromised were the one on the hook? The fact is that the bad guys are ALWAYS determined to find something that the good guys haven't thought of and eventually will get in and make off with the materials. At some point you have to stop looking for someone else's ass to burn and just chase the crooks themselves.
  • by suck_burners_rice ( 1258684 ) on Tuesday August 26, 2008 @03:32AM (#24748381)
    That makes NO sense! I know that theoretically it's the company's responsibility to secure the data, but if some 1337z h4x04z figure out some crazy way into the system, then why should the company's top people face criminal charges? If you don't want to risk your information getting stolen, then don't give it to anyone. The company is also a victim in this case. Charging the victim is like this: You have bars on your windows and locks on your door. One night, a burglar busts in somehow and jacks your PS3. You get charged with a crime. Does that make sense? No. And neither does this.
  • by rew ( 6140 ) <r.e.wolff@BitWizard.nl> on Tuesday August 26, 2008 @08:22AM (#24749865) Homepage

    If you try to jail the CEO, he will say it's the CTO's job to secure the systems. He in turn blames the head-of-IT-ops, who in turn blames the lonely sysop. So who's going to jail? All of them? The top? The bottom?

    If YOU do something bad, YOU have to pay the price. We've got several gradations here: pay a fine, go to jail, both in different amounts.

    If a company does something bad, what can we do to make it pay? Well, exactly that: Make it pay.

    Now, if YOU know that a fine for XYZ is $1, and it's easier for you to do XYZ than something else, then you'll easily do XYZ. Besides that the chances of getting caught are usually small, the fine is such that you can easily pay up. If you have to pay $10000 as the fine most of us will think twice, and be really careful.

    In the case of a big company, $10000 is nothing. So fines you put on companies should be proportional to their size. Faking profits or losses is easy. So it should be proportional to their turnover.

    Here in Europe, MicroSoft got fined EUR 1 billion for ignoring antitrust laws. This is an amount that even a company like MicroSoft feels.

    With several situations, legally someone is responsible. But after they have "paid" in whatever way that is, they might then be able to hold someone else responsible. For example, if I buy a stereo here in The Netherlands, I've got warranty service from the shop. They can claim: "factory warranty: 1 year" all they want, but the law gives me the right to ask the shop to fix problems in the product during a "reasonable time" no matter what they claim. (i.e. warranty: 1 week will not work either!).

    So, if a company pays a fine, and finds that this is evidently the fault of a certain employee, they can sue that employee afterwards.

    The problem of scale then kicks in. If the company pays a $1M fine, but this is evidently the fault of precisely one employee (say he was told not to do X, but he did so anyway, finding clever ways to escape the regular checks of the company to see if he was complying with the order), then how can that single employee pay the $1M "damages" to the company?

  • Sue! (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 26, 2008 @09:07AM (#24750127)

    This strikes me as one of the few times when it makes sense for the customer to sue the crap out of the company that lost the data. Sue for every penny you can get so that companies start to take notice of this and do their due diligence to protect that data. I'm surprised no lawyer has gone class action with one of these lost data incidents.
    For years now I have largely refused to sign on digital signature pads because they tell me *absolutely* *NOTHING* about what happens to my signature. I suspect in most cases it's sitting on an unsecured, unencrypted server with my CC# and other transaction info. My CC# and signature are enough for an enterprising hacker to create a card and have a LOT of fun at my expense (partially my expense, anyway). A physical signature (as opposed to digital) has physical security around it (safe, locked store, etc.). I can't assume any security with a digitally captured signature, UNLESS THEY TELL ME WHAT THAT SECURITY IS.