Liability for Data Breaches are Minimal
vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing half a million records of private student loan information being stolen. The court ruled that since "reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers' damages.
is a failure to follow policy.
Now the person suing the company needs to accuse the company of not following policy, and provide some sort of proof. Then the company can attempt to defend itself.
The Dunning-Kruger effect explains most posts on
these sorts of problems will only continue. Without any sort of accountability, why should companies care?
Unpretentious Sydney reviews by unqualified Sydney reviewers
Liability ... are? I know the editors are not quite Mensa geniuses but this is a new low.
-- Too lazy to get a lower UID.
And, yet, if the person who cracked/hacked/illegally accessed the same data were caught and brought to trial, the company would say that it suffered millions or billions in damages. Hmmm. Minor disconnect there.
If someone breaks into my house and steals one of my guns am I liable for what they do with it? No. A locked house is reasonable protection. If that absolves me of someone's death, then surely it absolves someone of having their computer stolen.
"Liability for Data Breaches are Minimal"
Grammar for Article Submitters are Minimal?
I've got six digits in loans thanks to med school and they're growing by the day. I'd like to see *any* judge with kids in college or grad school take a look at this case: any company that releases data like this should be fined $100+ for *every* person affected. Also, there needs to be state or federal laws for violations of privacy on this scale whether by the company themselves or their contractors.
As long as there is a Second Amendment, there will always be a First Amendment.
This actually makes sense, as the tort of negligence is a civil matter and where a defendant's (in this case the loan company) actions are being assessed, the law requires the standard of "the reasonable man" to be used.
:P
Generally in cases such as this, the court will use the reasonable man test in a formulation which would likely sound like this: "would a reasonable man, in the position of the defendant with the same information and experience that the defendant can reasonably be expected to possess, have behaved in the same way".
It then comes down to the court hearing evidence from members of industry and other witnesses or even amici curiae (meaning "friend of the court", which is a person who offers evidence but is not called officially by the plaintiff or defendant, and excuse me but my Latin spelling is not that good). The judge then decides if the defendant acted the way a reasonable man should.
P.S., yes, I know the formulation of "reasonable man" is sexist, but hey, it's the law.
I hate printers.
is minimal.
In fact, this case is but one example of many that we have been hearing about, and by the time the company admits it, the damage may be done. The criminals are always coming up with new ideas, scams, and tricks, such as the "You've won the lottery! Deposit this check and we'll send you your lottery winnings" scam.
Punishment, no matter how severe or financially crippling, will not stop this.
"Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data."
It's as if a million Lawyers cried out and then were suddenly silenced.
C.
"Doctor, it's not the voices I hear in MY head, but the voices I hear in YOUR head that really frighten me."
I'm sure for any ones you propose, the folks here can point out all sorts of corner cases in which they would not work / make sense.
Where do you draw the line? If I lose my laptop that has 18,000 valid email addresses stored in it, and somebody gets that data, should I be liable? How about the person who has a database of, oh, a couple hundred addresses?
What about addresses and phone numbers? My contacts database has about 2000 of those.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Since the courts have failed in this matter, what we might end up seeing eventually is something along the lines of the "organic" branding of food that is common in some nations. Food which is prepared without the use of chemicals, or genetic modification, and some such, uses a label such as "organic" to differentiate itself from other growers and manufacturers.
The obvious computing equivalent would perhaps be "Served by OpenBSD" or "Data Stored on Solaris" labels on websites which collect and store personal data. The same could even go for other firms that collect data. Banks, for instance, could advertise that they store their data on IBM systems.
While it doesn't really prevent attacks or theft outright, it does indicate to consumers that the company has their IT department in order. I, for one, would feel far more comfortable dealing with businesses who openly profess their use of OpenBSD, Solaris, or Linux. Likewise, I would do my best to avoid those who built their networks around other, potentially more vulnerable systems.
One of the questions that consumers might ask when dealing with a business that collects much personal information could become, "Do you run your database servers on HP-UX, OpenBSD, or Solaris?"
Cyric Zndovzny at your service.
So does this mean someone can just place a sticker on the laptop (or computer) stating, "Do not steal this equipment or the sensitive data contained within!" -- and then be protected from any liability?
[sarcasm]
Homer no function beer well without.
...has taken a closer look at a case in which a person sued their student loan company after their information -- along with 550,000 other people's -- was leaked when a contractor's laptop was stolen.
