Slashdot Mirror


Data Theft and Corporate Irresponsibility?

cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

24 of 352 comments

  1. Re:Recourse by Anonymous Coward · · Score: 1, Interesting

    Since we've been using VMware ESX for our infrastructure, the idea of lost tapes (from the mountain people) was a very huge problem for us. As of recently, we found encrypted backups (esxpress) for our ESX boxes, now we have no fear of lost backups or tapes.

  2. the less information collected the better by carsonc · · Score: 5, Interesting

    For most things, organizations don't need much if any of your information. They want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.

  3. Liability, liability, liability by electroniceric · · Score: 5, Interesting

    There are two simple prescriptions for this:

    1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.

    2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expounds on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.

    Get the liability in order and regulation will be the preferable alternative.

    1. Re:Liability, liability, liability by rcw-home · · Score: 3, Interesting
      2) Create and enforce real responsibility of credit providers and credit bureaus.

      Easy. Just make libelous statements on a credit report... libel. You lost your earnest money because you couldn't get a home loan because you allegedly signed up for a credit card, maxed it out, and never repaid it? You get passed up for a job because a car purchased in your name got repossessed? You prove it, you sue the credit bureaus, you win treble damages.

      Suddenly, credit bureaus would require a lot more proof before dinging your credit score, and they'd promptly correct their mistakes.

  4. Me too (twice even)! by RootsLINUX · · Score: 4, Interesting

    I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the meantime while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

    Anyway, to answer your question: IMO (and IANAL), the court would not force the 3rd party whose information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).

    The long-term solution here people, is to get a god damn law passed. This is absolutely ridiculous how much this occurs, and it's usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:

    1. The circumstances under which a company/school/whatever may contain your personal information
    2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
    3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
    4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
    5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
    6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.
    How's that for a start?

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
    1. Re:Me too (twice even)! by Kadin2048 · · Score: 3, Interesting

      In all honesty, there's something to that idea.

      A while back when it first came out that you could call up certain companies and for less than $100 get basically anyone's cell phone records, I remember that somebody did it to the Canadian Privacy Minister (or someone to that effect, I forget their actual title) and mailed the results to them.

      Short of actually tossing tons of money at them, that's probably one of the more effective means of influencing politicians on privacy issues: make them care by putting their privacy into question along with everyone else's.

      I wouldn't ever advocate anything illegal per se, but a lot of good could potentially come from a massive data theft of every member of Congress' credit histories and banking records (besides just finding out who's really on the take).

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  5. But they got A's... by Anonymous Coward · · Score: 2, Interesting

    Notice, they did get A's for Reporting and Notification and Information Dissemination. So they can't be doing all bad.

    I would have given them an F for Losing the F'ing Data in the First Place. But what do I know.

    The problem is outsourcing. And it doesn't matter to whom or where you outsource. Now Texas Guaranteed can say, "We followed our procedures, it's not our fault." I work with a couple people who want to outsource almost every function. Why? Because you have someone else to blame when there are problems.

    Talk about taking no personal responsibility and stepping up and being accountable for yourself.

  6. Yep... by msauve · · Score: 5, Interesting
    unless they're making payments to my Social Security "account," (i.e. paying me on a W2) they don't get my SSN. Unless they're *required* by law to report tax info, they don't get my Federal Taxpayer ID (which happens to be the same as an SSN). I even went after my employer for violation of their own "Employee Privacy Policy," for giving my SSN to a third party health care provider and forced issuance of an insurance card with a non-SSN assigned number.

    You *can* do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Yep... by autophile · · Score: 2, Interesting
      What was that story someone here told about a hospital that wanted an SSN in order to provide services? The government doesn't require a hospital to collect an SSN. But a hospital is also not required to provide services without one.

      It's the Golden Rule in operation. He who has the gold makes the rules.

      Not that I'm pro-information-abuse.

