Slashdot Mirror
Data Theft and Corporate Irresponsibility?
cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"
"You have zero privacy anyway...." "Get over it."
^ agree with above.. that is terrible. wait why does SOX compliance come into mind?
time to goto the courts with that company bud.
There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.
Start over with a fresh identitiy.
It is a bit off tangent, but I believe Ice Cube said it best: Laugh now, cry later. It is the way both the House and Senate view the problem of ID theft. They aren't doing much to protect the consumers, and allow individuals to consume personal data through public records. They may laugh now while the votes are coming, but eventually we all are going to cry later when our personal information will be the gold nuggets of the Digital Western Frontier.
Someone who never has the data to lose in the first place.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Generally, it has been my experience that people are completely willing to give up very private information whenver demanded by a company or similar seemingly legitimate and authoritative entity. I encourage everyone to be more wary and careful about who they give their SSN to. Identity theft has become a rampant problem for many people all over the world. We have to wise up and Just Say No.
--
http://wi-fizzle.com
Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
If you're afraid of your identity being stolen, Prepaid Legal can help.
An MLM scheme will help me with my fears? Do they offer counseling to overcome these fears?
I got modded down last time...
No kidding. It's like all these free iPod sites -- you get modded down because you're just hoping people will join your MLM so that you can personally profit from their fears.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.
Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.
As long was we maintain some degree of privacy, identity theft is here for the forseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.
Our company does a lot of data processing on job applicants and up to about three years ago, saying that the collection of SSN's was mandatory wasn't even second guessed. Within the last nine months, two of our customers demanded that not only do we stop collecting the applicants SSN's, but that we also purge our entire DB of previous applicant SSN. This is all due to the growing trend of corporate policy of collecting data that could be linked to identity theft. It's a liability thing for them.
.....
Not to say that we're not taking the proper steps to protect this data. In California there are state laws in place that require encryption of data if you collect any combination of personal data (including last name, home address, etc., etc.). We abide by these laws and use AES-256 encryption within our actual database systems, enforce 128bit SSL for web systems and also implement strict firewall and IDS rule sets.
Recently I spearheaded a corporate IT security review. What were our weak links and how could we prevent our company from falling victim to identity theft in the event of compromised security.
At first my IT department rebuffed this review because they felt that our data systems were secure, and I agreed! Our datacenter systems were under strict lock and key and the data was secure without question and according to California state law.... BUT, what about our desktop computers or company laptops? All too often our data analysis people perform data exports to crunch the data within SPSS or other statistical applications on their work PC's or Laptop computers.
To remedy this issue we've implemented two very simple solutions which solve any data security issues:
1) RSA SecurID Appliances -- We've implemented a two factor password/token system using RSA Key fobs. This is implemented in Domain Logins, File Server Access, Source Control and
2) Hard Drive Encryption (on portable computers) -- We use DriveCrypt Plus Pack to encrypt the entire hard drive using AES-256 encryption using two factor password/token authentication. This way, even if the laptop were lost/stolen, none of the data on the drive could be compromised (unless complete theft of key fob and knowledge of password).
Now we can boast complete data security at on our datacenter side AND any device with sensitive personal data is secure from theft.
This entire overhaul only cost our (small) company $25,000 in hardware, software and staff time.
So do I think corporate policys are to blame? Not so much. I think a lot of blame falls on the IT department and their "good enough" stance towards their companies IT security.
If you are victim of Identity theft, I would seriously research the Identity Theft prevention laws in your state, because if the company was not in compliance with those laws, you're within your rights to sue for their negligence.
I don't like the idea of a "safe harbor" or anything like that. If I give my money to a bank and they lose it, even through a "genuine mistake", I get it back. Likewise, I expect that if I give information to a company, and they lose it, they are liable for any harm that comes from that loss. The trouble is that when the governemnt gets involved, then the lawyers at the companies will get involved and they'll look for loopholes and such. There have been a couple of laws passed in the last couple of years that give protection to the companies (Why do you think the submitter was notified of the data loss? Not because the company cares about the submitter, but they get legal protection if they notify of the loss), what we need is to not have those laws and let it up to people to bring civil cases against the companies that lose the data. Yes it will be expensive, but after a few precidents are set, then it'll be easier for the little guy to go after the big companies that lose the info.