What possible reason could there be to have that much, or for that matter any, confidential data on a portable machine?!?!
Maybe the company policy allowed for this kind of thing, but the question should then be 'is this a reasonable policy'. My first thought is that if the employee works remotely and needs this data, it should all be stored on a secure server, and he/she should be working on the files without ever saving any of the data to this laptop's drive, making the company liable in this case. I'll grant there may be a good reason that I'm not aware of that explains why the data was on the laptop, but for the life of me I can't think of what it would be.
Some bring out the best in others, some the worst. Some bring out far more.
Unlike the slashdot summary of the decision.
It works for Apple.
Everybody knows that half the "policy" put together by the people managing big organizations is about covering their own collective butts, not about the practicalities of implementation or measures of actual effectiveness. It's the corporate equivalent of "plausible deniability". In this case it's "plausible responsibility", as in, they can plausibly claim to have *attempted* to implement security measures and be responsible about it, therefore, they are in the clear, regardless of actual or potential damages.
The obvious question here is what kind of crazy policy allowed someone to put 550,000 customers' credit information in an unencrypted form on an easily-stealable laptop, rather than being fixed in an office behind secured doors and encrypted? Against burglary, sure, that could happen in any office. But for information this valuable and personal, why NOT encrypt it, at least, so that if it is stolen, the stealers would face a bit of a challenge to get in to it? To not do so would be the paper equivalent of having those 550k records sitting in an open file cabinet with no lock, except that they are vastly more portable and could fit in a briefcase. Do they do that in a bank? Leave this kind of data in unlocked cabinets? Would a court rule the same if burglars broke into a home and stole 550k equivalent paper records that were lying, unlocked, in the bank manager's home office, so he could work on them there? Would that be responsible?
Really, what were the damages? What was the monetary value of the "damage" done? Did someone lose their job? Have their identity stolen? Without real damages you don't have a suit, IMO. (Real damages don't qualify as your friends laughing at you for borrowing so much money for an art history degree.) I have a hard time imagining any real damages that would be likely or did occur from this (unless someone's identity was stolen, then you could sue to recover expenses and damage to your credit). Although this country is lawsuit happy, thinking you can sue someone for sneering at you, I just don't think you should have a case, in a situation like this, unless you have real and _measurable_ damages.
In Spain the affair described in the story would have translated into a fine of 600,000 EUR (US $714,000) in application of the Organic Law on Protection of Personal Data, and the judge blaming the company for not taking enough care of data.
Depending on the physical security of the actual server rooms of a particular business, it could be quite easy for somebody to actually steal a server. Any able-bodied individual could easily carry out two or three rackmount systems. A system in a desktop case wouldn't be difficult to take, either.
Even some of the larger systems from Sun or SGI could be taken. If the entire system isn't taken, then at least any storage systems could be taken with relative ease.
Unless you're dealing with vintage Big Iron, most other servers these days would be just as easy to steal as a laptop.
Cyric Zndovzny at your service.
Here in the land of the kangaroo, we do all the hard work for the thieves and just let bank and credit statements fall off the back of a truck.
This is not an uncommon situation by any stretch of the imagination. NY state just enacted its Breach Notification act stating that any company that loses customer data must disclose this loss to its customers... with the HUGE loophole that if the data is encrypted (not mentioned what form of encryption), no disclosure needs to take place. HIPAA also states something to the same effect with our patient privacy rights... paraphrase: Any open band communication must be encrypted, any data that travels on insecure networks... neither laws mention encryption standards in anyway merely that the effort be made. Scary times we live in.
Reasonable steps, are the exact opposite of subjective. The test is what a reasonable person would view as the proper level of security for the data. Ughhh.
You will be found liable only if you should be able to foresee the damage you will create. The greater the damage that could be caused by your neglect, the greater your responsibility for preventing it.
If someone died because the data was stolen, and it was obvious that that would happen, the company would probably have been found liable.
The case I have in mind was one where a woman saw a traffic accident, went into shock, had a miscarriage and died. The judge decided that the driver who caused the accident could not possibly have foreseen that someone would die just by seeing the accident.
In this case, the judge decided that the precautions were reasonable considering the risk. If the risk, as understood by the judge, were greater then the duty of care would be greater.
I work for a large aerospace company that recently had a similar problem. An HR employee left their laptop on a bus (or subway... I can't remember the details) that had tens of thousands of employees' personal info on it: Social Security numbers, direct deposit bank account information, etc. All the data was unencrypted, of course.
