Slashdot Mirror
Data Theft and Corporate Irresponsibility?
cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"
Forward all of your bills to them.
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
Would you kindly mod me +1 insightful?
For most things, organizations don't need much if any of your information. The want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.
There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.
Start over with a fresh identitiy.
There are two simple prescriptions for this:
1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.
2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expouns on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.
Get the liability in order and regulation will the preferable alternative.
Yeah, go to another company and steal their computers.
Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?
Lost: Sig, white with black letters. No collar. Reward if found!
Japan has a strong law and companies must follow certain procedures for storage of over 500 names, which has a major effect on business. It hasn't increased security per se, considering the thefts in the news, but if you could show they did not follow the law they would be liable I think. As for the U.S. my guess (IANAL) would be that you'd have to get info about how they stored your data and what happened, and then prove their negligence, and who knows if there is even a precedent (groklaw?)
It is a bit off tangent, but I believe Ice Cube said it best: Laugh now, cry later. It is the way both the House and Senate view the problem of ID theft. They aren't doing much to protect the consumers, and allow individuals to consume personal data through public records. They may laugh now while the votes are coming, but eventually we all are going to cry later when our personal information will be the gold nuggets of the Digital Western Frontier.
"Do we, as consumers, have any recourse against these businesses?"
There's always the solution from Fight Club.
Oops. I'm not supposed to talk about that. Forget I said anything, will ya?
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Why don't you set up a website that collects information about those who have been actually hurt by identity theft and trace it back to its source company if possible. Then give that information to a land shark for a fee. You could make $200-300 thousand.
I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the mean time while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).
Anyway to answer your question: IMO (and IANAL), the court would not force the 3rd party who's information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).
The long-term solution here people, is to get a god damn law passed. This is absolutely ridiuclous how much this occurs, and its usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:
1. The circumstances under which a company/school/whatever may contain your personal information
2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.
How's that for a start?
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
Generally, it has been my experience that people are completely willing to give up very private information whenver demanded by a company or similar seemingly legitimate and authoritative entity. I encourage everyone to be more wary and careful about who they give their SSN to. Identity theft has become a rampant problem for many people all over the world. We have to wise up and Just Say No.
--
http://wi-fizzle.com
Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
Look; Go after the company for negligence. If they used Windows, then show that their useage of windows was irresponsible (it is). If they allowed an employee/contractor to take data that had your information on it, then sue them for not locking down the box or allowing it out in the first place. Sadly, congress is trying to pass laws that make these suits disappear. But if we go after them now, then as suits are won, the companies will actually start caring about the information that they so carelessly allow out. It would be nice if the CIO's could be held legally accountable for choices that they make without consideration to security.
I prefer the "u" in honour as it seems to be missing these days.
Notice, they did get A's for Reporting and Notification and Information Dissemination. So they can't be doing all bad.
I would have given them an F for Loosing the F'ing Data in the First Place. But what do I know.
The problem is outsourcing. And it doesn't matter to whom or where you outsource. Now Texas Guaranteed can say, "We followed out procedures, it's not our fault." I work with a couple people who want to outsource almost every function. Why, because you have someone else to blame when there are problems.
Talk about taking no personal responsibility and stepping up and being accountable for yourself.
If you're afraid of your identity being stolen, Prepaid Legal can help.
An MLM scheme will help me with my fears? Do they offer counseling to overcome these fears?
I got modded down last time...
No kidding. It's like all these free iPod sites -- you get modded down because you're just hoping people will join your MLM so that you can personally profit from their fears.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.
e ssion.do?code=SECURITYALERT
The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.
The direct link for the Experian site to do this is:
https://www.experian.com/consumer/cac/InvalidateS
More advice available here for identity theft victims:
http://www.consumer.gov/idtheft/con_steps.htm
Hopefully, you will not need it.
-- Terry
You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).
"National Security is the chief cause of national insecurity." - Celine's First Law
I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.
Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.
As long was we maintain some degree of privacy, identity theft is here for the forseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.
This sort of thing is exactly why class action lawsuits exist. Find a lawyer, start one. Companies will do whatever is most cost-effective, so you simply need to make losing your private data expensive.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
I second the healthcare problem as top on my list.
My data has been lost 3 times in as many years...all by the wonderful work of healthcare related companies. Seriously...how hard is it. Just don't lose it. Better yet...don't store it in the first place.