This sort of thing is exactly why class action lawsuits exist. Find a lawyer, start one. Companies will do whatever is most cost-effective, so you simply need to make losing your private data expensive.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
So why exactly is it up to the schmo to do this? Why not the company?
Cheers,
-b
No, not unless the american people elect a congress that gives a damn about something other than big corporate sponsors. That's the only reason I can think of why the US doesn't have a law that makes businesses responsible for safeguarding personal information. According to "free market" forces your SSN and credit history is only another product, much less something to be protected.
I've been hit three times myself in the last 4 months. What am I supposed to do, sue three $50B corporations?
Oh, and don't believe the neanderthals that tell you the free market lets you "vote with your business" -- not when everyone seems to be involved.
Come to think of it, I doubt a billion bucks would be enough.
I think this is going to be another area where the corporate interests are going to keep the problem happening for years to come, until it finally becomes such a screamingly big issue -- and right now it's not; "identity theft" is still a lot further down on Ma and Pa Kettle's radar screen than gay marriage and abortion and the war -- that the politicans honestly believe that they'll get thrown out of office if they don't support a protective measure against it. In any given year, the politicians (generally speaking) never pick more than a handful of issues which are popular with the people but unpopular with corporations, and nothing makes it onto that short list unless it's really, really obviously popular with a particularly critical demographic.
Then, and only then, will you see a law passed. Until then, it doesn't matter what you propose, the companies who own your information and use it for their own profit will fight any change in the status quo that gives the consumer/citizen more rights, since it must necessarily come at some expense to them.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It's only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone's SSN has been compromised, and someone is going to compile them and make them widely available.
That would be the most bitchin' thumb drive, wouldn't it? You could show it to all your friends and taunt them. I'd better not lose my keys or you're all screwed!
Would this be a good time to put in a plug for a constitutional amendment that extends personal property rights to personal data?
I will create a sig when innovation restarts in the U.S.
And, in general, you need their services more than they need your business. And it's not like you can count on competition to solve the problem: they're all like this, and it's likely there's a "gentleman's agreement" in place to keep things as they are. After all, nobody (except the customer) really benefits if someone steps up to the plate with a smaller information requirement.
Which means you'll have to just suck it up and deal, because your only other option is to not make use of the type of service in question at all.
Which is why it won't happen.
Welcome to the 21st century, where corporations, not you, control what happens to your information.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
If a credit reporting agency falsely claims that a person has gone into massive unpaid debt when actually they are the victim of criminal theft, the credit reporting agency should be liable for damages (denied loans, higher interest rates, pain and suffering) due to their libel. I think even the threat of a class action lawsuit based on these grounds would significantly clean up the big credit reporting agencies' act.
You can place a fraud alert, valid for 90 days, which will cause credit institutions to check who they give their money to before doing so. Is it just me, or is there a touch of surreal in this?
Anyway, the obvious thing to do is to put yourself on fraud alert *before* your ID is stolen, not after. And keep the alert updated at all times. This is the easy way to bounce back the cost of carelessness to those that should be careful to begin with, banks and other credit institutions.
Make the Social Security Number public to EVERYONE.
That's right, cat's out of the bag. Can of worm has been opened. Too late.
Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.
Each business entities must use their OWN issued numbers.
Wide-reaching Identity Theft Containment problem limited to just the affected business.
Now, it is time to look into three-way public keys to ensure that consumer data is not misused:
1. Merchant/Business/Corporation
2. End-user/User/
3. Arbitrator/Government
With keys signed by each other in 3-ways, secured identification and security of data compartmentilization has been greatly enhanced.
Each and every transaction is signed, sealed and delivered by all 3 parties.
Now, let's get an infrastructure going on this...
Even Bruce Schneier agrees to this.
Yeah, you've got no privacy, but that's not cause to "get over it." The reason you've got no privacy is that you are coerced into giving up your private information -- coerced by government identity-tracking, supposedly for tax purposes but far, far expanded; coerced by effective cartels, like the credit and banking industries; and coerced by laws which support those cartels in their demand for your private information. You don't even have a choice, unless you want to live as a hermit, and at an incredible economic disadvantage.
Having no privacy isn't the problem in itself; the problem is other people exercising control over you with that information. Don't "get over it." Stand up to it.
Ask yourself this.
Who would benefit from such laws, who would have to spend more money.