The laptop was never found. The company did a horrible job letting employees know who was affected. I finally called the support number, waited on hold for 1/2 hour (on the clock, of course!) and found out that my info was not on the stolen laptop. I still alerted my banks, and put a fraud alert on my credit report in case someone tries to open a new line of credit in my name.
There have been quite a few security problems like this in other large companies recently. I'm no Economist, but it seems to me that a laptop/computer manufacturer could do a pretty good business selling laptops with encrypted filesystems, biometric readers, etc. All of the employees here have ID badges with some RFID-like thingy in it (to let us into the buildings and pay for our food at the cafeteria). Use that and a thumbprint for login? Hell yes! It's got to be better than whatever perversion of my pet's name I'm using this quarter for my password. ;-)
Our company does a lot of classified work for the US government. I still can't understand why we haven't applied security techniques from those business units to the whole company. The wheels turn slowly, I suppose.
1) Collect Data
2) Lose Data
3) ???
4) Profit!
This
Seriously, the business elite has simply lost the fear of God, and someone needs to instill it back in them. If the token jail sentences, loony leftist activism, and fear of lost reputation have failed to keep them in check, then stronger measures are needed.
I am not talking about randomly going postal, à la many a mail carrier, but a campaign of precise, systematic, lethal punishment of the most blatant offenders. Outsource American jobs to India to boost your stock a 1/4 point, well then look out. Does anyone think Ken Lay would have tanked Enron had he a reasonable fear of death? Of course not, nor will any other CEO jack around like that, if swift severe punishment were certain.
For those opposed to violence, can you think of a better solution?
If a consultant had private data on the company... perhaps confidential shareholder information, personal information about management, etc... would the company then sue the consultant if he left his/her laptop unsecured and it was stolen?
I have a laptop for work, and I leave the damn thing in the office. Then, at least, I can't be held responsible for company property if my house were broken into. If I had strongly confidential data on the thing (other than a few encryption keys, which can be changed easily enough) I would probably stick an encrypted filesystem on it.
I wonder if this is a situation where a USB drive would come in handy? Easy enough to take the thing and toss it in a secure place (vault, etc), and you could also use a secure filesystem on it, even if the OS filesystem were left open.
IANAL, so I don't know if there are legislated standards for data handling practices, but I assume there aren't in this case.
I'm not sure that a legislated security standard is a good idea. Take a look at how the US handles homeland security. With an incompetent standard, people don't even have to keep above the "well, at least you took some reasonable measures" bar. They just implement the standard, and look the other way when it's shown that it's not doing any good.
Then again, if not the fed, who SHOULD be watching over this?
existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.
That's a ridiculous statement. I'm an applications manager and the company(ies) I work for are in the HR/accounting/BPO industries. I manage a team of software developers, designers, graphic artists, etc. to create BPO software. Our software processes, and we are custodians of, a lot of sensitive personal information. Nearly everything we make, implement, buy, or use affects the security of the data and applications. I spend a substantial amount of time discussing security and IP issues with our in-house counsel. The one question he *always* asks with regard to security is "What would be reasonable for us to do to protect the data? In other words, what would a company be required to do, within reason, to protect the data that we are housing?" There is no "correct" answer to that as it's highly subjective. What he always stresses to us is "Would I be able to convince a judge or a jury that the precautions we took were in line with accepted practices, and were they reasonable enough to protect the data?". In most cases, he relies on our (my) judgement to determine whether it's enough or too little. Security is such a subjective topic - there is such a thing as too much when people who need to can't access information, and of course there is such a thing as not enough.
The real issue arises when determining what is reasonable. What's reasonable to a person whose HIPAA information is being stored might be absurd. Likewise, "reasonable" to a company might equate to "whatever we can afford", which may be far too little. It becomes a balancing act to reconcile the concerns of both sides to take what measures would be considered "reasonable" to protect the information in question. What's reasonable to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation. The minute someone tries to legislate it and define "reasonable" is the minute someone else will find loopholes and ways around it. But to say "regardless of what that policy actually is" is just plain absurd.
If you do what you always did, you get what you always got.
What I would like to know is why all this super-sensitive information is riding around in everyone's laptops. Now, I'm sure it's a great convenience for Mr. HR rep who for some reason needs to be able to look up any employee's SS# on the fly, but I think the privacy rights of the thousands of customers/employees on that laptop are much more important than the convenience of one employee. I have had my identity stolen twice in the past 12 months. One from UC Berkeley's laptop theft, and another from Georgia Tech (both universities I applied to at some point, and I didn't attend either one).