I've had to put watches on 'my accounts' with the credit reporting agencies myself for each one too. You know how irritating it is that I have to take a couple of hours out of my day to fix some other nimrod's stupidity induced problem? Makes me want to shoot somebody. And supposedly I'm on of the people in the psych evals that proves 'more stable than most'. If I want to shoot somebody then that must mean lots of other people ARE shooting somebody over this stupidity.
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
So why exactly is it up to the schmo to do this? Why not the company?
Cheers,
-b
No, not unless the american people elect a congress that gives a damn about something other than big corporate sponsors. That's the only reason I can think of why the US doesn't have a law that makes businesses responsible for safeguarding personal information. According to "free market" forces your SSN and credit history is only another product, much less something to be protected.
I've been hit three times myself in the last 4 months. What am I supposed to do, sue three $50B corporations?
Oh, and don't believe the neanderthals that tell you the free market lets you "vote with your business" -- not when everyone seems to be involved.
Here is a link to two proposed bills on identity protection.
One is dated July 14th 2005, while the second version is dated December 8th 2005. Get off your ass and call up your senator and tell them that you feel this bill should be passed into law to protect you as either a former victim, or possible future victim. Cite some recent examples of identity theft from the news. Tell them that this is more important to you as a citizen that they are supposed to represent, compared to whatever other "important agenda" they are talking about right now in the Senate (gay marriage, starting MORE wars with countries in the name of "freedom", etc). Don't just whine and complain because no one is going to want to listen to you. Instead, push and shove so that they will be forced to do something about it!
(Cue Braveheart moment) - FFFFFRRRRREEEEEEEDDDDDDOOOOOOMMMMMM!!!!!
Oh yeah, and don't forget to buy LOTS of stock in identity theft protect companies! Citizens will win, and irresponsible parties will lose!
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
A sampling of "crappy organizations" that have lost sensitive peronal information of their clients in the last couple of months:
Ernst & Young
Humana
AIG
Union Pacific Railroad
The State of Colorado
The State of Oregon
The State of Minnesota
Hotels.com
University of Miami
University of Kentucky
Miami University of Ohio
The YMCA
The Red Cross
The Department of Energy
The IRS
The Veterans Administration
The IRS
Would this be a good time to put in a plug for a constitutional amendment that extends personal property rights to personal data?
I will create a sig when innovation restarts in the U.S.
If a credit reporting agency falsely claims that a person has gone into massive unpaid debt when actually they are the victim of criminal theft, the credit reporting agency should be liable for damages (denied loans, higher interest rates, pain and suffering) due to their libel. I think even the threat of a class action lawsuit based on these grounds would significantly clean up the big credit reporting agencies' act.
Credit Freeze Under Fire
'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."
'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.
'"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'
The problem is the social security number. It sure made it easier for creditors to track people but it has set everyone up for identity theft. Creditors would be a lot more careful handing out credit if all they had was a name and birth date. It would also lower the cost of every THING.
You can place a fraud alert, valid for 90 days, which will cause credit institutions to check who they give their money to before doing so. Is it just me, or is there a touch of surreal in this?
Anyway, the obvious thing to do is to put yourself on fraud alert *before* your ID is stolen, not after. And keep the alert updated at all times. This is the easy way to bounce back the cost of carelessness to those that should be careful to begin with, banks and other credit institutions.
Make the Social Security Number public to EVERYONE.
That's right, cat's out of the bag. Can of worm has been opened. Too late.
Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.
Each business entities must use their OWN issued numbers.
Wide-reaching Identity Theft Containment problem limited to just the affected business.
Now, it is time to look into three-way public keys to ensure that consumer data is not misused:
1. Merchant/Business/Corporation
2. End-user/User/
3. Arbitrator/Government
With keys signed by each other in 3-ways, secured identification and security of data compartmentilization has been greatly enhanced.
Each and every transaction is signed, sealed and delivered by all 3 parties.
Now, let's get an infrastructure going on this...
Even Bruce Schneier agrees to this.
Yeah, you've got no privacy, but that's not cause to "get over it." The reason you've got no privacy is that you are coerced into giving up your private information -- coerced by government identity-tracking, supposedly for tax purposes but far, far expanded; coerced by effective cartels, like the credit and banking industries; and coerced by laws which support those cartels in their demand for your private information. You don't even have a choice, unless you want to live as a hermit, and at an incredible economic disadvantage.
Having no privacy isn't the problem in itself; the problem is other people exercising control over you with that information. Don't "get over it." Stand up to it.
In the name of the Libertarian Party, I would like to speak on this issue.