      --Rob

      --
      Towards the Singularity.
  7. Health Care by skogs · · Score: 2, Interesting

    I second the healthcare problem as top on my list.

    My data has been lost 3 times in as many years...all by the wonderful work of healthcare related companies. Seriously...how hard is it. Just don't lose it. Better yet...don't store it in the first place.

    I've had to put watches on 'my accounts' with the credit reporting agencies myself for each one too. You know how irritating it is that I have to take a couple of hours out of my day to fix some other nimrod's stupidity-induced problem? Makes me want to shoot somebody. And supposedly I'm one of the people in the psych evals that proves 'more stable than most'. If I want to shoot somebody then that must mean lots of other people ARE shooting somebody over this stupidity.

    --
    Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
  8. Re:I just got "the letter" too by horatio · · Score: 4, Interesting
    What I can't figure out for the life of me, is why the hell all this information is being stored on portable (laptop) systems, and not on the servers behind locked doors and firewalls where it belongs... how do you get millions of SSNs stored locally on a damn laptop and not consider the consequences?

    Then again, hiring agencies like usajobs.gov want you to email your SSN as part of your application materials, and if you complain, they fire back some bullshit from their privacy policy...this is what they told me:

    Within the Federal job application process, Social Security Number is a unique identifier. Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date and the Federal Government is legally authorized to require this information. This authority is provided under Public Law 104-134. While job applications may occasionally be accepted in a system without the Social Security Number, your applications will likely not be accepted/processed if they do not give the hiring agency the information requested. Please know that the personal and private information you provide is encrypted during transmission and encrypted in our databases. Please also know that all personnel with access to sensitive data are legally bound to use the information only for its intended purposes. Please see our Privacy Statement: http://www.usajobs.opm.gov/privacy.asp for additional information.
    * emphasis mine to illustrate the absurdity

    I never once argued about whether they could or should be asking for. I was only asking for alternative methods besides frickin e-mail on how to provide it.

    --
    There is very little future in being right when your boss is wrong.
  9. Identity Theft Protection Act bill in the Senate by RootsLINUX · · Score: 2, Interesting

    Here is a link to two proposed bills on identity protection.

    One is dated July 14th 2005, while the second version is dated December 8th 2005. Get off your ass and call up your senator and tell them that you feel this bill should be passed into law to protect you as either a former victim, or possible future victim. Cite some recent examples of identity theft from the news. Tell them that this is more important to you as a citizen that they are supposed to represent, compared to whatever other "important agenda" they are talking about right now in the Senate (gay marriage, starting MORE wars with countries in the name of "freedom", etc). Don't just whine and complain because no one is going to want to listen to you. Instead, push and shove so that they will be forced to do something about it!

    (Cue Braveheart moment) - FFFFFRRRRREEEEEEEDDDDDDOOOOOOMMMMMM!!!!!

    Oh yeah, and don't forget to buy LOTS of stock in identity theft protection companies! Citizens will win, and irresponsible parties will lose!

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
  10. US made mistake by issuing SS numbers by happylucky · · Score: 2, Interesting

    The problem is the social security number. It sure made it easier for creditors to track people but it has set everyone up for identity theft. Creditors would be a lot more careful handing out credit if all they had was a name and birth date. It would also lower the cost of every THING.

  11. people have no idea how business works by Anonymous Coward · · Score: 1, Interesting

    I think most people have no idea how the world works. People think of business as this sort of regal, professional operation. It is anything but!

    Wakeup #1... seeing an entire law firm running off of a single rinky-dink Windows 95 computer as file server, backups done by tape every night, long term backups on CD-R - very time consuming and labor intensive operation. This is a very successful firm.

    Wakeup #2... someone I know (let's call her Sally) is basically a contractor for a company that takes part in a very successful multi billion dollar industry. Sally is just a little old lady who wanted to make a few extra dollars in her retirement. She is responsible for transporting large numbers of people for her company.