Why don't people store this kind of information on encrypted, hard-to-walk-away-with data servers? If an HR rep or some other employee needs access to the information, they should have to remotely log in to the server and access the data, and not just keep the entire data set sitting unencrypted on their personal machines at home. Seriously. I'm to the point where I think that there should be laws established in the US government that mandate how companies/institutions need to handle and protect this kind of data.
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
As Bruce Schneier always says, if the people responsible for exposing others to security risks don't lose more than the costs of applying the security, then they never will. And of course the people exposed will always lose.
--
make install -not war
The problem here lies with the application of Gramm-Leach-Bliley. The regulation merely requires financial institutions to apply reasonable protections to the customers' information. Unfortunately for most consumers, this bar is lower than one would hope. The application of GLB, and most other federal regulations, does not adequately protect the individual. This is why people should ensure they communicate with their congressional representatives to get privacy laws with teeth in place.
Tragically, the privacy laws that are currently being evaluated at the federal level water down the requirements of many state laws. For example, California's SB-1386 requires a company to report to you that your information may have been inappropriately disclosed. However, the proposed federal legislation requires companies to only disclose this to you if they believe you are at risk from this exposure. It is easy for a company to say they do not think a disclosure of your information would harm you. If you do experience ID theft, you wouldn't know what company was the source, so you would not have the ability to require the offending company to disclose the information exposure.
The upshot is...You MUST get involved in this. There are very high-paid lobbyists who want this lower level of protection for your private information. Ensure your congressional representative knows you want a law with real teeth. You can find who is your rep at: http://www.congress.org/congressorg/home/
I was involved with an IP lawyer a couple of years back. He told me to encrypt my mails to him so at a future date we could prove, if needed, that we'd made a reasonable effort to keep our R&D secret. He gave me some Norton tool with a horribly hobbled form of encryption. I was able to crack it in minutes by downloading an app from the .ru domain :-) I told the lawyer. But his response was that all we needed was to be able to prove "due diligence", not actually be secure. After all, what does some judge know about crack software downloaded off the web. The box containing the software used words like "SECURE".
And this is how the world works. Companies don't really try to make themselves secure - they just make them secure enough to convince other people that they are. I've been complicit in such things myself. One of our clients demanded we make our software development secure. We made loads of groups so we could control exactly who in the company had access to what source code. But this was braindead - people all through the company needed access to software all over the place. We couldn't partition things up in this way without hindering development. So I made all the groups and put everyone who asked in whatever groups they asked for. We could now report to the client that we had made the groups and denied permission to people outside these groups. We omitted to mention who was actually contained in each group and just said that people were in whatever groups they needed.
"The White House is not an intelligence-gathering agency," -- Scott McClellan, Whitehouse spokesman.
So ageist. I was thinking more of the lines of Red Army Faction, than Fight Club.
Start fining companies a thousand dollars a head, and watch all those "policy violations" start getting noticed.
ELOI, ELOI, LAMA SABACHTHANI!?
>What's reasonable to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation.
Good point, but bad example.
Visa and Mastercard realized they were losing money to credit card fraud. They now have contractual requirements ("PCI DSS") that tell you how to secure credit card information if you accept it. The standards are detailed, down to the level of network architecture and firewall policies. The contracts have teeth -- screw up and you can face a six-figure "fine" (penalty, really).
HIPAA, which I've also had the misfortune to peruse professionally, tries so hard to be technology-neutral and scalable from organizations like Johns Hopkins down to Old Doc Jones that it's a better example of your point. HIPAA is full of words like "reasonable" and "acceptable" in key places. At least it kinda-sorta requires encryption (it's "addressable" rather than "required" -- you don't want to know). Screw up on HIPAA, and the government can impose big fines.
Be sure to use the full 16 rounds. I've read of cryptanalytic attacks on reduced-round variants.
IANAL, but the reasonable standard isn't something the judge simply made up on the spot as the OP seems to imply. It is actually a crucial part of our law and quite commonly used, especially in negligence cases.
EvilCON - Made Famous by
For those opposed to violence, can you think of a better solution?
Yeah, the rule of law really sucks. You should come and live in Somalia. It freakin' rocks here! No lawyers. No taxes. *Everyone* has the fear of God in them. Oh, and the best thing of all: No bullshit personal data losses by stupid big businesses, because there are no big businesses. It's all nice and small and simple and manageable.
