Data Theft and Corporate Irresponsibility?
cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"
Forward all of your bills to them.
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
Would you kindly mod me +1 insightful?
"You have zero privacy anyway...." "Get over it."
^ Agree with above... that is terrible. Wait, why does SOX compliance come to mind?
Time to go to the courts with that company, bud.
For most things, organizations don't need much if any of your information. They want it to mine... there is no downside for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.
There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.
Start over with a fresh identity.
There are two simple prescriptions for this:
1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.
2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expounds on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.
Get the liability in order and regulation will be the preferable alternative.
Yeah, go to another company and steal their computers.
Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?
Lost: Sig, white with black letters. No collar. Reward if found!
Japan has a strong law and companies must follow certain procedures for storage of over 500 names, which has a major effect on business. It hasn't increased security per se, considering the thefts in the news, but if you could show they did not follow the law they would be liable I think. As for the U.S. my guess (IANAL) would be that you'd have to get info about how they stored your data and what happened, and then prove their negligence, and who knows if there is even a precedent (groklaw?)
It is a bit off tangent, but I believe Ice Cube said it best: Laugh now, cry later. It is the way both the House and Senate view the problem of ID theft. They aren't doing much to protect the consumers, and allow individuals to consume personal data through public records. They may laugh now while the votes are coming, but eventually we all are going to cry later when our personal information will be the gold nuggets of the Digital Western Frontier.
"Do we, as consumers, have any recourse against these businesses?"
There's always the solution from Fight Club.
Oops. I'm not supposed to talk about that. Forget I said anything, will ya?
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
You shouldn't deal with crappy organizations
Why don't you set up a website that collects information about those who have been actually hurt by identity theft and trace it back to its source company if possible. Then give that information to a land shark for a fee. You could make $200-300 thousand.
I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the meantime, while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).
Anyway, to answer your question: IMO (and IANAL), the court would not force the 3rd party whose information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put an ID fraud alert on ASAP and, unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).
The long-term solution here, people, is to get a god damn law passed. This is absolutely ridiculous how much this occurs, and it's usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:
1. The circumstances under which a company/school/whatever may contain your personal information
2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.
How's that for a start?
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
Generally, it has been my experience that people are completely willing to give up very private information whenever demanded by a company or similar seemingly legitimate and authoritative entity. I encourage everyone to be more wary and careful about who they give their SSN to. Identity theft has become a rampant problem for many people all over the world. We have to wise up and Just Say No.
--
http://wi-fizzle.com
Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
Look; go after the company for negligence. If they used Windows, then show that their usage of Windows was irresponsible (it is). If they allowed an employee/contractor to take data that had your information on it, then sue them for not locking down the box or allowing it out in the first place. Sadly, Congress is trying to pass laws that make these suits disappear. But if we go after them now, then as suits are won, the companies will actually start caring about the information that they so carelessly allow out. It would be nice if the CIOs could be held legally accountable for choices that they make without consideration to security.
I prefer the "u" in honour as it seems to be missing these days.
Notice, they did get A's for Reporting and Notification and Information Dissemination. So they can't be doing all bad.
I would have given them an F for Losing the F'ing Data in the First Place. But what do I know.
The problem is outsourcing. And it doesn't matter to whom or where you outsource. Now Texas Guaranteed can say, "We followed our procedures, it's not our fault." I work with a couple people who want to outsource almost every function. Why? Because you have someone else to blame when there are problems.
Talk about taking no personal responsibility and stepping up and being accountable for yourself.
If illegals can do it, so can you. As the federal ID takes hold, it will only be the illegals who will have an easy time at getting a new ID.
I prefer the "u" in honour as it seems to be missing these days.
If you're afraid of your identity being stolen, Prepaid Legal can help.
An MLM scheme will help me with my fears? Do they offer counseling to overcome these fears?
I got modded down last time...
No kidding. It's like all these free iPod sites -- you get modded down because you're just hoping people will join your MLM so that you can personally profit from their fears.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.
The easiest way to put an alert in place is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to set up an alert, if you want to do it by phone instead.
The direct link for the Experian site to do this is:
https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT
More advice available here for identity theft victims:
http://www.consumer.gov/idtheft/con_steps.htm
Hopefully, you will not need it.
-- Terry
You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).
"National Security is the chief cause of national insecurity." - Celine's First Law
I am not a lawyer.
Generally, you only have a case if you can prove damages. Most states usually give you 1 or 2 years after you discover you have been damaged to file a case.
It is very hard to prove the link. Even if your identity is stolen within the next year, they will counter with all the other ways it could have happened. You would have to subpoena them to get a list of all the people's data they lost and see if they also had their identity stolen. That would show a correlation.
I do not want to burst your bubble, but there has not been a single major case of identity theft linked to lost or stolen data from a major company. Part of it is that it is very hard to prove and part of it is that laptop thieves usually just pawn the equipment. Laptop thieves are usually not CS majors. Most identity theft comes from phishing and spoofing.
I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.
Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.
As long as we maintain some degree of privacy, identity theft is here for the foreseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.
Our company does a lot of data processing on job applicants and up to about three years ago, saying that the collection of SSNs was mandatory wasn't even second-guessed. Within the last nine months, two of our customers demanded that not only do we stop collecting the applicants' SSNs, but that we also purge our entire DB of previous applicant SSNs. This is all due to the growing trend of corporate policy of collecting data that could be linked to identity theft. It's a liability thing for them.
.....
Not to say that we're not taking the proper steps to protect this data. In California there are state laws in place that require encryption of data if you collect any combination of personal data (including last name, home address, etc., etc.). We abide by these laws and use AES-256 encryption within our actual database systems, enforce 128-bit SSL for web systems and also implement strict firewall and IDS rule sets.
Recently I spearheaded a corporate IT security review: what were our weak links, and how could we prevent our company from falling victim to identity theft in the event of compromised security?
At first my IT department rebuffed this review because they felt that our data systems were secure, and I agreed! Our datacenter systems were under strict lock and key and the data was secure without question and according to California state law.... BUT, what about our desktop computers or company laptops? All too often our data analysis people perform data exports to crunch the data within SPSS or other statistical applications on their work PCs or laptop computers.
To remedy this issue we've implemented two very simple solutions which solve any data security issues:
1) RSA SecurID Appliances -- We've implemented a two factor password/token system using RSA Key fobs. This is implemented in Domain Logins, File Server Access, Source Control and
2) Hard Drive Encryption (on portable computers) -- We use DriveCrypt Plus Pack to encrypt the entire hard drive using AES-256 encryption using two factor password/token authentication. This way, even if the laptop were lost/stolen, none of the data on the drive could be compromised (unless complete theft of key fob and knowledge of password).
Now we can boast complete data security on our datacenter side AND any device with sensitive personal data is secure from theft.
This entire overhaul only cost our (small) company $25,000 in hardware, software and staff time.
So do I think corporate policies are to blame? Not so much. I think a lot of blame falls on the IT department and their "good enough" stance towards their company's IT security.
If you are victim of Identity theft, I would seriously research the Identity Theft prevention laws in your state, because if the company was not in compliance with those laws, you're within your rights to sue for their negligence.
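Field-level encryption of the kind the post above describes (AES-256 at rest for applicant SSNs) together with the retention purge the same poster mentions, shown as an added example in Go. This is not code from the original post or the poster's company; the key, the record layout, the "applicant:<id>:ssn" context string and the one-year retention window are all assumptions. The key is embedded only so the example runs offline; in practice it would come from a key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"time"
)

// Constructed 32-byte (AES-256) key. In a real deployment this is fetched from
// a KMS or HSM at runtime, never compiled into the binary or checked into source.
var dataKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptField seals one sensitive field with AES-256-GCM. The context string
// (e.g. "applicant:42:ssn") is bound as additional authenticated data, so a
// ciphertext copied into another record or column fails to decrypt.
func EncryptField(key []byte, plaintext, context string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per field; it is stored in front of the ciphertext.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it returns an error if the ciphertext,
// the tag or the context has been tampered with.
func DecryptField(key []byte, encoded, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(context))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Applicant is a constructed record: the SSN is only ever held in sealed form.
type Applicant struct {
	ID        string
	Name      string
	SSNSealed string
	Collected time.Time
}

// PurgeExpired drops records whose collection date is outside the retention
// window, returning only the ones that may still be kept.
func PurgeExpired(apps []Applicant, now time.Time, retention time.Duration) []Applicant {
	var kept []Applicant
	for _, a := range apps {
		if now.Sub(a.Collected) < retention {
			kept = append(kept, a)
		}
	}
	return kept
}

func main() {
	sealed, err := EncryptField(dataKey, "123-45-6789", "applicant:42:ssn")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", sealed)
	ssn, err := DecryptField(dataKey, sealed, "applicant:42:ssn")
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", ssn)
}
```

Binding the record id into the AAD is what stops an export that was copied to a laptop from being replayed into a different row; the purge keeps the stored population small, which is the only protection that still works once a disk has left the building.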
This is one of my pet issues to debate, yet I find myself often torn. On the one hand I agree with those saying we need better recourse against those companies who sometimes outright blatantly disregard what some may argue is common sense in protecting our information. Then I find myself looking at this from the other perspective. Why is it so easy to steal an identity? When was the last time somebody asked to see your ID when you used a check and actually compared the information on your ID to your check? Why can somebody get a bank account, credit card, loan in my name by simply knowing a number? Does anybody find this disturbing?
Like I said, I'm mostly torn on this still, but I am increasingly convinced that the ease at which the information can be used plays a major role in why identity theft is thriving.
This sort of thing is exactly why class action lawsuits exist. Find a lawyer, start one. Companies will do whatever is most cost-effective, so you simply need to make losing your private data expensive.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
I second the healthcare problem as top on my list.
My data has been lost 3 times in as many years...all by the wonderful work of healthcare related companies. Seriously...how hard is it. Just don't lose it. Better yet...don't store it in the first place.
I've had to put watches on 'my accounts' with the credit reporting agencies myself for each one too. You know how irritating it is that I have to take a couple of hours out of my day to fix some other nimrod's stupidity-induced problem? Makes me want to shoot somebody. And supposedly I'm one of the people in the psych evals that proves 'more stable than most'. If I want to shoot somebody then that must mean lots of other people ARE shooting somebody over this stupidity.
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
So why exactly is it up to the schmo to do this? Why not the company?
Cheers,
-b
I believe that financial institutions that issue credit without properly identifying their customer should bear all the consequences. It's _their_ fckup - giving _their_ money to a stranger - after all.
This way, your personal data would stay what it is - your personal data, not your ID. Grandma's birthday date, mother's maiden name, your SSN, too - noone should ever be able to use this info for their profit.
With the number of high-profile data losses one wonders why HIPAA or some other privacy laws haven't been broadly enacted. Companies that contract out work should require that their contractors 1) cannot remove data from premises 2) that all computers that contain customer data be encrypted 3) that all statements of work clearly state the indemnification and liable actions for both parties. It is the responsibility of all parties to make sure customer data is kept secure and confidential.
Living in Texas and going to school currently I have not had pleasant thoughts about my personal info being released since that story broke a few weeks ago.
No, not unless the American people elect a Congress that gives a damn about something other than big corporate sponsors. That's the only reason I can think of why the US doesn't have a law that makes businesses responsible for safeguarding personal information. According to "free market" forces your SSN and credit history are only another product, much less something to be protected.
I've been hit three times myself in the last 4 months. What am I supposed to do, sue three $50B corporations?
Oh, and don't believe the neanderthals that tell you the free market lets you "vote with your business" -- not when everyone seems to be involved.
I don't see why consumers couldn't develop a comprehensive set of agreements and make these institutions sign them as a condition to getting our information. If I did it, they'd tell me to pound sand. But if we all started doing it, and they started losing business, it might just command some attention. I'm talking about agreements like "If you lose my data, you pay for the consequences."
People who do nails have to be licensed because they are doing things that may cause damage if done improperly...
The same is true for companies who maintain these large storehouses of consumer data.
Make it illegal for companies to maintain such data without a Consumer Data Management License. Set up basic rules of conduct and security for such companies and pull their license when they breach those rules.
Lawsuits from individuals will never be a threat to such companies, but the threat of freezing their valuable databases will.
Here is a link to two proposed bills on identity protection.
One is dated July 14th 2005, while the second version is dated December 8th 2005. Get off your ass and call up your senator and tell them that you feel this bill should be passed into law to protect you as either a former victim, or possible future victim. Cite some recent examples of identity theft from the news. Tell them that this is more important to you as a citizen that they are supposed to represent, compared to whatever other "important agenda" they are talking about right now in the Senate (gay marriage, starting MORE wars with countries in the name of "freedom", etc). Don't just whine and complain because no one is going to want to listen to you. Instead, push and shove so that they will be forced to do something about it!
(Cue Braveheart moment) - FFFFFRRRRREEEEEEEDDDDDDOOOOOOMMMMMM!!!!!
Oh yeah, and don't forget to buy LOTS of stock in identity theft protect companies! Citizens will win, and irresponsible parties will lose!
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
Wow, that is a lot of steps (6). Seriously, there would be some problems with obeying all those and/or finding cost-effective loopholes. Here's my solution:
1. For each name lost, a fine of $1000 is collected.
Of that amount at least half would go to the individuals affected. Then this "little" mishap that affects 1.3 million would cost TG 1.3 BILLION dollars. I'm sure that it'd ruin the company, but a ruined company is better than ruined lives IMO. After a few of these companies start losing, I'd be willing to bet that information security becomes a little more important. In fact, let's go through your list and identify what items would get done and why.
1. In order to reduce liability, companies would retain less information.
2. Similar as in (1), companies would eliminate old data in a secure fashion to reduce liability.
3. Clearly, companies would invest heavily in securing their customers' information.
4. Although, much would be implied. My solution doesn't guarantee an *explicit* statement.
5. By giving the individuals at least half of the fine they can do what they wish with the money. ID and credit protection services may be a wise investment.
6. This would be partially covered by the fine, perhaps not in full. Overall, with an increase in security and a reduction in theft there would be less lost.
Not only have two (or three? I lose track) different businesses lost my information, but I just got a letter from the Veteran's Administration that military records of tens of thousands of former servicemen and women, including me, have been lost. They were found again, and the VA doesn't *think* that the data was ever in malicious hands, but they can't really be sure.
Who can keep my records safe? No one. The only reasonable answer is that organizations, public or private, should simply not keep any information about me that they don't absolutely need, and the data that they do absolutely need should be (a) very carefully safeguarded and (b) available for my review (which is to some degree in conflict with (a), but sometimes reality is annoying that way).
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
If our legal system had not been corrupted by the loan sharking ( consumer banking/credit cards) industry you would have the right to sue for damages based on whatever this loss of your information cost you plus some measure of punitive damages for their failure to handle your information securely. Until the liability is placed squarely where it belongs identity theft will not be stopped because it doesn't hurt the bottom line.
One of my proposals.
Section 1: No sensitive information is to be stored on a laptop or home computer of any employee or contractor of any company that routinely handles sensitive personal information. Violations are a misdemeanor punishable by up to a $25,000,000 and no less than a $25,000 fine per violation, and/or up to 1 year in prison to be served by the corporate executive(s) responsible for information security.
Section 2: Any company or organization that regularly stores or uses more than 100 social security numbers, credit card, or bank account numbers, or personal and/or confidential information from its customers, contacts, or employees is liable to those on which information is kept for any damage caused by the loss or theft of that information.
Section 4: Loss or theft of more than 100 customers' or employees' sensitive information including bank/credit account numbers and/or social security numbers may be fined between $1000 and $10,000 per person affected by the loss. (ex. Lose 100,000 SS numbers and you get fined 100M to 1 Billion)
Section 5: Individuals have the right of private action and class action to seek compensatory and punitive damages against companies that stored sensitive information on them that was lost or stolen regardless of how many individuals are affected.
Section 6: Corporations engaged in the banking or credit industries that lose sensitive customer personal information forfeit all rights to collect on debts owed by individuals whose sensitive information has been lost or stolen or shared with any third party from which such data is lost or stolen, unless disclosure of such loss or theft is made within 4 business days of the discovery of the loss or theft and restitution in the amount of $10,000 per person is made, in addition to full cooperation with affected persons in recovering their identity.
My VA letter commented that info on family members might be there too. Great- now you have my wife's info too...
"Seven Deadly Sins? I thought it was a to-do list!"
Would this be a good time to put in a plug for a constitutional amendment that extends personal property rights to personal data?
I will create a sig when innovation restarts in the U.S.
"You've had your shit stolen four times?!?! What kind of loser are you?!?!"
Then I looked around, realized I had no wood to knock on, and decided to just say, "Best of luck, brother," instead.
I am not left-handed, either!
This is one of the consequences of having our Congress beholden to the corporations. I know Congress will not take any serious action. If the VA fiasco has not prodded them to actually act, nothing will.
Vote for Congressmembers who will amend the Constitution to reiterate our 4th Amendment right to security in our "homes, papers and effects" as our "right to privacy", just as the Bill of Rights reiterated our rights for those who'd pretend the Constitution doesn't require the government to protect them.
--
make install -not war
As long as Congress is owned by the corporations, the name of the game is avoidance of responsibility. No legislation that threatens to even slightly reduce their precious profits will probably pass. In addition, our ability to file class action lawsuits is also being gutted. Once again to protect the large corps.
Welcome to America.
putting the 'B' in LGBTQ+
If a credit reporting agency falsely claims that a person has gone into massive unpaid debt when actually they are the victim of criminal theft, the credit reporting agency should be liable for damages (denied loans, higher interest rates, pain and suffering) due to their libel. I think even the threat of a class action lawsuit based on these grounds would significantly clean up the big credit reporting agencies' act.
I already ruined my credit. Or more to the point, being an independent contractor, nonpayment from clients ruined my credit. If they try to buy a toothpick on credit with my info they are in for one hell of a surprise.
Credit Freeze Under Fire
'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."
'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.
'"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'
It's up to him to set the fraud alert because he's the only one allowed to do it. It's also a conscious decision to make certain transactions more difficult for the period of the alert, which is not something you'd want someone else to be able to do "for" you.
-- Terry
A credit card is the property of the bank that issued it, and is provided to the account holder for the purposes of use within the bounds of the cardholder agreement. A SSN should be treated the same way - in the context of a personal identifier, it should be treated as intellectual property of the Federal government (since it is a method of theirs to keep tabs on people). As intellectual property, the Feds can easily restrict its collection, distribution, and use.
I did not create my SSN, nor did I devise this horrible system known as Social Security. If the Feds are FORCING me to retain and use this number, they can damn well take some responsibility for it.
Maybe it is time to pass consumer protections that would allow you to create an alter ego to limit the exposure of personal information. Essentially an S-corp entity but without all the overhead. Then we go to court to setup our alter egos and then we lock up things like our SSN and the like, maybe turn them off so to speak. Then should there be a proven case of identity theft the alter ego is killed in court and a new one setup.
Ok.. much more work than it sounds, but it could still be fun.
How many people actually suffer from identity theft after incidents such as these? It seems that whenever I hear about "thousands of social security numbers" being stolen it is via the theft of a laptop which they were stored on. Most people who do this sort of snatch and grab are usually interested in the pawn shop money for the item. Even if they did find the information I would argue most aren't sophisticated enough to use it themselves and probably don't know anyone who is either. Does anyone have statistics on crimes like these? I would bet that the greater number of identity thefts that result in information such as your SS# take place in the online world, where the criminals have the knowledge to do something with what they've stolen and are actively searching for this specific information. I know in the cases (yup, plural god dammit!!!) that affected me, this was true. Granted this shouldn't go unpunished for the company that lost the information, but at least you know; I'm sure there are quite a few times when no one tells or even knows for that matter. Just remember, nothing is safe when someone is determined enough; your best bet is to make yourself a less appealing target.
*RANT ON*
Nothing will change until the "important" people get their personal information outted -- and on a regular basis.
The government (Congress, President) don't really care about folks like the veterans beyond paying lipservice to the data thefts.
Now if we'd see where all the personal information of people in the Executive and Legislative branches was stolen and published we might see some action.
I'm surprised nobody regularly publishes the information of the upper management teams of the major credit reporting agencies. Actually I'm not. Clearly these folks are helping to support ID theft by lobbying Congress to NOT allow any crackdowns. They are probably provided immunity from ID theft as a courtesy by the major ID theft organizations.
It was recently reported that Congress is working on a bill to override the 17 state laws cracking down on ID theft. One change would be the right to "freeze" your credit information. Some states allow you to do that whenever you want. The proposed change would be to allow you to freeze it only AFTER your ID had been stolen and misused (you'd have to prove it).
Nice...
*RANT OFF*
Invalid Checksum. Retrying.
is what everyone should feel approaching on the horizon when identity theft is being so mishandled and they're thinking about implementing a national ID system for immigration control/passports? More windows and doors of opportunity/motivators for the criminal element to hijack people's personal information. I agree with the first reply that congress needs to wake up or be woken up. Till these issues are taken seriously, individuals will continue to pay the highest price personally in so many ways for this, not larger interests.
Scientia et Potentia
Just wanted to say thanks and mention to those Active duty people that had their data stolen in the VA theft that they (Experian) also have an Active Duty alert that's valid for 1 year (added bonus is you won't get pre-approved credit cards for 2 years).....
M$ it's whats for diner!!!!!
I too have recently received a nice letter from the VA no less. "We've been careless with your data, sorry." Unfortunately this and more of the same are going to quickly necessitate human barcoding and National Identity. I hate that it's come to this.
Have you been DaMa9eD today?
Here at CalPoly (San Luis Obispo), they use our social security number as our student ID. Our student ID goes on pretty much any and all paperwork. You can't buy a soda without giving your SSN (literally! We can use our ID cards to buy sodas.)
What could possibly go wrong?!
(Well, for one, the accounts office lost my direct deposit form with SSN and checking account information. I turned in the form and two months later, "We don't have it!")
CalPoly is begging to be the next big identity theft story.
This won't stop until this kind of carelessness gets really expensive for these idiots.
I am going to risk the ire and wrath of the Slashdot community here, and I am surprised by my own take on the matter, since I have long been a Free Software advocate and a libertarian/free market type.
A big part of the answer to this problem is Trusted Computing. Another part of the answer is privacy legislation. I am with Schneier on this one. The costs associated with identity fraud due to negligence on the part of trusted parties handling identity information need to be placed squarely on the shoulders of the organizations that fail to protect that information. Then maybe companies will adopt responsible data handling policies.
But corporate data handling policies are not nearly enough. People will circumvent or ignore them. These policies must be enforced on a technical level. That means that IT departments need to be fully empowered with the ability to define exactly how information is transferred and stored via hosts who are at any time in the corporate network. That means something like this:
- Hosts must be running a Linux distro locked down with strict SE Linux Mandatory Access Control policies, so that only certain applications can access sensitive corporate data and then utilize certain system services. That generally means that your email client can't attach the database file containing 1.2 million SSN's to an email message and blast it unencrypted to some Hotmail account.
- Hosts must have a Trusted Platform Module (TPM) chip and must remotely attest to the corporate server *prior* to any data being transferred to the machine.
- Hosts must be running a cryptographic filesystem that is configurable via a dynamic policy. That policy is sent to the host from the corporate server *prior* to any data being transferred to the machine. Any and all data written to secondary storage must be encrypted according to that policy.
- The TPM chip in each host holds a key that is used to encrypt the data written to *any* storage medium accessible from the host. That key will only be accessible when the machine is booted into the trusted Linux distribution that is provided and supported by the corporate IT department.
- The user must authenticate on the host prior to being given access to the encrypted contents of the storage devices attached to the host.
Some of this is on the bleeding edge of what we can do, and the technology to enable all of this is already either here or is not that distant. As far as a cryptographic filesystem that is getting very close to meeting these requirements, check out eCryptfs, which is now in the -mm tree of the Linux kernel. The kernel also has full TPM device driver support, and there is an Open Source library, TrouSerS, for interfacing with the TPM. Trusted GRUB is also available for TCG measurement capability. The pieces are there, and I predict that we will soon have a base Linux distro from which IT departments can build a system that does what I describe here. Hell, maybe I'll build it myself.
IT folks need control over their machines and their data. They need to be able to dictate where information goes, how it is stored, who may access it, and for what purpose. Trusted Computing combined with transparent cryptographic filesystem technology is the answer to this problem. Either that, or stop making backups, drill our workstations to the walls, and switch off all the USB ports. We have learned many times over that we cannot depend on machines not getting stolen and we cannot depend on users adhering to corporate data handling policies. The machines responsible for handling sensitive data must be locked down, draconian style. *No* printin
The problem is the social security number. It sure made it easier for creditors to track people but it has set everyone up for identity theft. Creditors would be a lot more careful handing out credit if all they had was a name and birth date. It would also lower the cost of every THING.
You can place a fraud alert, valid for 90 days, which will cause credit institutions to check who they give their money to before doing so. Is it just me, or is there a touch of surreal in this?
Anyway, the obvious thing to do is to put yourself on fraud alert *before* your ID is stolen, not after. And keep the alert updated at all times. This is the easy way to bounce back the cost of carelessness to those that should be careful to begin with, banks and other credit institutions.
1 they are liable in court for damages. remind them of this. such damages could be id theft, time wasted, them having to buy you a house if your credit gets messed up.
2 ask them if sending these letters constitutes legal advice.
3 let them know that they should be sending these letters, and if they insist on you doing so, bill them for your time.
4 tell them that if anything even remotely funny happens, you will expect them to cancel your loan, or there will be a due diligence investigation followed by another possible lawsuit.
if more people gave these lazy companies a kick in the ass then this would quickly cease to be a problem, and those hurt by it would get the maximum compensation, plus punitive for gross incompetence...
Make the Social Security Number public to EVERYONE.
That's right, cat's out of the bag. Can of worm has been opened. Too late.
Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.
Each business entity must use their OWN issued numbers.
Wide-reaching Identity Theft Containment problem limited to just the affected business.
Now, it is time to look into three-way public keys to ensure that consumer data is not misused:
1. Merchant/Business/Corporation
2. End-user/User/
3. Arbitrator/Government
With keys signed by each other in 3-ways, secured identification and security of data compartmentalization has been greatly enhanced.
Each and every transaction is signed, sealed and delivered by all 3 parties.
Now, let's get an infrastructure going on this...
Even Bruce Schneier agrees to this.
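The three-party signing sketched in the comment above (merchant, end user and arbitrator each sign every transaction, and a record is only good when all three signatures verify), as an added example that is not part of the post. Public-key signatures are done with a Lamport one-time scheme built from SHA-256, chosen because it needs only the standard library; each key pair signs exactly one message, which is enough to show the policy. The account names, amounts and keys are constructed:

```python
"""A transaction that is valid only with all three parties' signatures
(constructed example). Signature scheme: Lamport one-time signatures over
SHA-256, an assumption made for a stdlib-only demonstration."""
import hashlib
import json
import os
from typing import Dict, List, Tuple

PARTIES = ("merchant", "user", "arbitrator")


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[list, list]:
    """Lamport key pair: 256 pairs of random secrets; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk: list, msg: bytes) -> List[bytes]:
    """For each bit of H(msg), reveal the secret of the pair selected by that bit."""
    digest = int.from_bytes(H(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def verify(pk: list, msg: bytes, sig: List[bytes]) -> bool:
    """Hash each revealed secret and compare with the public key entry the bit selects."""
    if len(sig) != 256:
        return False
    digest = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))


def canonical(tx: Dict) -> bytes:
    """Deterministic encoding so all three parties sign identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(tx: Dict, keys: Dict[str, tuple]) -> Dict[str, List[bytes]]:
    """Each party signs the canonical transaction with its private key."""
    return {p: sign(keys[p][0], canonical(tx)) for p in PARTIES}


def transaction_valid(tx: Dict, sigs: Dict[str, List[bytes]], pubkeys: Dict[str, list]) -> bool:
    """Accept only if every one of the three parties has a verifying signature."""
    msg = canonical(tx)
    return all(p in sigs and verify(pubkeys[p], msg, sigs[p]) for p in PARTIES)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (all three signed, arbitrator missing, amount altered after signing)."""
    keys = {p: keygen() for p in PARTIES}
    pubkeys = {p: keys[p][1] for p in PARTIES}
    tx = {"merchant_account": "M-0001", "user_token": "U-4711",
          "amount": 129.99, "item": "car stereo"}  # constructed
    sigs = sign_transaction(tx, keys)
    complete = transaction_valid(tx, sigs, pubkeys)
    two_party = transaction_valid(tx, {k: v for k, v in sigs.items() if k != "arbitrator"}, pubkeys)
    altered = transaction_valid(dict(tx, amount=1299.99), sigs, pubkeys)
    return complete, two_party, altered


if __name__ == "__main__":
    print(demo())
```

The user never hands anything reusable to the merchant: the merchant stores only the user's public key and the signature over this one transaction, so a stolen merchant database does not let anyone sign a new transaction in the user's name, which is the containment the comment is after.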
Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
"We've got a Destination Cuba, I repeat, we've got a Destination Cube on our hands."
ian
Forget about new accounts. With one's SSN, name, address, etc, evildoers can wreak havoc on your existing accounts.
What info is required when you call a broker by phone? Exactly.
And how does your #1 stand with respect to governmental organizations? Its great that all corps are doing Sarbares-Crap, but what about the governments??? What is the recourse when they make an entire state's taxpayer info public on the web?
Corporate accountability, their acceptance of their responsibility, and their internal support to help fix their own issues is in a laughable state anymore. It's funny when you get these letters from them how it's your own problem to correct their mistake at your own time and expense. This is obviously because they have not found it financially justifiable to manage their data in a secure means or provide support agencies to work on behalf of customers to resolve issues. Why should they when they can sell you another product that sort of fixes these problems or get away with not doing it at all.
You always get the same bs from some what is usually subcontracted support groups. "sorry sir, it's not my fault...I'm trying to help you...please don't be upset with me sir." You know you have a real problem as a corporation when you subcontract out your only direct line of feedback...whether said support is in the country or not it's turning a deaf ear on your own problems and is completely irresponsible.
Personally I think it's just part of a larger problem. Nothing matters but the almighty dollar. Companies have to make money. They can't be plagued with or expected to do things like clean up their own mess. Pick your company, pick your product, call up with a problem and this is what you get. There is no such thing as customer service anymore. It isn't a revenue generating device but operating expense and that is why it is in its fucked state. Like I said, could be a hair dryer, fork, microwave, software, your credit products, corporations universally neglect these details unless they stand in the path of generating revenue.
I can't help but think there is a real need for regulation in these areas before too long. If our information can be stolen then so can information of government partners, or government agencies, insert people where it might not be a good idea for this to be disclosed. Something needs to be done in order to mandate responsibility on to corporations since they are, as usual, completely incompetent of self governance. It would certainly be a better use of the representative's time than deliberation over gay marriage amendments and other completely ridiculous spends of government cycles and resources.
The law isn't an appropriate application for everything but this matter needs that sort of attention. Right now nobody is responsible and the information compromised belongs to us, not them, and that is why we are charged with fixing these issues. Law needs further detail on what happens in these areas to protect us from what is basically their negligence. Corporations won't fix it until it is a revenue stream or until neglect costs more money or pain than solving the problems. Go back to SOx, before that nobody gave a shit about backups and integrity of data because it was cheaper to pay the fine than fix the problems...after SOX it's a re-emerged space and everybody is talking about IP management, legal discovery, and stuff like that.
Yeah, you've got no privacy, but that's not cause to "get over it." The reason you've got no privacy is that you are coerced into giving up your private information -- coerced by government identity-tracking, supposedly for tax purposes but far, far expanded; coerced by effective cartels, like the credit and banking industries; and coerced by laws which support those cartels in their demand for your private information. You don't even have a choice, unless you want to live as a hermit, and at an incredible economic disadvantage.
Having no privacy isn't the problem in itself; the problem is other people exercising control over you with that information. Don't "get over it." Stand up to it.
Is there such a thing as Identity Insurance? If this happened to me, I'd definitely want to call my insurer, get immediate compensation and, preferably, sic them on to the scummy low-lives that f'ed up in the first place.
Cheaper than sending my rottweiler-like lawyers after them...
I think most people have no idea how the world works. People think of business as this sort of regal, professional operation. It is anything but!
Wakeup #1... seeing an entire law firm running off of a single rinky dink windows 95 computer as file server, backups done by tape every night, long term backups on cdr - very time consuming and labor intensive operation. This is a very successful firm.
Wakeup #2... someone I know (let's call her Sally) is basically a contractor for a company that takes part in a very successful multi billion dollar industry. Sally is just a little old lady who wanted to make a few extra dollars in her retirement. She is responsible for transporting large numbers of people for her company.
For each flight/bus, she is forwarded an email containing extensive contact and personal information about each passenger. She formats the list, sees that everyone gets to where they're going, etc. Fortunately, Sally is smart and cares about her job - she carefully shreds any paper records, and otherwise takes her computer security seriously when dealing with the data. But the huge corporation that contracts her out - they have offered no guidelines or recommendations on procedures when dealing with the data. Sally might as well be selling it and the corporation wouldn't know, and wouldn't care.
A lot of business is done by little old people like Sally. Big business puts on a great show - really it is just little people here and there, filling in where they can, and working at their own discretion.
So - no, your data is not safe, and it's not about to be safe. I've already received "the letter" from my college. I hope we can work together to develop awareness of this issue.
What kind of 3rd world country morons use social security numbers to identify ANYBODY?
Welcome to the new millennium. Get yourselves first unified national ID's (drivers license, id card, passport) and privacy laws (how private data should be handled, backed up, protected and who can access or require it whether it is private enterprise or gov't) then complain about ID theft.
The IRS did the same thing to me. They sent a letter to me stating that something had gone wrong with my online taxes. When i got the letter, the envelope had been opened. In plain sight, right on the front of the first page was my full social security number, full name, address, and telephone number. They might as well have given them my credit card numbers and bank accounts while they're at it. I'm still furious that it was their own stupidity that did this, despite dealing with millions of taxpayers that receive the same letters.
"What happend to just paying for a product without being constantly nibbled to death by Credit Card Ducks?"
As long as the US keeps using the SSN as both identification (like your username) and authentication (your password), we will see stuff like this happening every day. You either use it as identification (to claim an identity), in which case it doesn't matter who has the number, or you use it as authentication (to prove the claim of identity), in which case it is a secret.
Have a look at this article: http://spiresecurity.typepad.com/spire_security_viewpoint/2006/04/a_modest_propos.html "A Modest Proposal to Eliminate the SSN Façade"
The analogy of the SSN in the computer world would be like using your password as authentication in some places and as your username in other places. The moment the usage spills over from one (identification) to the other (authentication) strange things start happening and security becomes non-existent.
Conclusion: as long as providing an SSN will be regarded as proof of your claim of being a certain identity (used as authentication token), there will be issues with every construct you build around the number.
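The username-versus-password point in the comment above, as an added example that is not part of the post. Policy A treats the SSN as both the identifier and the proof of identity; policy B uses it only to look the record up and demands a separate secret, stored as a salted PBKDF2 hash. The "breach" reproduces what a lost file of names and Social Security numbers gives whoever finds it; the name, number and secret are constructed and the SSN is deliberately a non-issuable one:

```python
"""Identification versus authentication with an SSN (constructed example).
Policy A: the SSN authenticates. Policy B: the SSN only identifies."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tuned low enough for a demo


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def enroll(records: Dict[str, dict], name: str, ssn: str, secret: str) -> None:
    """Store the record keyed by SSN; the secret is kept only as a salted hash."""
    salt = os.urandom(16)
    records[ssn] = {"name": name, "salt": salt, "hash": hash_secret(secret, salt)}


def authenticate_policy_a(records: Dict[str, dict], ssn: str) -> Optional[str]:
    """SSN is identifier AND authenticator: knowing the number is being the person."""
    rec = records.get(ssn)
    return rec["name"] if rec else None


def authenticate_policy_b(records: Dict[str, dict], ssn: str, secret: str) -> Optional[str]:
    """SSN selects the record; a separate secret proves the claim."""
    rec = records.get(ssn)
    if rec is None:
        hash_secret(secret, bytes(16))  # keep timing uniform for unknown identifiers
        return None
    candidate = hash_secret(secret, rec["salt"])
    return rec["name"] if hmac.compare_digest(candidate, rec["hash"]) else None


def simulate_breach(records: Dict[str, dict]) -> List[Tuple[str, str]]:
    """What a lost 'names and SSNs only' data set hands an attacker."""
    return [(r["name"], ssn) for ssn, r in records.items()]


def demo() -> Tuple[bool, bool, bool]:
    """Returns (leak passes policy A, leak passes policy B, real owner passes policy B)."""
    records: Dict[str, dict] = {}
    enroll(records, "Jane Borrower", "000-00-0000", "correct horse battery staple")  # constructed
    name, ssn = simulate_breach(records)[0]
    leak_passes_a = authenticate_policy_a(records, ssn) == name
    leak_passes_b = authenticate_policy_b(records, ssn, "any guess") == name
    owner_passes_b = authenticate_policy_b(records, ssn, "correct horse battery staple") == name
    return leak_passes_a, leak_passes_b, owner_passes_b


if __name__ == "__main__":
    print(demo())
```

Under policy B the leaked identifier is no more useful than a leaked username, and even the full record store (salted hashes included) does not yield the secret without an offline guessing attack against PBKDF2, which is the property the comment says an SSN can never have once it doubles as the password.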
There's a difference between someone stealing a laptop that has your personal information on it, and someone stealing your identity. Sure, the person who stole that laptop may go on to steal your identity, but then again, he may not. It's probably just some punk looking for something expensive to sell to a pawn shop. Or some jerk student who figures on getting a laptop the cheap and illegal way.
Now, someone accessing a database with that kind of information hints at a different kind of intent. But that doesn't mean you shouldn't have a 90 day fraud alert put out in your name, either way.
In the name of the Libertarian Party, I would like to speak on this issue.
I'm appalled by all the anticapitalist rhetoric that is being spewed on Slashdot regarding the corporate use of your personal information and the occasional leak of your SSN into the wrong hands.
You people talk like you want absolute ownership over your personal information. Like you want a corporation - an entity that only exists for the purpose of maximizing net profit - to take responsibility for handling your personal information. Then you'll be holding them liable for mishandling your info. Do you realize what damage this will do to corporate profits?
That utterly reeks of communism. What's next? Treating your personal information as your own property to be handled on your terms and not theirs? Heck, if we follow that line of reasoning, the Government will have to intrude even further into our lives and implement a law to treat personal information brokers like Choicepoint and Unicru as potential data pirates. I can see it now: the Digital Millennium Privacy Act.
Corporations made America, and now you pink commies are about to create a kleptocracy in the name of your overzealous attack on public access to personal information. Sheesh.
[...end Right wing parody]
--- Grow a pair, liberals... stop letting the Republicans bully you!
No excuses. The worst are the companies that advertise their Identity Theft Protection Service for $13.00 a month in their very own letter of apology to the victims (like mine, and yes, sadly it was authentic) when they should offer a free lifetime subscription due to the heinous nature of the offense. Who wants to look forward to some idiot attempting to sell all assets 5-15 years down the line? So now "Identity Theft Protection" is the most important service to have, a service that you wouldn't have needed if the original company had done its job correctly? You've got built-in customers if you simply "lose" some files - that's so sick - that stuff needs to be protected with potent cryptographic schemes or a new identity scheme needs to be created immediately!
--I gots 99 problems but a new machine ain't one!
AMD! Asus! Whoot! 6 years!
Whether someone in government deliberately or accidentally leaves the barn door open and all SS#s and data gets blown out into the public, getting "justice" would be moot. Suppose a bribed employee takes $25 million from Kim Jong Il for the records?
You can NOT sue the Feds without an act of Congress. Congress has shown little tendency to hold government liable even when there is gross negligence.
Furthermore, I seriously doubt that the Feds have an alternate backup system to put in place if that happens. I doubt corporate data centers are preparing for the day that other ID is mandatory to verify who they are dealing with, but they should be planning for what is inevitable.
Biometric verification may well be the only way to stop identity theft, yet a lot of naysayers worrying about "big government" have failed to see we already have incompetent big government, and something needs to be done that puts the power back with the individual. A biometric could be any one of say 3 items, Iris, Finger-blood vessel, & Facial, and anyone seeking to use a financial transaction simply has to get his eye, finger, or face scanned.
Do we, as consumers, have any recourse against these businesses?
Yes. Stop doing business with them.
If the 'contract' you have/had with them said nothing about their willingness to safeguard the data, you might have a case. But somehow you'd have to prove it was 'them' who caused your loss or future loss. Good luck on that court case.
(See? Not doing business with them is simpler.)
Another 'solution'
I have worked hard to trash my credit rating. So if anyone 'steals' my identity, it won't be worth anything to them. I'm OK with any 'blowback'.
Allow me fill in some blanks...
The Hummingbird, Ltd. Corp. is in beautiful Ontario, CA if it matters.
From the TGSLC website on the issue: "Based on our continuing investigation, we have determined the number of affected borrowers is approximately 1.75 million."
Let me repeat that, it sounded vaguely important: 1.75 MILLION people!!!!
"The data set on the missing equipment only included names and Social Security numbers. No other personal information was included in the data set." Wow that should help a lot!
"Hummingbird indicated that one of its employees then downloaded the files, decrypted them, and stored them on the piece of equipment that was subsequently lost." WTF??? No really, WTF???
So is there a class action suit yet or do I need to get out the baseball bat myself?
Seems to me as long as people need to show a Social Security Number to get a Cell phone, rampant identity theft will continue. You know how many social degenerates work at cell phone stores? How many geeks like me get called to fix their PC and have access to all those Social Security Numbers? Why my State issued ID can get me whiskey and a pistol, but not a cell phone, is a mystery to me. It is clearly time to outlaw Social Security Number usage by businesses like utilities that have no need for it. They are not withholding my wages for federal taxation so why do they get the number? They say it is for a credit check but they did not perform one.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Instead of saddling businesses with another thousand-page book of regulations, how about we make it so there are no "Social Security" numbers to be stolen.
That means, of course, shutting down the entire "Social Security" system, and repealing all laws that necessitate the use of "Social Security" numbers by requiring private banks to report financial data and "verify" the identities of their customers.
No Social Security numbers means that banks and creditors have only account numbers, which usually means many numbers for any single individual, which makes identity fraud that much harder.
But of course, a simple solution like this is completely lost on the statist "There ought to be a law!" crowd here on Leftdot, not to mention the demented who, for reasons known only to them, would holler "Fascism!!!" at any attempt to shut down the "Social Security" system.
Not about employee blunder.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Companies want more and more information about us, very personal and private information, right down to your SSN and shoe size if it suits them, but they can't be held responsible for it should it show up in undesired places. Why do you think they admit so freely that they lost your info? If you had any chance to sue them over it, it would be like pulling teeth to get them to admit that anything was lost.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them.
And the sooner the better. The system is broken in so many different ways that don't affect anyone who has the power to change it that it just needs to burn to the ground for something else to be erected.
Somewhat like the American electoral system...
Logi - I can do anything, but not everything.
http://www.smithfam.com/news2/july02a.html ;-)
http://www.answers.com/topic/credit-card-fraud
One of the two (answers/wikipedia) plagiarized the other.
http://en.wikipedia.org/wiki/Credit_card_fraud
Make the credit card companies take responsibility. Make it them that has to pay for fraud and the situation will remedy itself overnight!
Restore America: Dr. Ron Paul for President!
The long-term solution here people, is to get a god damn law passed.
A starting point might be the EU Directive on Privacy: http://www.cdt.org/privacy/eudirective/EU_Directive_.html
Somehow all this trouble with identity theft seems to be a uniquely US problem.
The EU directive establishes rules for:
But that's really only half the problem. The other, and in my opinion more serious, problem is that this information should be of financial value at all. There simply should be no way to set up a line of credit or make other financial use of an SSN and your mother's maiden name. It's, frankly, preposterous that this is the case.
Logi - I can do anything, but not everything.
I don't hate the stupid companies who lose SSN numbers, instead, I'm bothered on how we as a country got into this mess in the first place.
I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.
OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.
The real problem is that there are so many other business segments who need to validate your identity, that they have piggybacked usage of the SSN as the de facto form of identity verification. This is the real segment that needs to change their behavior!
I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.
The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.
IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.
<Sigh...>
UK drivers are having their personal details *sold* by a government agency.
I think the problem is a general ignorance and apathy towards the importance of personal data. The only solution is what I call a RAL (Retard Abstraction Layer) which basically consists of all IT going through somebody who actually understands computers and IT issues.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Either the cat is all the way out of the bag, or it is close to being so already. I just operate under the assumption that someone with the desire to can find such information about me and use it to his or her advantage.
People need to quit worrying about stuffing genies back into bottles and learn to adapt. Government, businesses, and credit agencies need to learn to adapt, as well.
Yes, you lazy schmucks, this means you actually have to read your bills and check your credit report occasionally.
WTF are people thinking?? I have a corporate laptop myself and there is NOTHING on it. No files with hundreds of names and SSN's on it. NOTHING. I could totally SCREW my hard drive and would lose nothing of value to the company. I could have my laptop stolen and there would be NO data of value to anyone on it(go ahead....take my pictures, I don't care). Anytime I need to work, I remote desktop to my desktop which, other than non secure departmental info, has NO COMPANY RECORDS ON IT! Granted, we have no policy that specifies what is ok and what is not ok. The problem is usually NOT the computer guys in this situation....it's clueless users trying to do a little work at home and WHUPS.....the laptop gets ganked....
Few things....
1. Treat the laptop like it's your own. Make sure it's always in a safe place. If you have to park in a shady area, take it with you.
2. If you absolutely MUST have data on the laptop, it should be corporate policy that the file is encrypted and passworded. The company needs to invest in security software. Maybe something that trashes the file once the password has been entered incorrectly more than 3 times.
Gorkman
You think you're going to get accountability from a Republican congress? HAHAHAHAHAHAHA!!!! That's a good one.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
An initial alert does not require a police report, and lasts for 90 days.
Why should any request for an "alert" require a police report and why does it last only 90 days? I want the bloody "alert" on my "account" to be there PERMANENTLY.
Now if there is a police report and there is evidence of someone actually using the information you can have it bumped up to 7 years but that's still far from permanent.
Why are we, the consumer (the victims in this case), required to repair the screwups inflicted on us by the credit reporting industry, who largely created this problem in the first place?
PERSONAL responsibility has gone in the crapper. Because of that, companies need to crack down because most users are stupid.
In many cases the organization doesn't need the information, so don't give it.
Make it illegal for them to ask.
FYI it isn't clearly illegal to ask for a SIN in Canada. But organizations can't collect information unless they have a legitimate reason to use it.
http://www.privcom.gc.ca/cf-dc/2001/cf-dc_011105_02_e.asp
http://laws.justice.gc.ca/en/p-8.6/258076.html see 4.4.1
That same law has a series on data protection, and your right to see the information they hold. A little vague, but I think the intent is clear. It would be interesting to see how many cases have proceeded.
I would like to see them add a notification requirement.
With the high visibility of the rash of incidents of laptop thefts lately, I read an article, I think it was here on Slashdot, of a couple of companies that produce a software product that will erase the sensitive data upon receiving a special erase phrase or code via the Internet. I think this is an idea whose time has come. This should be mandatory for all government and business computers containing sensitive data. I am highly aware of the problem as I recently purchased a top of the line Dell laptop to automate my small business customer and invoice database. I am gun shy to take this machine out of my house and will look further into the above options.
I work for a small insurance company that has recently gone public. With all the regulations in place to protect investors (SOX, thank you very very much Enron, Tyco, MCI Worldcomm, and Adelphia), I can see the burden only getting worse, and as our company deals with the Health Industry I expect HIPAA to come crashing down on our heads in the next few years. We live and work in the Information Age, where "He who has the most information wins." In the old west you lived by your wits and your gun. In the Renaissance you lived by your wits and your sword. Today, we must learn to live by our wits alone.
Meddle thou not in the affairs of Dragons, for thou art crunchy and with most anything.
Since identity theft is a problem, the cause of the problem would be carelessness. That was the second company I have heard of that hasn't been practicing good security. Now, coincidentally, a company that I was working for (not naming any names) just took their shred pile (full of social security numbers, names, addresses, and probably phone numbers) and put it outside in broad daylight! Now, to make the situation worse, the containers were clearly marked as a certain type of form (if I mention the form type, I'm pretty sure someone would be able to figure out where I was working). Now, to put icing on the cake, I saw one of the sheets of paper that had a Social Security Number clearly marked, like the boxes, in broad daylight.
Now, something interesting to point out. Although the building is equipped with an eye scanner and doors that are always locked (obviously you would have to call the company to get in, or have your eyes scanned to see if you are allowed in the building) and the building is full of cameras, it doesn't stop someone from making a moronic mistake like that. I would be very surprised if that company wouldn't be sued for identity theft.
jagossel
The UK has the answer.
You'd be ok if you lived somewhere that individual rights were respected. Unfortunately you probably live in the US, which not only disrespects individual rights, but is getting into a pissing match with Europe because it wants to force the publication of personal information on European airlines...
The credit agencies definitely have too much power. A friend of mine just had auto insurance rates go up because of credit card debt. Tell me how that affects your driving record? The same applies to the cell phone providers. Why do they need to know your credit rating to issue a phone plan? It's because they sell contracts and want to get paid. Reform is needed, but who will actually make it happen? The politicians are on the payroll of the companies that like the status quo.
Of course we have no recourse ... we are just stupid, mindless automatons who blindly follow and purchase what they tell us to and we'll enjoy it.
...
Big business (like the government) doesn't give one flip about us or our well being. All they care about is the almighty dollar that they can line their pockets with.
Big business (and the government) will f**k us at the drop of a hat if they think it is in THEIR best interest and they won't lose any sleep over it.
nuff said
It seems the root of this problem is identity thieves and the credit companies that will hand out credit to people with no waiting period and minimal identity checks. Do people REALLY need to go into Best Buy, apply for a credit card, and have a $5,000 line of credit to use immediately? Wouldn't it be worth the inconvenience of waiting a day or two for credit approval in order to nip the massive identity theft problem in the ass? It basically comes down to the greed of the credit houses, the greed of the stores and banks giving out the credit cards, and the greed of the assholes actually stealing other people's identities. If congress would start holding the credit companies and stores giving credit to task in cases of identity theft (instead of just letting them harass the hell out of innocent people) I think we'd see a sharp decline in the number of identity theft cases. Then, just for icing on the cake, why not create some police task forces that deal strictly with identity theft cases and make the crime itself have some incredibly severe punishment (after all, you are stealing someone else's LIFE!).
Anyway, that's my rant for the day.
I find laziness to be an excellent motivator.
When one of the "Ruling" class gets impersonated.
I'd be willing to bet that once a congressman gets zapped, things change overnight.
---- The price of freedom is eternal vigilance. -Thomas Jefferson
Seriously, you say they informed you this contractor had your name and SSN on their computer (obviously an insecure computer)? The question I would ask of the loan provider is WHY did this contractor need your SSN?
And I would most certainly not settle for the canned response of "they required your information to carry out value added services available with your account". That's bull, they only need an account number, which should NOT be the same as your SSN. Even the Fed finally figured this one out - it is now prohibited by federal law for new driver licenses and renewals to be issued with the licensees' SSN on the license, as my wife just found out when she renewed.
This loan provider should have a very good reason for handing out your SSN to anyone. I suspect that if you checked, every phone support person at your loan provider - in fact, everyone with access to any records with SSNs - is bonded. If it turns out they unnecessarily handed out your personal info, I'm sure it would be of great interest to the agency that bonded their employees. If this contractor is not bonded, you're looking at an opportunity to make sure the midden hits the windmill. Look up this contractor at the Better Business Bureau, and see what else you can find out. Call them if you can and find out about their bonding status; ask what measures they take to secure personal data, etc.
This would also be of great interest to your state's Attorney General.
Following up on this to that extent is probably a great deal of hassle on your part, but keep in mind, it will almost certainly affect your ability to buy a residence in the future, whether you get things corrected or not.
Good luck with that.
The VA sent me a letter last week telling me that my SSN was one of the ones on the laptop stolen last month. Like I don't already have enough to worry about (a doctor is going to stick a needle in my eyeball and suck the lens out and replace it with a piece of plastic next week).
If somebody steals my identity, I'm fucking suing the VA for thirty shitloads of money.
...maybe we should go ahead and just post all our personal info on the web ourselves, and save these idiots the trouble? "Haha, nothing to steal now, b17ch3z!"
I saw it on Slashdot, it must be true!
One of the main issues on this matter is that the United States has repeatedly failed to put together effective legislation to manage privacy rights. Over the past 5 years the US has fallen substantially behind the EU and most notably Australia and Canada with respect to privacy legislation. While these Commonwealth nations still have work to do, they have built a framework that the US could and should build upon.
http://www.privcom.gc.ca/legislation/index_e.asp
At the very least it's negligence.
I received this same letter and ranted and raved about it. . . I'm still pissed.
I don't see why the media isn't outraged yet; even though they report these stories, they just gloss over them like it doesn't matter. And then they obsess over the horror of identity theft and what WE can do about it. All of our efforts are moot when the a$$hole companies/agencies are just handing data out.
I do believe that, at a minimum, 10% of my loans should be forgiven as recompense.
The Privacy Rights Clearinghouse keeps a list called "A Chronology of Data Breaches Reported Since the ChoicePoint Incident." That list shows over 200 incidents reported in the last 17 months, totalling over 88,000,000 breaches.
Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date
But what are the chances of having the same name, birth date, and address?
"Your" government doesn't give two shits about you. Because it's not really "your" government, it's Sony's and Experian's and Best Buy's and Microsoft's government, bought and paid for.
Only fools vote for Republicans, and only fools vote for Democrats, and only fools fail to vote at all.
I agree with you. But, isn't this just like insurance? They are all scams. You need pre-paid legal to make sure your insurance company pays your claim. You need a couple of mafia hitmen to make sure pre-paid legal covers your insurance case. The hitmen have the most integrity. You pay them, they will do the job. Just make sure you don't hire any hitmen that have an MBA.
I guess this bill is better than nothing, but just barely. All-in-all, it looks like another "let's do a (very) small thing for the consumer that we Congress-people can trumpet while making sure they actually have no legal recourse" bill.
That is all.
I am in the military. The government, or its contractors, has lost my information four times.
Did they offer to do anything about it? Nope.
They told me to watch out.
Can I do anything about it? Nope.
What they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, it's typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.
"National Security is the chief cause of national insecurity." - Celine's First Law
I would like to see someone sue a company for negligence when they issue a fraudulent line of credit with only a SSN to prove identity. If some company is so negligent that they identify someone by a practically public identifier they deserve whatever fraud they get hit with. If their negligent authentication practices cause someone harm then they have committed a tort and need to be sued.
Because, and this is key if you're to understand exactly how the entire world system works, you're the schmo !
--Rob
Towards the Singularity.
[shameless showoff plug] I work for an insurance company that handles large amounts of personal data and that, contrary to the current trend, actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryption software, and the implementation start to finish took less than 2 months. It was a ridiculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug] What disturbs me as much as the frequency with which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data doesn't hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if your customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.
No one is legally required to heed a fraud alert. They are commonly ignored. Even if reputable banks, etc. pay attention, the disreputable ones won't.
A credit freeze is much more useful, but the banks and credit reporting agencies are fighting it tooth and nail. There are a few states that allow them, but you can't get them if you live anywhere else.
What I say does not represent the views of my employers, my friends, my cats, or myself.
http://numsum.com/spreadsheet/show/11573
I'd like to log all personally identifiable info, ssn, dob, phone, address, email, mother's maiden name, etc that I choose to give to each company in this app. Note: I may not log the REAL values for each item.
The app should also let me create a log of interactions with the company. Whenever I'm on the phone with the company, I should be able to create a Reverse CRM entry to record the outcome. I'd collect date, phone number used, name of customer service rep, time of call, comments, and personal information used.
TOS/EULA collection should also be a feature: I should be able to save a copy of any online or offline agreement that I sign or "click-through" into this app. If it's a paper agreement, I should be able to scan a copy into the app (via PDF or whatever). The agreement will be bound to my Reverse CRM interaction record with the company.
All of this information in this self-created Reverse CRM app should be searchable. All of the data should be encrypted, and bound to my computer with strong digital rights management (DRM) techniques. This would reduce its usefulness when a trojan invades and copies all files into the ether.
This application should be created as a Free and Open Source application. Its development should be funded by the credit bureaus. Funding and support should be mandated by a federal law.
Seeing some information that I'm asked for at every freakin' step just makes me wonder if they have even thought up some legitimate use for it. Some stuff can't even be really mined, because it's useless at that fine grained level.
And in some cases it irks me that they even ask for it. E.g., ok, I can see how a bank would want my home address, birth date, etc, but FFS, nowadays you can't even register a forum account in some places without giving that info. Or the one that irked me was having to submit that info to be allowed to download a patch for a game I had bought. I mean, ffs, I thought patches were more like a late apology for releasing a half-arsed untested game, not as some token to barter against someone's personal data.
And how are they going to mine that level of detail anyway? There's a not-so-fine line between a statistic and useless trivia. E.g., it may be a statistic to track the number of wins vs losses for football teams, but it's useless trivia to track stuff like "which team has won the most games played on a rainy Tuesday evening under artificial light?"
So let's look at some of the stuff everyone asks for, and specifically what that patch download required:
- street and house number. What useful correlation can you draw from _that_ level of detail? It can be a useful statistic to see if, say, New York sells more games per capita than Chicago, or the other way around. But going datamining at the level of street and house number? Are they going to mine some trivia such as "people living on a street ending in a vowel, and whose house number is prime, buy the most games"? Or what?
- exact date of birth. Seriously, wth. I can imagine how they could use the age in years in a statistic (hence the year of birth.) But what use do they have for the day of month there? Exactly what meaningful correlation can be extracted that needs that level of detail?
So it seems to me that even data-mining is used more as an excuse than anything else. No one seems to have sat and given some serious thought as to exactly _what_ data they need for their mining operation. Everyone seems to just assume that the more data they have, the better, and that maybe just one more piece of personal information from everyone is all they need to reach that coveted critical mass and make the discovery of the century.
So, yeah, I'd like to see a law that makes them pay for every single piece of personal data lost. Not just per account lost. Each piece of extra data they have about someone should raise the total. Maybe _then_ they'll actually stop and think about whether they actually need each of those pieces of info.
A polar bear is a cartesian bear after a coordinate transform.
Of course. Sue them. Can't afford to? Tough. You'll have to wait for Eliot Spitzer to do it for you. No-one can be trusted to keep PII private, because secure working practices are always viewed as a nuisance & data security as an unwelcome expense. Until there are some massive class-action lawsuits, that won't change.
1. What you are seeing is simply the product of a) pressure from the government and b) pressure from publicity and c) actually having to compete by "doing the right thing" because their competitors are also "doing the right thing".
2. This sort of thing has always been happening since your financial information was on electronic media and computers/media have been portable (you are just hearing about it now because of #1).
3. It has been shown that the odds of being affected by mass theft/inadvertent loss-of-copies of data is very low. As long as the "leak" has been caught quickly enough your only problem is that they send you a new card. Credit histories are unlikely to be mass-used because it is very labour intensive: sure someone will be scammed but why would you be picked on specifically out of, say, the 100,000 or so "stolen".
4. Worry more about the thieves that steal a few hundred card #'s etc. from a local store by spying your use of your cards. They actually have time to turn this information into "false instruments" before they are actually invalidated by your or the Card company's actions.
Conclusion: Yes be afraid, very, very afraid. But don't expect there to be any remedies other than your own caution.
Wrong. This about privacy, not data. We all have a right to privacy, it is already the law.
http://www.usdoj.gov/foia/privstat.htm
keep your credit rating low. like i do.
Think about those requirements and the loss of revenues plus the extra cost of doing business. Even if the U.S. export laws improve, companies still need to deal with import laws in other countries. If you think it is easy to export effective cryptographic software, then take a look at Back Doors, Export, and the NSA. Take a look at the snake-oil article in that same issue of Cryptogram.
The real problem with ID theft is that the security of my "identity" is based on the secrecy of non-secret information. Far too many people and organizations have access to my name, address, DOB, and SSN for that info to be considered reliable for authenticating me. And, in fact, it isn't reliable, which is why so much stinking fraud takes place.
Frankly, I'm sick of hearing about organizations losing information. What I really want to hear about is organizations granting fraudulent credit based on flimsy authentication procedures. That's the real problem, but nobody is talking about it.
Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?)
Nice credit score you got there... would be a pity if something were to ... happen to it. We got this great "protection" plan here, and if you want to sign up today, we're running a "discount".
/cue gangsta chuckle
Make sure everyone's vote counts: Verified Voting
Yeah, well, that's the other aspect of it, and I must thank you for illustrating it: that all these intrusive questionnaires just make people lie. Which, if done for any real data mining purposes, will just taint any conclusion there.
E.g., yeah, I'm sure that if someone at EA mined my registration data, they'd conclude that Emma Ng'bendu, the widow of the former Nigerian finance minister, is one _hell_ of a gamer in spite of her old age. (Maybe I should ask them to help me transfer 80 million out of Niger while I'm at it;)
Hmm... wonder if my kind of people are to blame for the recent rush to make games for older casual gamers...
And I'll go and say that I'm even more paranoid than that when a company starts wanting personal data without a good reason to _need_ it. Even if they tried finding me by the email, it's a bogus Yahoo account, registered with a bogus SoftHome account, registered with a bogus DejaMail account (Deja doesn't even exist any more), registered with my old AOL account (hey, I was young, stupid, had just bought a modem and all I had at 9 PM was this AOL CD;). Now a government agency would probably have no problem tracing all that back, but I like to think that your average corporation isn't that determined (or has the finances) to get to the bottom of it for every single subscriber to their forums.
Still, you know, it rubs me the wrong way that they even ask for that kind of personal info.
A polar bear is a cartesian bear after a coordinate transform.
This has happened in Portland, OR. A health system employee left his laptop in his car with an entire database of patient information stored on it. A passer-by saw the free laptop and took off with it... they left the car though. It's been a huge mess for the health system and everyone involved is fairly ticked that their data was in the back of some schmuck's car.
Someone mentioned HIPAA in an earlier post and it's worth mentioning that since its inception in 1996, there have been exactly two convictions of HIPAA related infractions. Hospital systems, doctor's offices and insurance companies spend a significant amount of their resources becoming HIPAA compliant but the fact is that as long as data is stored electronically, there will always be a way to lose and abuse it. HIPAA is a toothless tiger and a national privacy policy similar to HIPAA would be horrible to implement; it's overly expensive and rarely enforced.
We need to make the consequences of data theft severe to the company that lost it and marginal to the consumer (you and I). Perhaps by some sort of version control and mutual agreement we could get there: the credit agency could ask, "does this look good?" I confirm that it is representative of my credit score and version one is created. This occurs periodically. If my credit score ever reflects inaccuracies, we go back to reporting the previous version until it is resolved. Some punishment mechanism would exist for allowing the inaccuracy and we'd all live in harmony.
My student loan company just sold my loan to Citibank. The only way I found out was a "past due" letter they sent me. For the previous 2 months I had been sending my bills to the old company, who didn't bother to forward them on to Citibank. Citibank had a field day on my credit score at the same time I was getting qualified to buy a house. Citibank didn't care when I called them and neither did the original loan company. Something must change and I'm sure things are heading that way.
Has anyone noticed the steep logarithmic rise in ID theft and related crimes? The trickery and sheer number of successful thefts keeps them coming back for more and more every day!
The problem is that Congress is unwilling to deal with the problem. The laws that apply to someone who commits ID theft are comparable to "petty theft". They absolutely won't do anything about changing it either. I wonder why that is??
Fact is that suing the companies that had an asset stolen, or have employees that fell victim to a well socially engineered web page that was brought up by a DNS hack, or who knows what, is not the solution.
We're flat-out making it profitable and easy to do for these thieves. Why are we not changing the laws to make it painful for someone who commits this???
Think about it.
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
"Their advice? Send a letter to the credit bureaus."
Not if Congress can stop you:
"Keep control of your credit
Fight for your state's credit freeze law!
Several men and women in Congress are trying to undo the laws states have enacted that allow you to freeze your credit. Freezing your credit helps prevent ID theft and helps minimize the damage if it's already happened. This bill will leave citizens more vulnerable than ever to ID theft. Give your reps a piece of your mind!
States that allow credit freeze laws
Find your representative "
http://clarkhoward.com/
> Do we, as consumers, have any recourse against these businesses?
Nope.
You, as consumers, do not have any recourse against any business.
There used to be a time where people had rights and corporations were non-entities.
Now it's the other way around.
This identity theft is getting out of hand. I am a retailer and receive fraud or stolen cards every day. The sad part is that they actually clear with the merchants because these people have enough information to make them pass. I then send them the products. Before I know it, a charge back for hundreds of dollars sometimes is sucked out of my bank account plus I am out the product. Nobody can tell me what to do either, except for contact my local police. The credit card companies don't even have a way to file a merchant complaint. Only if you are the person who got your card stolen, can you file. They need to come up with better ways to protect consumers AND merchants.
The UK (and, I believe, most of the EU), has a Data Protection Act.
Briefly, this states that data must be:
* fairly and lawfully processed;
* processed for limited purposes;
* adequate, relevant and not excessive;
* accurate and up to date;
* not kept longer than necessary;
* processed in accordance with the individual's rights;
* secure;
* not transferred to countries outside the European Economic area, unless there is adequate protection.
Does such a thing really not exist in the US, an economy where information is king?
jeremy111, if you read "Lizzy Fair's" (Travoltus, actually) post carefully, you would see that it is a parody:
"[...end Right wing parody]"
Travoltus is actually making fun of the (alleged) corporate standpoint, not supporting it.
The problem with credit card fraud as a result of identity theft is that most local police will not have the resources to handle that crime. The FBI's department of Cyber Crime starts handling crimes involving theft of customer data and identity theft when they either cross into more than one state or do more than $5000 in damage. Plus California is currently the only state that requires by law that companies report a loss of computer data to the police.
to rent an apartment from anyone who's too ignorant to know that SSNs are not required to do a credit check.
"National Security is the chief cause of national insecurity." - Celine's First Law
No matter where your sensitive information is held you have to be careful. Especially when you apply for things online. It is tough to keep your sensitive information safe and at the same time do commerce online. Some of the biggest offenders are website owners with online applications for credit. You may apply at one place, but have your application seen by multiple lenders. If you need a particular payday loan tip on what to do first with a credit offence made from a cash advance lender it would be to contact the lender directly. For payday loan tips you may visit http://www.pliwatch.org/tips_howtocomplain.html or FTC.gov for more information.
As with anything you should seek expert legal advice from a PROFESSIONAL before taking action against an individual or company. The center for responsible lending or your local community organizations should be able to help you find more resources when dealing with sensitive information issues online or offline.
All the best,
Robert James
Payday Loan Industry Watch (PLIWatch.org)