I'm appalled by all the anticapitalist rhetoric that is being spewed on Slashdot regarding the corporate use of your personal information and the occasional leak of your SSN into the wrong hands.
You people talk like you want absolute ownership over your personal information. Like you want a corporation - an entity that only exists for the purpose of maximizing net profit - to take responsibility for handling your personal information. Then you'll be holding them liable for mishandling your info. Do you realize what damage this will do to corporate profits?
That utterly reeks of communism. What's next? Treating your personal information as your own property to be handled on your terms and not theirs? Heck, if we follow that line of reasoning, the Government will have to intrude even further into our lives and implement a law to treat personal information brokers like Choicepoint and Unicru as potential data pirates. I can see it now: the Digital Millenium Privacy Act.
Corporations made America, and now you pink commies are about to create a kleptocracy in the name of your overzealous attack on public access to personal information. Sheesh.
[...end Right wing parody]
--- Grow a pair, liberals... stop letting the Republicans bully you!
No excuses. The worst are the companies that advertise their Identity Theft Protection Service for $13.00 a month in their very own letter of apology to the victims (like mine, and yes, sadly it was authentic) when they should offer a free lifetime subscription due to the heinous nature of the offense. Who wants to look forward to some idiot attempting to sell all assets 5-15 years down the line? So now "Identity Theft Protection" is the most important service to have, a service that you wouldn't have needed if the original company had done its job correctly? You've got built-in customers if you simply "lose" some files - that's so sick - that stuff needs to be protected with potent cryptographic schemes or a new identity scheme needs to be created immediately!
--I gots 99 problems but a new machine ain't one!
AMD! Asus! Whoot! 6 years!
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Not about employee blunder.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
http://www.smithfam.com/news2/july02a.html ;-)
http://www.answers.com/topic/credit-card-fraud
One of the two (answers/wikipedia) plagerized the other.
http://en.wikipedia.org/wiki/Credit_card_fraud
Make the credit card companies take responsibility. Make it them that has to pay for fraud and the situation will rememdy itself overnight!
Restore America: Dr. Ron Paul for President!
The long-term solution here people, is to get a god damn law passed.
A starting point might be the EU Directive on Privacy: http://www.cdt.org/privacy/eudirective/EU_Directiv e_.html
Somehow all this trouble with identity theft seems to be a uniquely US problem.
The EU directive establishes rules for:
But that's really only half the problem. The other, and in my opinion more serious, problem is that this information should be of financial value at all. There simply should be no way to set up a line of credit or make other financial use of an SSN and your mother's maiden name. It's, frankly, preposterous that this is the case.
Logi - I can do anything, but not everything.
I don't hate the stupid companies who loose SSN numbers, instead, I'm bothered on how we as a country got into this mess into the first place.
I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.
OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.
The real problem is that there are so many other business segments who need to validate your identity, that they have piggy backed usage of the SSN as the de facto form or Identity verification. This is the real segment that needs to change their behavior!
I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.
The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.
IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.
<Sigh...>
Either the cat is all the way out of the bag, or it is close to being so already. I just operate under the assumption that someone with the desire to can find such information about me and use it to his or her advantage.
People need to quit worrying about stuffing genies back into bottles and learn to adapt. Government, businesses, and credit agencies need to learn to adapt, as well.
Yes, you lazy schumcks, this means you actually have to read your bills and check your credit report occasionally.
WTF are people thinking?? I have a corporate laptop myself and there is NOTHING on it. No files with hundreds of names and SSN's on it. NOTHING. I could totally SCREW my hard drive and would loose nothing of value to the company. I could have my laptop stolen and there would be NO data of value to anyone on it(go ahead....take my pictures, I don't care). Anytime I need to work, I remote desktop to my desktop which, other then non secure departmental info, has NO COMPANY RECORDS ON IT! Granted, we have no policy that specifies what is ok and what is not ok. The problem is usually NOT the computer guys in this situation....it's clueless users trying to do a little work at home and WHUPS.....the laptop gets ganked....
Few things....
1. Treat the laptop like it's your own. Make sure it's always in a safe place. If you have to park in a shady area, take it with you.
2. If you absolutely MUST have data on the laptop, it should be corporate policy that the file is encrypted and passworded. The compny needs ot invest in security software. Maybe something that trashes the file once the password has been entered incorrectly more then 3 times.
Gorkman
In many cases the organization doesn't need the information, so don't give it.
0 2_e.asp
Make it illegal for them to ask.