    For each flight/bus, she is forwarded an email containing extensive contact and personal information about each passenger. She formats the list, sees that everyone gets to where they're going, etc. Fortunately, Sally is smart and cares about her job - she carefully shreds any paper records, and otherwise takes her computer security seriously when dealing with the data. But the huge corporation that contracts her out - they have offered no guidelines or recommendations on procedures when dealing with the data. Sally might as well be selling it and the corporation wouldn't know, and wouldn't care.

    A lot of business is done by little old people like Sally. Big business puts on a great show - really it is just little people here and there, filling in where they can, and working at their own discretion.

    So - no, your data is not safe, and it's not about to be safe. I've already received "the letter" from my college. I hope we can work together to develop awareness of this issue.

  12. Re:Credit freeze under fire by Rick17JJ · · Score: 3, Interesting

    Another critic of that proposed law is consumer advocate Clark Howard. His article is here:

    Contact your reps over credit freezes

    According to his article, 23 states now have credit freeze protection laws. The proposed law in congress would essentially invalidate all of these state laws. After reading both the article you mention and his, it sounds to me like congressmen LaTourette and others are more concerned about the wishes of large financial institutions than protecting average consumers. The article you mentioned says this:

    For their part, financial institutions tend to dislike credit freezes because such measures serve as an impediment to easy plastic and impulse purchases (such as expensively financed new cars).

    What I find particularly troubling about the issue of identity theft is the question of "Why is the burden of proof always on the average consumer?" Identity theft victims can spend months trying to convince angry creditors that they really never did open those new charge card accounts. Shouldn't it be the financial institution's problem for failing to properly verify the identity of the person they granted credit to? The fact that an applicant knows a few basic facts such as a social security number and a mother's maiden name does not even begin to prove that they are who they say they are. If congressmen LaTourette and others don't like credit freeze laws then they should find some other methods of protecting identity theft victims before eliminating those laws. Congress seems more concerned about the interests of big business lobbyists and their campaign contributions than about identity theft victims.

  13. How did we get here? SSN as private information? by stuartg · · Score: 4, Interesting

    I don't hate the stupid companies who lose SSN numbers, instead, I'm bothered on how we as a country got into this mess in the first place.

    I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID; she was visibly shaken.

    OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.

    The real problem is that there are so many other business segments who need to validate your identity, that they have piggybacked usage of the SSN as the de facto form of identity verification. This is the real segment that needs to change their behavior!

    • Companies like Comcast who insist on the last four digits of my SSN to call the help desk?!?!
    • Universities who use the SSN as a student ID number.
    • and most importantly, Credit reporting agencies who base consumer credit scores on unverified data.

    I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.

    The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.

    IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.

    <Sigh...>

  14. I agree by Ogemaniac · · Score: 2, Interesting

    Either the cat is all the way out of the bag, or it is close to being so already. I just operate under the assumption that someone with the desire to can find such information about me and use it to his or her advantage.

    People need to quit worrying about stuffing genies back into bottles and learn to adapt. Government, businesses, and credit agencies need to learn to adapt, as well.

    Yes, you lazy schmucks, this means you actually have to read your bills and check your credit report occasionally.

  15. Re:I just got "the letter" too by Jasin+Natael · · Score: 2, Interesting
    You could fit them all on a USB thumb drive.

    Nice USB disk. Not to diminish your post, but let's do the math so people can see EXACTLY how much info would be there. 4 bytes (SSN) + 14 bytes (avg) for a name + null byte = 19 bytes each. 262 million US citizens * 19 bytes is 4.64GiB. If you keep the optimal binary format, and want to add DOB, add another 4 bytes per record for a total of 5.6GiB. First and last names are seldom unique in the US, so assume it could be compressed by 50% for a backup.

    If it was someone's goal to walk away with the data, they might actually be able to fit it all on a flash drive or DVD. If they want addresses, school records, credit history, any genealogical information (to link children to parents), maiden names, race, ethnicity, gender, marital status, etc., these would all add to the total.

