ChoicePoint Hit With Large Fine For Data Theft
Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.
Not just that, but the fact that financial institutions really don't help you once you get your ID stolen...
http://moneycentral.msn.com/content/Banking/Bette
Banks hang fraud victims high and dry
If a thief uses a stolen ATM card or checks to pilfer your accounts, you may not get much sympathy from your bank -- or any of your money back.
By Liz Pulliam Weston
Lesa Henderson of San Diego was shocked when her husband's paycheck suddenly disappeared from their checking account. But their troubles were just beginning.
An acquaintance who stole both Henderson's debit card and checks from her checkbook had drained every penny from the account. The Hendersons' bank initially restored some of the lost money, which the thief promptly stole. The bank then decided the thefts were Lesa's fault because she had allowed the thief into her home. The bank demanded the Hendersons pay back the restored funds, plus all the fees from bounced checks. Furthermore, it refused to let the Hendersons close the compromised account because it was overdrawn.
And All I Ask is a Tall Ship And a Star to Steer Her By
I'm happy to see regulators stepping in. Security of other people's data is a big problem, and it's going to be a much bigger problem. However, I think this is the wrong approach. I think the right approach is actually much simpler than lots of regulatory oversight: Make companies liable for misuse of data that they collected and lost or misplaced. In fact, make them not only liable for direct damages, but award punitive damages as well. Also, the plaintiff should not have a large burden of proof that it was actually company X's loss of the data that led to the damage. If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.
That may seem unreasonable, but I have a very specific reason for that "extreme" position. We want companies who use customer data to be very, very reluctant to collect any data they don't absolutely need, and we want them to be anxious to destroy that data as quickly as possible so that there is no possibility it may be compromised.
As long as corporations see more potential gain than loss in collecting and hoarding personal details, they'll do it. Regulators may slow them down a bit, or force them to be a little more careful, but the best solution is to convince them that they do not want it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
You are assuming that they will actually have to pay that fine.
The procedure is as follows:
1: Publish big number to quell citizen revolt
2: Negotiate lower settlement over the next few months
3: Profit!
Case in point: Exxon Valdez(sp?) Oil Spill
1: Exxon gets Billion(!!) dollar fine
2: Exxon negotiates Billion dollar fine over umpteen years
3: Exxon pays less than 1/2 the published number in real dollars.
Choicepoint would cry like babies and threaten bankruptcy which they probably are doing anyway. "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.
From the government's perspective, they were legitimate businesses if they paid taxes on their "profits".
Now from the victims' perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.
Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hand on the data? Some of those businesses are a bunch of crooks too.
The whole system needs better security, not just better control over who can get your info.
vb
Don't forget. Paying fines counts as an expense, which you can claim against revenue, thus cutting your taxes. As such, the hit is never as bad as it seems at face value. Now, if you had to pay fines out of your after-tax profits...
The odd thing is, you picked an interesting bit of the article - instead of the silliness displayed above, why don't you, y'know, talk about it or something? People actually come here for that sort of thing. Shocking, I know.
It does - in hopefully, uncolored by our friend here, a non-conspiracy way - make me think about the Gummint, tho. Conflict of interest?
As mentioned, the fines are practically pointless for the fined - where does the money go? Who gets to spend it? So the consumer is screwed, the corporation loses a pittance, and the FTC gets a paycheck. Why doesn't the fine money go back to the screwed consumer? How does Corp A screwing Citizen B mean "government makes more money?"
And, of course, what incentive does the FTC have to enforce any real changes here? Screw up and we make some cash, get to posture about how we care, and slap you with some lax security requirements while the public eye is on us all. What happens in the 2 years between audits? And when they pass the audits, and 10 months later this happens again... what then? Anything? Oh, more fine cash for the FTC. And more screwed consumers.
Bah.
That which does not kill us makes us... st
This reminds me of the "settlement" Nintendo got for price fixing.
Anyways here's how I think I got victimized (though I could be wrong). My previous employer used ChoicePoint to verify my resume information before hiring me... Not sure how to avoid this situation.