Data Theft and Corporate Irresponsibility?
cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"
Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?
Lost: Sig, white with black letters. No collar. Reward if found!
Japan has a strong law and companies must follow certain procedures for storage of over 500 names, which has a major effect on business. It hasn't increased security per se, considering the thefts in the news, but if you could show they did not follow the law they would be liable I think. As for the U.S. my guess (IANAL) would be that you'd have to get info about how they stored your data and what happened, and then prove their negligence, and who knows if there is even a precedent (groklaw?)
Look; go after the company for negligence. If they used Windows, then show that their usage of Windows was irresponsible (it is). If they allowed an employee/contractor to take data that had your information on it, then sue them for not locking down the box or allowing it out in the first place. Sadly, Congress is trying to pass laws that make these suits disappear. But if we go after them now, then as suits are won, the companies will actually start caring about the information that they so carelessly allow out. It would be nice if the CIOs could be held legally accountable for choices that they make without consideration to security.
I prefer the "u" in honour as it seems to be missing these days.
You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.
The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.
The direct link for the Experian site to do this is:
https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT
More advice available here for identity theft victims:
http://www.consumer.gov/idtheft/con_steps.htm
Hopefully, you will not need it.
-- Terry
Damn, just after I posted this I realized I forgot to mention another part (which parts 5 and 6 are also dependent on in the same way they are dependent on parts 1-4)
7. In the case of theft, any and all persons that may have had their information stolen in the theft must be informed within a 48 hour period upon discovery of the theft. No party may withhold or keep secret the theft any longer, or they are subject to further financial obligation to the victims.
Of course "48 hours" is something I pulled out on a whim right now, and "all persons that may be affected" can be intentionally misinterpreted by a party. In reality, if one person's information was stolen, there is a non-zero chance that everyone else had the possibility of having that information stolen.
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
I am not a lawyer.
Generally, you only have a case if you can prove damages. Most states usually give you 1 or 2 years after you discover you have been damaged to file a case.
It is very hard to prove the link. Even if your identity is stolen within the next year, they will counter with all the other ways it could have happened. You would have to subpoena them to get a list of all the people's data they lost and see if they also had their identity stolen. That would show a correlation.
I do not want to burst your bubble, but there has not been a single major case of identity theft linked to lost or stolen data from a major company. Part of it is it is very hard to prove and part of it is laptop thieves usually just pawn shop the equipment. Laptop thieves are usually not CS majors. Most identity theft comes from phishing and spoofing.
A sampling of "crappy organizations" that have lost sensitive personal information of their clients in the last couple of months:
Ernst & Young
Humana
AIG
Union Pacific Railroad
The State of Colorado
The State of Oregon
The State of Minnesota
Hotels.com
University of Miami
University of Kentucky
Miami University of Ohio
The YMCA
The Red Cross
The Department of Energy
The IRS
The Veterans Administration
Just like it is in Europe, my personal information is mine and I can request removal from the database (except for some special cases) and the maintainer of the database will have to comply with a written statement within two days, and can only charge a reasonable amount (iirc less than 10 Euro) for it. Can you imagine the upset Europeans feel for the fact that almost every tiny bit of information has to be sent to the government of the United States when we enter the country (especially with the 'proven trustworthiness').
Credit Freeze Under Fire
'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."
'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.
'"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'
[full disclosure: I am European]
The reason why we see this flood of identity thefts from the US is because they have legislation forcing companies to publicly announce the occurrence of such theft or at least notify the individuals affected. In the EU, no such legislation exists and companies will not disclose anything. Yes, we have data protection acts not focusing on particular industries or sectors but that doesn't mean identity theft does not occur. To make matters even worse, a recent study showed that the situation in the EU is actually worse!
Legislation requiring companies and government agencies to fully disclose identity (data) theft will drive data protection efforts in the future.
Link to study: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001176 "Why isn't Europe suffering a wave of security breaches"
Not about employee blunder.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If you leave the car unlocked and the key in the ignition, then you should be held liable for any damage caused by the car, no matter who's driving it. A car is a dangerous object, so the owner is responsible for taking at least some basic measures to prevent unauthorized operation of the vehicle.
Oh, you're laughing? That's the way it is here. We also have data protection laws that would get companies who keep unnecessary records sued to kingdom come.
The long-term solution here people, is to get a god damn law passed.
A starting point might be the EU Directive on Privacy: http://www.cdt.org/privacy/eudirective/EU_Directive_.html
Somehow all this trouble with identity theft seems to be a uniquely US problem.
The EU directive establishes rules for:
But that's really only half the problem. The other, and in my opinion more serious, problem is that this information should be of financial value at all. There simply should be no way to set up a line of credit or make other financial use of an SSN and your mother's maiden name. It's, frankly, preposterous that this is the case.
Logi - I can do anything, but not everything.
In many cases the organization doesn't need the information, so don't give it.
Make it illegal for them to ask.