Come on out, and I'll set you up in a sweet little shack in the outskirts of Mogadishu. The occasional gunshots might wake you up at night, but I can lend you my earplugs.
Read the EFF's Fair Use FAQ
When protecting the records of millions of customers, taking reasonable precautions means it simply doesn't get stolen, ever. Anything less is negligence.
It all depends... Every situation seems to be different. Take, for example, the fact that at least in the U.S., a bartender and/or drinking establishment can be held liable if they allow a customer to get drunk, drive away, and end up in a car accident, injuring or killing another person. The premise seems to be the idea that the establishment and bartender is responsible for cutting people off before they can get to a stage where they can cause the incident.
So if you view corporate laptops in *that* light, then yes - I can see where they'd hold a company legally responsible for data lost because of a theft of a corporate laptop.
You grammar nazis need to take it easy on this poor guy. It's obvious he's not a native English speaker.
This was a US District Court case, at the lowest level of the federal judicial structure, and there are likely other decisions in other districts that may have come out differently.
Furthermore, the facts in this case don't look terribly good for the plaintiff. As others have pointed out, in a torts case you need to prove a harm. From the decision:
Brazos points out that the evidentiary record is completely devoid of any disputed facts indicating that Guin's personal information was actually on Wright's laptop at the time it was stolen, or that Guin's personal information is now in the possession of the burglar.
The rationale for summary judgment in this case is clear, because the plaintiff can't provide any evidence of harm.
The author of the SecurityFocus piece further muddies the waters by giving it the title "Strict liability for data breaches?" Strict liability is imposed in torts cases for activities that are abnormally dangerous. The case in question was purely about negligence.
Most court cases are very fact-specific, and in this one the facts were such that the law of torts gunned down the plaintiff. It wasn't the specifics of statute, but the plaintiff's inability to prove he'd been harmed that doomed the case. Imagine if in order to win a torts case, you didn't have to prove that you had been harmed. Even emotional harm cases require some actual evidence of damage to the plaintiff. What if you were a sysad and someone in the office where you work claimed you had illicitly entered their computer and taken their private information, but they had no proof. Would you want your accuser to prevail?
Read the EFF's Fair Use FAQ
But Your Honor, it was encrypted, three times! First, we converted all the letters to numbers using ASCII, then we encrypted that using ROT 13 encryption, and just to be safe we re-encrypted using ROT 13 again!
And the sad thing is, many judges would accept that.
Open Source for Open Minds
The laws in the case mentioned are written so that one has to prove actual damages, not just mishandling of your data. And the student could not prove they had been harmed much, it seems.
:-/.
This is different from, for example, the older US junk fax law or the US health information privacy law, where specific financial penalties are mentioned in the statute for misuse of the data. Even there, one might have to prove either deliberate intent to misuse or major neglect, and the company itself may be protected by having a policy in place that the guilty individual's group as a whole were following -- the suit would then have to be against the private individual who violated the policy in place, I suppose, though private individuals' pockets are somehow not often deep enough (compared to their institutions) to attract the tort lawyers.
Take it apart: Liability... *is* Minimal.
See?
(More evidence of the public-school trainwreck, I assume)
>>Take, for example, the fact that at least in the U.S., a bartender and/or drinking establishment can be held liable if they allow a customer to get drunk, drive away, and end up in a car accident, injuring or killing another person. The premise seems to be the idea that the establishment and bartender is responsible for cutting people off before they can get to a stage where they can cause the incident.
>>
I'm not contesting your point, only making an educational clarification (hence the anonymity.)
Such liability on the part of a bartender is *statutory*. The law actually reads 'a barkeep may not serve a visibly intoxicated person', 'must see to the wellbeing of their intoxicated clientele' or what have you. Different from state to state, and some don't have such provisions at all. Conversely, some (a very few) states hold *social hosts* liable. If you invite your friend over to your house, he gets blitzed, and runs over an old lady, the courts may impose liability on you for providing alcohol.
My point was that the legislature drafted law for those very situations, whereas laws over data theft are currently either construed from (arguably inappropriate) extensions of older laws, or are clunky, inept constructs that haven't evolved to reflect technology use yet. It makes good analogies hard to come by...