Then ask.
Who gives money to politicians.
Then ask.
What percent of eligable voters voted last election.
By now I think you would get the point. It will never happen. Not till americans are pissed off enough to vote. The only thing I can think of that would piss them off is the superbowl being cancelled or a blackout on american idol or something. They don't care about anything else (except the fags getting married of course).
evil is as evil does
Easy ! lets steal all Senators and Congressmen info's and post it somewhere anonymously. Then i'd bet they start to care !
No excuses. The worst are the companies that advertise their Identity Theft Protection Service for $13.00 a month in their very own letter of apology to the victims (like mine, and yes, sadly it was authentic) when they should offer a free lifetime subscription due to the heinous nature of the offense. Who wants to look forward to some idiot attempting to sell all assets 5-15 years down the line? So now "Identity Theft Protection" is the most important service to have, a service that you wouldn't have needed if the original company had done its job correctly? You've got built-in customers if you simply "lose" some files - that's so sick - that stuff needs to be protected with potent cryptographic schemes or a new identity scheme needs to be created immediately!
--I gots 99 problems but a new machine ain't one!
AMD! Asus! Whoot! 6 years!
If the bank stores all their customers' cash in cardboard boxes behind the building, then yes, prosecuting the bank would be in order.
Also, your rhethorical question is wrong. The robber will be prosecuted in any case (for robbery), even if the bank is prosecuted for gross neglegience.
Fsck that. Pure and simple. Keep the thing locked and the key under your control, that's what it's for.
Garages are much easier to break into than starting a car without the key (the latter can be fairly easy, but requires a modest amount of technical knowledge instead of just a crowbar or a sledgehammer). And once the engine is running, getting out of the garage is not a big problem (there's enough salvageable parts on the car even after it breaks through the gate or the wall. And even that is just a concern if the car is stolen for the parts).
but I leave the vehicle door unlocked and the key in the ignition for the sake of convenience.
If your quest for the ultimate convenience allows other people to be injured or worse, then be prepared to face the consequences. Putting your own convenience before other people's safety is plain reckless. It is the same thing for leaving loaded guns lying around in the house in order to save the three minutes required to get them out of the gun safe and pick up the appropriate ammo when going hunting.
http://www.smithfam.com/news2/july02a.html ;-)
http://www.answers.com/topic/credit-card-fraud
One of the two (answers/wikipedia) plagerized the other.
http://en.wikipedia.org/wiki/Credit_card_fraud
Make the credit card companies take responsibility. Make it them that has to pay for fraud and the situation will rememdy itself overnight!
Restore America: Dr. Ron Paul for President!
Nope.
If you choose to live in a country where the government is pro-corporation instead of pro-people, you've got to accept that you're powerless. If you don't like the heat, get out of the kitchen -- or do something about the chef :-)
WTF are people thinking?? I have a corporate laptop myself and there is NOTHING on it. No files with hundreds of names and SSN's on it. NOTHING. I could totally SCREW my hard drive and would loose nothing of value to the company. I could have my laptop stolen and there would be NO data of value to anyone on it(go ahead....take my pictures, I don't care). Anytime I need to work, I remote desktop to my desktop which, other then non secure departmental info, has NO COMPANY RECORDS ON IT! Granted, we have no policy that specifies what is ok and what is not ok. The problem is usually NOT the computer guys in this situation....it's clueless users trying to do a little work at home and WHUPS.....the laptop gets ganked....
Few things....
1. Treat the laptop like it's your own. Make sure it's always in a safe place. If you have to park in a shady area, take it with you.
2. If you absolutely MUST have data on the laptop, it should be corporate policy that the file is encrypted and passworded. The compny needs ot invest in security software. Maybe something that trashes the file once the password has been entered incorrectly more then 3 times.
Gorkman
An initial alert does not require a police report, and lasts for 90 days.
Why should any request for an "alert" require a police report and why does it last only 90 days? I want the bloody "alert" on my "account" to be there PERMANENTLY.
Now if there is a police report and there is evidence of someone actually using the information you can have it bumped up to 7 years but that's still far from permanent.
Why are we, the consumer (the victims in this case) required to repair the screwups inflicted on us by the credit reporting industry who largely created this problem in the first place.
So
Encryption will do the job without requiring the thief to be phenomenally stupid.