    We're not quite to the point of worrying about a flash drive yet, or really even a laptop, because laptops don't tend to have that much free space. But if someone were to buy an iPod or similar player for the purpose, they could put a few albums on it and use the rest of the disk to walk away from a data center with all the information. Hell, they could be on the next flight to a country with no extradition, still listening to their favorite band, before anyone knows what happened.

    What I worry about is smaller databases, like you said. Whilst the Fed's complete database might be around 40-50GiB in compressed form, State Agencies' complete files could be 1-3GiB after gzipping. Considering the payout involved, the collusion of 50-100 people isn't out of the picture.

    --
    True science means that when you re-evaluate the evidence, you re-evaluate your faith.
  16. Re:I just got "the letter" too by Anonymous+Brave+Guy · · Score: 2, Interesting
    That argument is a logical fallacy: someone who never has the data to lose is never able to lose it.

    Precisely. How many of the organisations that collect personal data about you actually need all of that data to fulfill whatever relationship they have with you?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  17. Guaranteed? Right by Keyslapper · · Score: 2, Interesting

    Seriously, you say they informed you this contractor had your name and SSN on their computer (obviously an insecure computer)? The question I would ask of the loan provider is WHY did this contractor need your SSN?

    And I would most certainly not settle for the canned response of "they required your information to carry out value added services available with your account". That's bull, they only need an account number, which should NOT be the same as your SSN. Even the Fed finally figured this one out - it is now prohibited by federal law for new driver licenses and renewals to be issued with the licensees' SSN on the license, as my wife just found out when she renewed.

    This loan provider should have a very good reason for handing out your SSN to anyone. I suspect that if you checked, every phone support person at your loan provider - in fact, everyone with access to any records with SSNs - is bonded. If it turns out they unnecessarily handed out your personal info, I'm sure it would be of great interest to the agency that bonded their employees. If this contractor is not bonded, you're looking at an opportunity to make sure the midden hits the windmill. Look up this contractor at the Better Business Bureau, and see what else you can find out. Call them if you can and find out about their bonding status; ask what measures they take to secure personal data, etc.

    This would also be of great interest to your state's Attorney General.

    Following up on this to that extent is probably a great deal of hassle on your part, but keep in mind, it will almost certainly affect your ability to buy a residence in the future, whether you get things corrected or not.

    Good luck with that.

  18. Negligence by Sunny7L · · Score: 2, Interesting

    At the very least it's negligence.

    I received this same letter and ranted and raved about it. . . I'm still pissed.

    I don't see why the media isn't outraged yet, despite that they report these stories they just gloss over them like it doesn't matter. And then they obsess over the horror of identity theft and what WE can do about it. All of our efforts are moot when the a$$hole companies/agencies are just handing data out.

    I do believe that, at a minimum, 10% of my loans should be forgiven as recompense.

  19. When a hospital asks for your SSN... by msauve · · Score: 3, Interesting

    what they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, they're typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  20. DO something when this happens to you. by Feebleminded_Genius · · Score: 4, Interesting

    [shameless showoff plug] I work for an insurance company that handles large amounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryption software, and the implementation start to finish took less than 2 months. It was a ridiculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug]

    What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if your customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.

  21. Re:Recourse by Anonymous Coward · · Score: 1, Interesting

    What good is a limited-time free credit check? If I do my free credit check today but it takes a week for my compromised SSN to be misused then I have to wait until next year to check my credit again or pony up the money to these damn credit agencies constantly and until I die. It's extortion on a grand scale and the more our personal data is compromised the more extorted we become. Companies and government agencies that have compromised data, intentionally or not, should be paying for a lifetime of free credit alerts for those that have had compromised data. I'm quite certain that eventually we will have a system along these lines out of necessity, because the morons that are responsible for safeguarding our data are inept. We'll probably end up paying for it through taxes, though, 'cause we sure as hell won't make the companies pay for their own ineptitude.