Everybody here is bitching about what to do when it happens, simple for me:
I go to my bank, and I ask for a credit card. I have to sign for the thing. Together with that they state that you've read the agreement statements and other legal mumbo jumbo. I ask for those things, the bank representative gets me a copy out of which I scrap all the statements I do not agree with and rewrite them according to what I think of it. I ask for a signature of the bank representative (usually I deal with their manager by then) and a signed copy of that document.
If the bank director/manager/clerk agrees with it, he places his signature and I am free from crap like this. If they don't agree, I don't get their service (credit card) because I do not want it from them with those rules imposed to it. But usually (if you are like me only change the privacy statements) they agree and sign (they don't understand anyway).
Recently I did an overdraft of a certain checking account and they charged me $32 for it and some interest. I asked where I agreed with that; the bank clerk said all accounts have that. I asked again for the document I signed agreeing to that. They got the bank director, who remembered that I did not agree and got out the documents with the statement that I agreed to it only if all my accounts were overdrafted or to such an amount that the bank was actually losing money on me as a customer (over all my accounts), and they agreed with that since I deposited quite a sum in a special savings account (saving up for a fully upgraded Quad G5) and me and my family have some international funds making me their special customer.
If they don't agree, then ask why. If it is just an answer along the lines of it being company regulations or whatever, I threaten to change my services to other companies. Usually they do agree when they are going to lose a good customer.
Really, in the USA companies do a LOT to keep their customers and give them all kinds of treats (because then you do not spread bad publicity). Of course if you order a credit card online or through mail, then you're usually screwed (although online could be debatable if you reviewed the correct information).
Custom electronics and digital signage for your business: www.evcircuits.com
You are the EU in EULA, the END USER. You count for shit. It's not corporate responsibility to keep your records private, no matter how much damage identity theft causes. You are plankton in the world of big business; your only purpose in life is to be consumed by someone up the food chain. The legal system exists to make sure that the plankton will never gang up on the whale. Get used to it.
OK, to all those that would bitch and moan about this.....it's actually a good thing for us.
Computers crash, and we get a hand slap
Computers are compromised and we get a hand slap
We write buggy code and we get a hand slap
We screw up and lose tapes destined for some offsite vault, we get a hand slap (I've been seeing this in the news from time to time)
Do you guys realize there is no other profession like this? Let's keep it this way; we are essentially unaccountable.
Corporations are just collections of people... we are or will be part of those corporations... SOX is bad enough, let's not make our jobs impossible, or better yet make ourselves legally liable for a screw-up on the job. The buck will be passed, likely to us.
Yeah this shit is bad, but we need not break the windows out of our own house.
There are a thousand different ways to decide what this is, but none of them are "subjective"; that'd be, "What Jones, with his intelligence, experiences, education, and temperament would have done under the circumstances."
If a company keeps a database of personal information, then that database must also include the personal information of all employees of the company--all the way up to the CEO...
Of course there's a difference. If you RTFA, you would know that the recipient of the stolen laptop either didn't know or didn't care about the personal information. It probably ended up in a pawnshop or at a flea market or something, not in the hands of the Russian mob. If someone *had* used that information for fraud, then there *would* be actual damage. The company would have had to spend a bunch more money on fixing the problems their customers had. If they caught some punk kid who just wanted money to buy crack or something, no one would believe a claim of "billions in damages".
No disconnect there.
I say that financial information should be protected from negligent disclosures as well. Any business, financial or otherwise, should be required to protect financial information (properly defined, but including credit card numbers and bank account numbers), subject to strict liability. There should be a private right of action, with a presumption of causation if you suffer false credit card charges within, say, 30 days of the breach. To balance what I foresee as tremendous opposition from the business sector, the law should lessen the length of time businesses have to keep private data on file. Heck, most businesses should probably delete credit card numbers from their files immediately after the transaction clears. The only businesses that can't are those that use rolling payments or frequent transactions (pay-per-use services). There might be an exception for them. The big hurdle there would be rewriting the tax laws, but Bush said he was going to do that to make life easier for businesses, didn't he?
Write your Senators and Reps. Especially if you live in a Red state. The GOP is in power now, it's time we used them properly.
This post expresses my opinion, not that of my employer. And yes, IAAL.
I work for a large insurance company.
We have about 30,000 computers or so, probably 5,000 or so laptops.
All data for customers can only be accessed through multiple secure channels, that is VPN, then another layer of security which has another password, and then another system which has even yet another password.