FYI it isn't clearly illegal to ask for a SIN in Canada. But organizations can't collect information unless they have a legitimate reason to use it.
http://www.privcom.gc.ca/cf-dc/2001/cf-dc_011105_
http://laws.justice.gc.ca/en/p-8.6/258076.html see 4.4.1
That same law has a series on data protection, and your right to see the information they hold. A little vague, but I think the intent is clear. It would be interesting to see how many cases have proceeded.
I would like to see them add a notification requirement.
So
Encryption will do the job without requiring the thief to be phenomenally stupid.
It seems the root of this problem is identity thieves and the credit companies that will hand out credit to people with no waiting period and minimal identity checks. Do people REALLY need to go into Best Buy, apply for a credit card, and have a $5,000 line of credit to use immediately? Wouldn't it be worth the inconvenience of waiting a day or two for credit approval in order to nip the massive identity theft problem in the ass? It basically comes down to the greed of the credit houses, the greed of the stores and banks giving out the credit cards, and the greed of the assholes actually stealing other peoples identities. If congress would start holding the credit companies and stores giving credit to task in cases of identity theft (instead of just letting them harass the hell out of innocent people) I think we'd see a sharp decline in the number of identity theft cases. Then, just for icing on the cake, why not make create some police task forces that deal strictly with identity theft cases and make the crime itself have some incredibly severe punishment (after all, you are stealing someone else's LIFE!).
Anway, that's my rant for the day.
I find laziness to be an excellent motivator.
Seriously, you say they informed you this contractor had your name and SSN on their computer (obviously an insecure computer)? The question I would ask of the loan provider is WHY did this contractor need your SSN?
And I would most certainly not settle for the canned response of "they required your information to carry out value added services available with your account". That's bull, they only need an account number, which should NOT be the same as your SSN. Even the Fed finally figured this one out - it is now prohibited by federal law for new driver licenses and renewals to be issued with the licensees' SSN on the license, as my wife just found out when she renewed.
This loan provider should have a very good reason for handing out your SSN to anyone. I suspect that if you checked, every phone support person at your loan provider - in fact, everyone with access to any records with SSNs - is bonded. If it turns out they unnecessarily handed out your personal info, I'm sure it would be of great interest to the agency that bonded their employees. If this contractor is not bonded, you're looking at an opportunity to make sure the midden hits the windmill. Look up this contractor at the Better Business Bureau, and see what else you can find out. Call them if you can and find out about their bonding status; ask what measures they take to secure personal data, etc.
This would also be of great interest to your states Attourney General.
Following up on this to that extent is probably a great deal of hassle on your part, but keep in mind, it will almost certainly affect your ability to buy a residence in the future, whether you get things corrected or not.
Good luck with that.
...maybe we should go ahead and just post all our personal info on the web ourselves, and save these idiots the trouble? "Haha, nothing to steal now, b17ch3z!"
I saw it on Slashdot, it must be true!
Insurance isn't so much about punishing you for bad behavior as it is about trying to price itself based on what you're likely to do during the policy term. There's a lot of research that has shown this to be overwhelmingly a sound practice. From Insurance Information Institute:
At the very least it's negligence.
I received this same letter and ranted and raved about it. . . I'm still pissed.
I don't see why the media isn't outraged yet, despite that they report these stories they just gloss over them like it doesn't matter. And then they obsess over the horror of identity theft and what WE can do about it. All of our efforts are mute when the a$$hole companies/agencies are just handing data out.
I do believe that, at a minimum, 10% of my loans should be forgiven as recompense.
The Privacy Rights Clearinghouse keeps a list called "A Chronology of Data Breaches Reported Since the ChoicePoint Incident." That list shows over 200 incidents reported in the last 17 months, totalling over 88,000,000 breaches.
what they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, they're typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.
"National Security is the chief cause of national insecurity." - Celine's First Law
[shameless showoff plug] I work for an insurance company that handles large ammounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryptions software, and the implementation start to finsh took less than 2 months. It was a rediculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug] What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if you customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.
keep your credit rating low. like i do.
The UK (and, I believe, most of the EU), has a Data Protection Act.
Briefly, this states that data must be:
* fairly and lawfully processed;
* processed for limited purposes;
* adequate, relevant and not excessive;
* accurate and up to date;
* not kept longer than necessary;
* processed in accordance with the individual's rights;
* secure;
* not transferred to countries outside the European Economic area, unless there is adequate protection.
Does such a thing really not exist in the US, an economy where information is king?