Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Theft and Corporate Irresponsibility?

Posted by ryuzaki0 on from the they-lose-we-pay dept.

cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

6 of 352 comments (clear)

  1. I just got "the letter" too by bsartist · · Score: 5, Informative

    Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?

    --
    Lost: Sig, white with black letters. No collar. Reward if found!
  2. You can place a fraud alert on your credit report by tlambert · · Score: 5, Informative

    You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.

    The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.

    The direct link for the Experian site to do this is:

    https://www.experian.com/consumer/cac/InvalidateSe ssion.do?code=SECURITYALERT

    More advice available here for identity theft victims:

    http://www.consumer.gov/idtheft/con_steps.htm

    Hopefully, you will not need it.

    -- Terry

  3. Re:Me too (twice even)! by RootsLINUX · · Score: 3, Informative

    Damn, just after I posted this I realized I forgot to mention another part (which parts 5 and 6 are also dependent on in the same way they are dependent on parts 1-4)

    7. In the case of theft, any and all persons that may have had their information stolen in the theft must be informed within a 48 hour period upon discovery of the theft. No party may with hold or keep secret the theft any longer, or they are subject to further financial obligation to the victims.

    Of course "48 hours" is something I pulled out on a whim right now, and "all persons that may be effected" can be intentionally misinterpreted by a party. In reality, if one person's information was stolen, there is a non-zero chance that everyone else had the possibility of having that information stolen.

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
  4. Re:Maybe... by cimmer · · Score: 4, Informative

    A sampling of "crappy organizations" that have lost sensitive peronal information of their clients in the last couple of months:

    Ernst & Young
    Humana
    AIG
    Union Pacific Railroad
    The State of Colorado
    The State of Oregon
    The State of Minnesota
    Hotels.com
    University of Miami
    University of Kentucky
    Miami University of Ohio
    The YMCA
    The Red Cross
    The Department of Energy
    The IRS
    The Veterans Administration
    The IRS

  5. Credit freeze under fire by greeneggs2000 · · Score: 5, Informative
    Don't worry, Congress is on the case. Republicans are trying to overturn state laws protecting against identity theft. Overriding the California law is particularly important, even to people who don't live in California -- it is the California law which has forced companies to disclose identity thefts in the first place (they have to disclose thefts involving Californians, but that's most of them).

    Credit Freeze Under Fire

    'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."

    'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.

    '"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'

  6. Re:Recourse by Choco-man · · Score: 4, Informative

    I've had this happen to me 4x in the last 2 months. I urge you all to write your congress-person and state attorney general (not email, write the letter folks) - here's what i am sending:

    Senator Specter,

    I am writing to voice my concern over the lack of control many corporations have over my personal information - and just as importantly, the lack of recourse I have as a citizen should those corporations abuse my information. Over the course of the past 60 days, I've received 4 notices that a given corporation - two of which I don't even do business with, nor have I ever - have had my personal information compromised. Two of them were kind enough to provide suggestions as to what steps I should take to monitor this, one of them simply stated that they'd allowed my information to be compromised, and the final one actually sent me an empty envelope. I contacted them based on their return address to make an inquiry, and obtained confirmation that that too had compromised my information.

    All this within a two-month period. And these are the ones that have voluntarily divulged that my information has been compromised - I'm assuming there have been other incidents that have not been disclosed.

    It's absurdly obvious to me that, at minimum, there needs to be minimum standards of data protection, and recourse for the individual in the event that one suffers personal loss as a result of a corporation not adhering to those minimum standards of protection. In the day of high speed data transmission and very powerful encryption techniques, it's ludicrous that they are transporting these types of sensitive information around on unencrypted computers and on non-secured servers or portable drives.

    I do not want to wait until something detrimental occurs to me before I take action. Identify theft has become so common place that it's become background noise, and we as a society have accepted it as a part of life in the modern world - this can not be the solution. Until there are ramifications for corporations that mistreat personal data that results in personal harm, there is no incentive for them to alter their behavior.

    I certainly do not have the answer, nor would I presume to tell you what should be done to rectify this. I would, however, ask that you expend some resources to find and implement a solution to the issue. I am quite confident that were the tables turned, and I were to disclose damaging information that affected the fiscal health of those companies, that the repercussions I would face as a result from them would be quite serious.

    Thank you for your time.

    Regards,