Data Theft and Corporate Irresponsibility?

cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

the less information collected the better

[carsonc]

For most things, organizations don't need much if any of your information. The want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.

Liability, liability, liability

[electroniceric]

There are two simple prescriptions for this:

1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.

2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expouns on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.

Get the liability in order and regulation will the preferable alternative.

Re:Liability, liability, liability

[rcw-home]

2) Create and enforce real responsibility of credit providers and credit bureaus.

Easy. Just make libelous statements on a credit report... libel. You lost your earnest money because you couldn't get a home loan because you allegedly signed up for a credit card, maxed it out, and never repaid it? You get passed up for a job because a car purchased in your name got repossessed? You prove it, you sue the credit bureaus, you win treble damages.

Suddenly, credit bureaus would require a lot more proof before dinging your credit score, and they'd promptly correct their mistakes.

Me too (twice even)!

[RootsLINUX]

I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the mean time while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

Anyway to answer your question: IMO (and IANAL), the court would not force the 3rd party who's information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).

The long-term solution here people, is to get a god damn law passed. This is absolutely ridiuclous how much this occurs, and its usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:

1. The circumstances under which a company/school/whatever may contain your personal information
2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.

How's that for a start?

Re:Me too (twice even)!

[Kadin2048]

In all honesty, there's something to that idea.

A while back when it first came out that you could call up certain companies and for less than $100 get basically anyone's cell phone records, I remember that somebody did it to the Canadian Privacy Minister (or someone to that effect, I forget their actual title) and mailed the results to them.

Short of actually tossing tons of money at them, that's probably one of the more effective means of influencing politicians on privacy issues: make them care by putting their privacy into question along with everyone else's.

I wouldn't ever advocate anything illegal per se, but a lot of good could potentially come from a massive data theft of every member of Congress' credit histories and banking records (besides just finding out who's really on the take).

Yep...

[msauve]

unless they're making payments to my Social Security "account," (i.e. paying me on a W2) they don't get my SSN. Unless they're [i]required[/i] by law to report tax info, they don't get my Federal Taxpayer ID (which happens to be the same as an SSN). I even went after my employer for violation of their own "Employee Privacy Policy," for giving my SSN to a third party health care provider and forced issuance of an insurance card with a non-SSN assigned number.

You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).

Re:I just got "the letter" too

[horatio]

What I can't figure out for the life of me, is why the hell all this information is being stored on portable (laptop) systems, and not on the servers behind locked doors and firewalls where it belongs....how do you get millions of SSNs stored locally on a damn laptop and not consider the consequences?

Then again, hiring agencies like usajobs.gov want you to email your SSN as part of your application materials, and if you complain, they fire back some bullshit from their privacy policy...this is what they told me:

Within the Federal job application process, Social Security Number is a unique identifier. Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date and the Federal Government is legally authorized to require this information. This authority is provided under Public Law 104-134. While job applications may occasionally be accepted in a system without the Social Security Number, your applications will likely not be accepted/processed if they do not give the hiring agency the information requested. Please know that the personal and private information you provide is encrypted during transmission and encrypted in our databases. Please also know that all personnel with access to sensitive data are legally bound to use the information only for its intended purposes. Please see our Privacy Statement: http://www.usajobs.opm.gov/privacy.asp for additional information.

* emphasis mine to illustrate the absurdity

I never once argued about whether they could or should be asking for. I was only asking for alternative methods besides frickin e-mail on how to provide it.

Re:Credit freeze under fire

[Rick17JJ]

Another critic of that proposed law is Consumer advocate Clark Howard. His article is here:

Contact your reps over credit freezes

According to his article, 23 states now have credit freeze protection laws. The proposed law in congress would essentially invalidate all of these state laws. After reading both the article you mention and his, it sounds to me like congressmen LaTourette and others are more concerned about the wishes of large financial institutions than protecting average consumers. The article you mentioned says this:

For their part, financial institutions tend to dislike credit freezes because such measures serve as an impediment to easy plastic and impulse purchases (such as expensively financed new cars).

What I find particularly troubling about the issue of identity theft is the question of "Why is the burden of proof always on the average consumer?" Identity theft victims can spend months trying to convince angry creditors that they really never did open those new charge charge card accounts. Shouldn't it be the financial instition's problem for failing to properly verify the identity of the person they granted credit to? The fact that an applicant knows a few basic facts such as a social security number and a mother's maiden name does not even begin to prove that they are who the say they are. If congressmen LaTourette and others don't like credit freeze laws then they should find some other methods of protecting identity theft victims before eliminating those laws. Congress seems more concerned about the interests of big business lobbyists and their campaign contributions than about identity theft victims.

How did we get here? SSN as private information?

[stuartg]

I don't hate the stupid companies who loose SSN numbers, instead, I'm bothered on how we as a country got into this mess into the first place.

I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.

OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.

The real problem is that there are so many other business segments who need to validate your identity, that they have piggy backed usage of the SSN as the de facto form or Identity verification. This is the real segment that needs to change their behavior!

• Companies like Comcast who insist on the last four digits of my SSN to call the help desk?!?!
• Universities who use the SSN as a student ID number.
• and most importantly, Credit reporting agencies who base consumer credit scores on unverified data.

I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.

The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.

IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.

<Sigh...>

When a hospital asks for your SSN...

[msauve]

what they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, they're typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.

DO something when this happens to you.

[Feebleminded_Genius]

[shameless showoff plug] I work for an insurance company that handles large ammounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryptions software, and the implementation start to finsh took less than 2 months. It was a rediculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug] What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if you customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.