All of the systems are homegrown, so knowledge of the actual applications is so obscure that only a person who was familiar with the interface (i.e. actually knowing what commands to say at a login prompt) would have a chance at hacking it.
Now on top of this, the system takes months of training to even understand, and the system has multiple special commands specifically for my company just to get a password prompt to pull data.
On top of this, you would need to know what commands to use to get to a users options which again are all in house.
Sure, it's security through obfuscation, and to a point even our agents have trouble doing work without a manual. Does this make us slower to make policies and to adjust policies? Yes, that is why we have a top 100 help desk which is dedicated to assisting all of our employees and we do a damn fine job.
What amazed me when I came here was the sheer concern we have for our customers. So many companies I've seen don't seem to care, whereas we are so caring we will shut every system down at the hint of a virus, even if it's one machine and we aren't sure it even has an infection but is just doing something strange.
I have really grown proud of my company and the way they have stepped up. We recognize potential threats, issue security bulletins, read bugtraq, and really we all look deep into ways we can improve our security. Something like user's information on a laptop would be a serious security breach.
I am not shocked this company had this problem, but it's not every big business. Some large corporations care about our customers. I know that I shred papers that have people's socials on it as soon as I'm done with the information, I know that all my coworkers do as well. We are serious about security, and not out of any concern for being sued. We do this because we don't want anyone to get screwed over because it just sucks to happen.
I wish I could say what company I worked for, but I can't even give a clue, as I know some of the stuff I say may be considered a simple marketing ploy, but I want people to know that not every multibillion-dollar corp doesn't give a shit about their customers. Some do, and with a heart and soul.
I care extremely about security, I'm known as a "hacker" at my company (due to my unfortunate past), but I am the first one that is asked about a new exploit, and I readily help our teams become prepared.
Be aware, some companies care, you just have to find the right ones.
My father in law used to work for a geophysics company that sold a $30,000 software system. One of their security measures was a USB dongle. I have no idea what it did, but the software wouldn't run without it.
If you didn't want the trouble of transferring that much data back and forth, you could at least have some external way of disallowing access to whatever program they use to store data. Encryption is so simple that it's just disgusting that *nothing* was done to safeguard this.
It begs the question, though: What was a laptop doing with half a million people worth of loan data? Shouldn't that kind of thing be "locked up" on a server (or a cluster of servers) somewhere?
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
This is not quite the same situation.
In this case the company is being trusted with someone else's stuff (or 'gun') and as such has a responsibility to take whatever precautions would be considered 'reasonable'. If you were keeping firearms in a building then it is reasonable to require that the 'locks' and other 'security' be sufficient to prevent them falling into the wrong hands. In the case of this data there does not seem to have been sufficient diligence on the part of the company to protect the information entrusted to them.
Bearing in mind the damage that can be done with information like this when used for criminal purposes the penalties for careless handling of such data should be commensurate. This seems another case of the legal framework lagging significantly behind the actual situation in the wild. Hopefully cases such as this will provoke the necessary debate in the media and within the judiciary so that sensible treatment of such cases will be achieved. It is a sad fact that human/corporate nature dictates that if there is no incentive to do the 'right thing' then it is fairly unlikely to be done, if it is inconvenient or costs something.
Kind of reminds me of a while back, the whole Friendster security policy thing.
Someone at Friendster actually said:
"We have a policy that we are not being hacked."
This is very similar, only in reverse.
http://slashdot.org/article.pl?sid=03/08/13/23382
A reverence for the written word, regardless of its practical application or not, seems to be one of the most remarkable characteristics of American culture. It is evidently found comforting and enormously important to have things on paper, even if they are not actually applied and it makes very little practical difference.
The origins of this national trait would be worth someone's time to investigate. I suspect that it was a combination of protestantism, with the high importance this religion attaches to the reading of the Holy Scriptures, and the Anglo-Saxon legal tradition with its almost absurd respect for anything that can be established as a precedent.
The result usually is an intangible mass of written procedure, absolutely useless in practice, but important in court. I have only limited experience in SOP writing, but I have noticed that if you want to include any actual useful content in such a document, you have to tack it on in an addendum. There is no place for it in the template.
In that sense, I am inclined to go along with this court decision. Perhaps the loan company did not implement its written procedure; but everybody knows that official written procedure is not practical to be implemented and not really intended to be implemented. The sole reason for its existence is its existence itself.
And then people just follow their common sense, or not, for whatever that is worth. Often not much.