FYI it isn't clearly illegal to ask for a SIN in Canada. But organizations can't collect information unless they have a legitimate reason to use it.
http://www.privcom.gc.ca/cf-dc/2001/cf-dc_011105_02_e.asp
http://laws.justice.gc.ca/en/p-8.6/258076.html see 4.4.1
That same law has a series on data protection, and your right to see the information they hold. A little vague, but I think the intent is clear. It would be interesting to see how many cases have proceeded.
I would like to see them add a notification requirement.
The medical industry has $250,000 fines for breaches of medical data combined with a get out of jail free card from the administration. Examples include doctors just throwing out medical records. The sad thing about that is how many people had to know about that, and nobody said anything.
I've had this happen to me 4 times in the last 2 months. I urge you all to write your congressperson and state attorney general (not email, write the letter folks) - here's what I am sending:
Senator Specter,
I am writing to voice my concern over the lack of control many corporations have over my personal information - and just as importantly, the lack of recourse I have as a citizen should those corporations abuse my information. Over the course of the past 60 days, I've received 4 notices that a given corporation - two of which I don't even do business with, nor have I ever - have had my personal information compromised. Two of them were kind enough to provide suggestions as to what steps I should take to monitor this, one of them simply stated that they'd allowed my information to be compromised, and the final one actually sent me an empty envelope. I contacted them based on their return address to make an inquiry, and obtained confirmation that they too had compromised my information.
All this within a two-month period. And these are the ones that have voluntarily divulged that my information has been compromised - I'm assuming there have been other incidents that have not been disclosed.
It's absurdly obvious to me that, at minimum, there needs to be minimum standards of data protection, and recourse for the individual in the event that one suffers personal loss as a result of a corporation not adhering to those minimum standards of protection. In the day of high speed data transmission and very powerful encryption techniques, it's ludicrous that they are transporting these types of sensitive information around on unencrypted computers and on non-secured servers or portable drives.
I do not want to wait until something detrimental occurs to me before I take action. Identity theft has become so commonplace that it's become background noise, and we as a society have accepted it as a part of life in the modern world - this cannot be the solution. Until there are ramifications for corporations that mistreat personal data that results in personal harm, there is no incentive for them to alter their behavior.
I certainly do not have the answer, nor would I presume to tell you what should be done to rectify this. I would, however, ask that you expend some resources to find and implement a solution to the issue. I am quite confident that were the tables turned, and I were to disclose damaging information that affected the fiscal health of those companies, that the repercussions I would face as a result from them would be quite serious.
Thank you for your time.
Regards,
Insurance isn't so much about punishing you for bad behavior as it is about trying to price itself based on what you're likely to do during the policy term. There's a lot of research that has shown this to be overwhelmingly a sound practice. From Insurance Information Institute:
The Privacy Rights Clearinghouse keeps a list called "A Chronology of Data Breaches Reported Since the ChoicePoint Incident." That list shows over 200 incidents reported in the last 17 months, totalling over 88,000,000 breaches.
The source: http://www.emergentchaos.com/archives/cat_breaches.html
(anonymous because I'm at a public computer)
cimmer
"Their advice? Send a letter to the credit bureaus."
Not if Congress can stop you:
"Keep control of your credit
Fight for your state's credit freeze law!
Several men and women in Congress are trying to undo the laws states have enacted that allow you to freeze your credit. Freezing your credit helps prevent ID theft and helps minimize the damage if it's already happened. This bill will leave citizens more vulnerable than ever to ID theft. Give your reps a piece of your mind!
States that allow credit freeze laws
Find your representative "
http://clarkhoward.com/
First off, yes I do recognize the parent post as a parody, and yes I do have a sense of humor. I found it somewhat amusing... but misleading in its intent.
I am a conservative libertarian. I subscribe heavily to libertarian thought and philosophies... and while I can't speak for the Libertarian Party (with whom I disagree on several issues), I CAN say that your parody of what libertarians stand for is way off base. So in the interests of people who don't know much about libertarians and might be confused:
Libertarians are not corporate whores. We believe in personal responsibility, which also extends to the level of corporate responsibility. The collection of personal information without my knowledge is a breach of trust, though not necessarily illegal. It's commonly accepted that the collection and controlled distribution of personal information is necessary to facilitate the modern marketplace. Whether this is the actual case or not is up for debate (I'd vote no), but a lot of people think it is, and so the marketplace proceeds as if it were true. Yes, you have the choice not to give out any personal information... if you want to live in a cave. These days you can't even rent a movie without handing over some information that will eventually be used to market crap to you. Such is life until we decide to change it. Like it or not, that is the marketplace as it stands today, and none of it is illegal unless that information is collected by force or fraud (which it IS in some cases). According to libertarian philosophy, the government has the right to protect the marketplace from force, fraud, or other criminal activities. I consider the mishandling of personal information to be a gross negligence that is well within the government's field of concern and that should be punished by law even if it does not cause me harm. No, the government doesn't necessarily need to regulate anything (and I would be against such regulation on principle)... the courts just need to put the hammer down when somebody pulls a ChoicePoint. Put it down hard... not just a slap on the wrist. Some of these companies shouldn't even exist right now. That is the opinion of a real, conservative libertarian. Not quite how it was parodied, eh?
Now that I've said that, watch the Libertarian Party come out and say something stupid...
Dark Icon