Liability for Data Breaches is Minimal
vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing half a million records of private student loan information being stolen. The court ruled that since "reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers' damages.
In fact, this case is but one example of many that we have been hearing about, and by the time the company admits it, the damage may be done. The criminals are always coming up with new ideas, scams, and tricks, such as the "You've won the lottery! Deposit this check and we'll send you your lottery winnings" scam.
Punishment, no matter how severe or financially crippling, will not stop this.
Since the courts have failed in this matter, what we might end up seeing eventually is something along the lines of the "organic" branding of food that is common in some nations. Food which is prepared without the use of chemicals, genetic modification, and such uses a label such as "organic" to differentiate itself from other growers and manufacturers.
The obvious computing equivalent would perhaps be "Served by OpenBSD" or "Data Stored on Solaris" labels on websites which collect and store personal data. The same could even go for other firms that collect data. Banks, for instance, could advertise that they store their data on IBM systems.
While it doesn't really prevent attacks or theft outright, it does indicate to consumers that the company has their IT department in order. I, for one, would feel far more comfortable dealing with businesses who openly profess their use of OpenBSD, Solaris, or Linux. Likewise, I would do my best to avoid those who built their networks around other, potentially more vulnerable systems.
One of the questions that consumers might ask when dealing with a business that collects much personal information could become, "Do you run your database servers on HP-UX, OpenBSD, or Solaris?"
Cyric Zndovzny at your service.
Actually, I believe the person bringing suit has to show they were harmed in some way, but IANAL. So, if they lost your data and somebody used that to steal money from you via identity theft, then you've been harmed. If they merely lost the data and nothing bad has happened to you? I dunno. If I were sitting on a jury, I'd have a hard time finding in your favor.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Really, what were the damages? What was the monetary value of the "damage" done? Did someone lose their job? Have their identity stolen? Without real damages you don't have a suit, IMO. (Real damages don't qualify as your friends laughing at you for borrowing so much money for an art history degree.) I have a hard time imagining any real damages that would be likely or did occur from this (unless someone's identity was stolen, then you could sue to recover expenses and damage to your credit). Although this country is lawsuit-happy, thinking you can sue someone for sneering at you, I just don't think you should have a case, in a situation like this, unless you have real and _measurable_ damages.
Seriously, the business elite has simply lost the fear of God, and someone needs to instill it back in them. If the token jail sentences, loony leftist activism, and fear of reputation lost have failed to keep them in check, then stronger measures are needed.
I am not talking about randomly going postal, à la many a mail carrier, but a campaign of precise, systematic, lethal punishment of the most blatant offenders. Outsource American jobs to India to boost your stock a 1/4 point? Well then, look out. Does anyone think Ken Lay would have tanked Enron had he a reasonable fear of death? Of course not, nor will any other CE jack around like that, if swift, severe punishment was certain.
For those opposed to violence, can you think of a better solution?
Yes.
Do you have any other stupid questions?
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
I think this qualifies as a "fundamental breakdown of the law." Not only do we have to get tougher on the companies when it comes to laws, we have to get tougher on the lawmakers. Maybe, just maybe, we should have a system that regulates lobbyists, since these types of companies seem to have really good ones.
I don't get it.
TFA discusses this point: what is "reasonable" protection? The data could easily have been encrypted, but it wasn't. Or was it "reasonable" for a consultant to have copies of 550,000 customer files on his laptop at his home at all? If you're allowed to have a gun at all for personal protection, you have to be able to keep it in your home, but the same doesn't go for data.
Everybody here is bitching about what to do when it happens. Simple for me:
I go to my bank, and I ask for a credit card. I have to sign for the thing. Together with that they state that you've read the agreement statements and other legal mumbo jumbo. I ask for those things, the bank representative gets me a copy out of which I scrap all the statements I do not agree with and rewrite them according to what I think of it. I ask for a signature of the bank representative (usually I deal with their manager by then) and a signed copy of that document.
If the bank director/manager/clerk agrees with it, he places his signature and I am free from crap like this. If they don't agree, I don't get their service (credit card) because I do not want it from them with those rules imposed to it. But usually (if you are like me only change the privacy statements) they agree and sign (they don't understand anyway).
Recently I did an overdraft of a certain checking account and they charged me $32 for it and some interest. I asked where I agreed with that; the bank clerk said all accounts have that. I asked again for the document I signed agreeing to that. They got the bank director, who remembered that I did not agree and got out the documents with the statement that I agreed to it only if all my accounts were overdrafted, or to such an amount that the bank was actually losing money on me as a customer (over all my accounts). They agreed with that since I deposited quite a sum in a special savings account (saving up for a fully upgraded Quad G5) and my family and I have some international funds, making me their special customer.
If they don't agree, then ask why. If it is just an answer along the lines of it being company regulations or whatever, I threaten to change my services to other companies. Usually they do agree when they are going to lose a good customer.
Really, in the USA companies do a LOT to keep their customers and give them all kinds of traits (because then you do not spread bad publicity). Of course, if you order a credit card online or through mail, then you're usually screwed (although online could be debatable if you reviewed the correct information).
Custom electronics and digital signage for your business: www.evcircuits.com
You have an excellent point, but I would label it being a Victim. I think this is just prudent. You don't walk down a dark alley without some expectation that you are entering a situation with a higher than normal probability of becoming a victim of something.
I live in Detroit. In Detroit we have two areas known as Cass Avenue and Woodward and Eight Mile. These places are where all the freaky shit goes on at night. Transvestites park, hookers, dealers, bangers are all pretty well represented in these two locations. Everybody who lives in or near Detroit knows that these are places you stay away from unless you are looking for one of these activities. You might consider these to be "bad places" to go. From my house, it's at least 10 miles as the crow flies to get there.
Over a decade ago companies started promoting the sale of software designed to limit where you could go on the internet. The idea was to protect your unmonitored children from these "bad places" just like you wouldn't want your children to go to Eight Mile and Woodward.
The difference is that the distance of 10 miles is harder to cover than a mouse click and 10 seconds. But the social experience is the same in either case. You can arrive at a "bad place" and without some street smarts (or e-street smarts) you end up a victim of something "bad".
We check our credit cards and other stuff not for internet transaction fraud, we check it for any fraud. So we have an expectation that any type of transaction/business has the potential of resulting in fraud. But this isn't being a victim of anything. It's a realistic street smart awareness of what happens in the world.
On the flip side of the argument: how could you conduct any business if any resulting theft could result in millions? As a company, you couldn't manage the litigation costs of selling t-shirts over the internet. So, it's acceptable to consider that reasonable efforts and practices exist within a company to at least try. If you can't allow this, then you only hand over money to the lawyers. I have to pay overhead to insurance companies and legal retainers to accommodate risk litigation expenses, real or imagined. I have to port all those costs over to you, the consumer.
So how much are you willing to pay for a t-shirt if I also have to sell you a guarantee that nothing bad will ever happen to your credit card information? What if I can sell it to you for 30% of that cost and ask you to check your credit card for transactions? Even with that guarantee, you will end up buying the product at 30% of my price because it's cheaper and you still have some expectation that my credit information won't be posted on a website within the hour.