The comparison is a bit slanted, if a someone robs your bank, you're not really inconvenienced, as the bank is insured - your money is safe.
This particular case is more like you depositing a copy of your house key with your neighbour (in case you should lose yours), and that KEY gets stolen. Your neighbour might tell you that the key is gone - and worse yet, that the key actually has a tag with your name and address attached to it. So, until you can go and change your locks, your home is basically compromised and it takes a lot of effort keeping it safe, until the locks are replaced.
With the stolen social security numbers, you can't switch your social security number easily, if at all? Is it possible at all to apply for a new social sec no in the US moving your data to the new one, but invalidating the old one?
In the example with your key getting stolen from a neighbour's property; of course, it's not really the neighbour's fault, if someone breaks into his house.
BUT - the neighbour might be liable, if gross negligence aided losing the key in the first place (i.e. putting up a sign with an arrow pointing to the key with all the data as to whose key it is, right outside on the front lawn - without any protective measure).
If an agency hands over your data to an outside contractor - they HAVE to put safeguards in place (check out the contractor's background/reputation, and *his* security measures), because they are handing away data that you *entrusted* to them. Just handing out blanket data, without properly protecting it (really good encryption, at the least, with the key being nowhere near the laptop during transport), is them breaking your trust.
And THAT is something that might make them very well liable for what happens.
(Needless to say - even those that will pay for free credit checks for a year, what's that to say, at all? THEY broke your trust by not safeguarding the data, and while they pay for the checks (for a limited time), they are not paying for your time following up the checks and/or the hassle in case something happens.)
It seems the root of this problem is identity thieves and the credit companies that will hand out credit to people with no waiting period and minimal identity checks. Do people REALLY need to go into Best Buy, apply for a credit card, and have a $5,000 line of credit to use immediately? Wouldn't it be worth the inconvenience of waiting a day or two for credit approval in order to nip the massive identity theft problem in the ass? It basically comes down to the greed of the credit houses, the greed of the stores and banks giving out the credit cards, and the greed of the assholes actually stealing other peoples identities. If congress would start holding the credit companies and stores giving credit to task in cases of identity theft (instead of just letting them harass the hell out of innocent people) I think we'd see a sharp decline in the number of identity theft cases. Then, just for icing on the cake, why not make create some police task forces that deal strictly with identity theft cases and make the crime itself have some incredibly severe punishment (after all, you are stealing someone else's LIFE!).
Anway, that's my rant for the day.
I find laziness to be an excellent motivator.
It depends on the type of consumer you are. If you're a net-debtor, you have to bow down before them and accept your role as a peon. However, if you live within your means, you always have the option of telling them to stuff it. You can't do anything about the companies who amass and lose your data, unless you can afford to sue all of them.
What I don't understand is why people spend unlimited time negotiating with companies they have no legitimate association with. If a company is reporting that I owe them $10k, that's an actual monetary damage that I'm sufferring, which gives me a basis for taking them to court. I'd sue the creditor at that point because they are an active participant in the fraud being perpetrated. The companies granting credit based on information that is widely disseminated know that a certain percentage of the applications are fraudulent, but it's more cost effective to put the burden back on the individual in those cases. I think the burden should be put back on the companies to make it less cost effective. Talking to customer service people about a debt that isn't yours is painful and not likely to get any assistance. They can only walk all over you with your permission. Of course, the only way to make this work is to be willing to accept black marks on your credit report until it's resolved.
The UK (and, I believe, most of the EU), has a Data Protection Act.
Briefly, this states that data must be:
* fairly and lawfully processed;
* processed for limited purposes;
* adequate, relevant and not excessive;
* accurate and up to date;
* not kept longer than necessary;
* processed in accordance with the individual's rights;
* secure;
* not transferred to countries outside the European Economic area, unless there is adequate protection.
Does such a thing really not exist in the US, an economy where information is king?
Here's the difference. If I secure my car properly it will not get stolen, and if it does then it truely wasn't my fault.
If I leave the key in the ignition, then I was negligant
If a corportaion has sensitive information inside a secure file, with high security, encryption, not easily accessible, behind secure firewalls, and it gets stolen then yeah, not their fault.
If one of their employees decided to download something while at work and it turned out to be a trojan, and eventually led to compromising private information, then it is the company's fault for not being secure.
Stolen information should be rare, not commonplace.