Makes you wonder, just how many of these "incidents" occur without any knowledge of the public. It would not surprise me to find out that my personal information is leaked or lost by one of the (hundreds? thousands?) of people collecting it on a "once every 24 months" basis. The only time you really see these things publicised is when someone gets caught trying to cover it up or when someone does some whistle blowing. (are there any laws in place that require disclosure when personal collected information is lost or stolen?) I would not be impressed to find that 75% of private information loss is unreported. "So, Henderson, you lost the backup tape? You'd better either find it or forget you ever had it!"
I work for the Department of Redundancy Department.
In the gigantic aerospace company I work for, "policy" is routinely ignored by one and all whenever possible. Top-level management spends all their time generating policies to cover their collective ass, but the reams of paper are so voluminous that no one has time to read, much less follow, the actual liability-avoidance policies.
Understanding of subject/verb agreement are also minimal, it would seem.
This misses the entire point of policing and prosecution. They are not there to protect, they are there to deter, to raise the stakes of diverging from community standards.
Yes, you're right. Punishment will not stop *ANYTHING*. Barring totalitarian fascism, "punishment" is not intended to eradicate undesirable behavior. It is merely intended to reduce its frequency. To that end, there is nothing anyone can do to reduce that frequency to zero. At a certain point you just have to accept that, basically, shit happens and that's why we have "insurance."
vandon: "Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data."
geekoid: The number one reason companies loose lawsuits is a failure to follow policy.
Lawyers deal in paper trails - that's their currency.
If it's written down on paper [or saved as 0's and 1's on a computer hard drive somewhere], then it can be introduced in court.
If it was never written down, then it can't be introduced in court. [Why do you think Bill "Yale Law School" Clinton never used email? Because he didn't want to leave an electronic paper trail of his day to day behavior.]
If a lawyer can find a piece of paper that instructs an employee [or a group of employees] to behave in a certain manner, and if he can show that they subsequently failed to behave in that manner, then he wins. Conversely, if the employees behaved in the manner that the paperwork instructed them to behave, then the lawyer loses.
Doesn't matter whether the instructions were sage advice or insanity - all that matters is that the instructions were written down on a piece of paper.
I'm working for a company that falls under the Gramm Leach Bliley Act, and think that it's a good standard. Let's face it, without some laws in place, most companies don't care squat about security. The law probably doesn't go far enough, but companies that don't do anything can now get screwed in lawsuits like these. That's a good thing.
The result of the law going into effect is pressure from up-on-high in the company to be in compliance with the law and gives justification to spend money on people and equipment/software/etc. Another company I worked at wouldn't even spend money for firewall software, because management dismissed IT's cost/benefit justification. If it didn't directly contribute to sales figures, it didn't happen. I'm glad I'm not there anymore.
Now, IT security is talked about at all levels, from IT all the way up through management. The question is asked and discussed: "Is the sensitive information adequately protected?" Having the GLBA as the hidden hammer gives the question a lot of weight. And it's made a difference, with a lot more thought being put into it. Any planning does have project time and resources set aside specifically for security. There's actually time to audit and review existing equipment, and authorization to change any blatant findings.
Is it perfect? Well, no. More time and money could certainly be used. But the effort put into it certainly exceeds the bar that the GLBA provides. I do admire the company for that.
Danny
-1, illiterate. Learn to spell, damn it. There is only one O in "lose." The verb "loose" has a completely different meaning.
Dumbasses. If you can't spell a four letter word correctly, how can anybody take your moronic spewing seriously?
A Cajun sent his son to college, and when the boy came home on spring break, the old man asked him what he'd learned.
"Pi R square," the kid says.
"What??" demands Pop. "What kind o' larnin' they givin' you, boy? Pie are round, cornbread are square!"
This is a cut-and-paste from an article on Wednesday at TechDirt: http://techdirt.com/articles/20060222/0812215_F.shtml
When I worked at Huge Financial Corporation we had a rule that all PCs (desktops AND laptops) had to be locked to the desk at all times, and all disks had to have BIOS-level password protection installed. Gangs of deputized PHBs roamed the hallways and unsecured PCs were confiscated. You had to do a considerable amount of groveling to get your PC back.
This was not because a court said anything about this, and not because of any law, it was because two incidents of laptops with sensitive data got stolen, and the media hounded Huge Financial Corporation to hell and gone, and no doubt some customers decamped. No harm was ever proven.
The market speaks louder than any law on this.