Slashdot Mirror


Data Theft and Corporate Irresponsibility?

cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

29 of 352 comments

  1. Recourse by alshithead · · Score: 4, Funny

    Forward all of your bills to them.

    --
    I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    1. Re:Recourse by Ihlosi · · Score: 4, Insightful
      Let me get this straight; so you think if a bank gets robbed we should prosecute the bank and not the robber?



      If the bank stores all their customers' cash in cardboard boxes behind the building, then yes, prosecuting the bank would be in order.



      Also, your rhetorical question is wrong. The robber will be prosecuted in any case (for robbery), even if the bank is prosecuted for gross negligence.

    2. Re:Recourse by Choco-man · · Score: 4, Informative

      I've had this happen to me 4x in the last 2 months. I urge you all to write your congress-person and state attorney general (not email, write the letter folks) - here's what I am sending:

      Senator Specter,

      I am writing to voice my concern over the lack of control many corporations have over my personal information - and just as importantly, the lack of recourse I have as a citizen should those corporations abuse my information. Over the course of the past 60 days, I've received 4 notices that a given corporation - two of which I don't even do business with, nor have I ever - have had my personal information compromised. Two of them were kind enough to provide suggestions as to what steps I should take to monitor this, one of them simply stated that they'd allowed my information to be compromised, and the final one actually sent me an empty envelope. I contacted them based on their return address to make an inquiry, and obtained confirmation that that too had compromised my information.

      All this within a two-month period. And these are the ones that have voluntarily divulged that my information has been compromised - I'm assuming there have been other incidents that have not been disclosed.

      It's absurdly obvious to me that, at minimum, there needs to be minimum standards of data protection, and recourse for the individual in the event that one suffers personal loss as a result of a corporation not adhering to those minimum standards of protection. In the day of high speed data transmission and very powerful encryption techniques, it's ludicrous that they are transporting these types of sensitive information around on unencrypted computers and on non-secured servers or portable drives.

      I do not want to wait until something detrimental occurs to me before I take action. Identity theft has become so commonplace that it's become background noise, and we as a society have accepted it as a part of life in the modern world - this cannot be the solution. Until there are ramifications for corporations that mistreat personal data that results in personal harm, there is no incentive for them to alter their behavior.

      I certainly do not have the answer, nor would I presume to tell you what should be done to rectify this. I would, however, ask that you expend some resources to find and implement a solution to the issue. I am quite confident that were the tables turned, and I were to disclose damaging information that affected the fiscal health of those companies, that the repercussions I would face as a result from them would be quite serious.

      Thank you for your time.

      Regards,

  2. Simple... by Cheapy · · Score: 4, Funny

    Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.

    --
    Would you kindly mod me +1 insightful?
    1. Re:Simple... by Ruff_ilb · · Score: 5, Funny
      Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
      Like Nigeria? I hear there are lots of... lucrative... investment opportunities over there.

      Just Email me with your Name, Address, Social Security number, and Credit Card information and I'll take care of it all.
      --
      http://www.TheGamerNation.com/Forums
    2. Re:Simple... by Eccles · · Score: 5, Funny

      Tell them that if you don't get your credit card watched, you're going to burn the place down.

      They stole my identity, not my stapler.

      --
      Ooh, a sarcasm detector. Oh, that's a real useful invention.
  3. the less information collected the better by carsonc · · Score: 5, Interesting

    For most things, organizations don't need much if any of your information. They want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.

  4. Completely out of hand by hackwrench · · Score: 4, Insightful

    There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.

    1. Re:Completely out of hand by plover · · Score: 5, Insightful
      In this particular case I think the credit reporting agencies have way too much power. Their information is used for everything from cell phone contracts to insurance rates to employment background checks. And they've done it without oversight, without honesty and without ethics. They will collect, report and do anything to sell someone another peek at your Fair Isaac score. And every company wanting to sell anything at all gets to use this automated system of discrimination ("hey, it's not a race/ethnic thing, it's just your computer score and the computer is color blind." As if having an address in The Projects would be anybody's choice, yet it all factors into your score.)

      We've evolved our own Big Brother via capitalism.

      Somewhere, Karl Marx and George Orwell are sharing a laugh from beyond the grave.

      --
      John
    2. Re:Completely out of hand by gEvil (beta) · · Score: 4, Insightful

      I'd tell people to mod you up, but you can't go any farther. As I've often said in the past (and will continue to say), the credit reporting agencies don't give a shit about you. They have no reason to care about whether the information they have on file for you is accurate. YOU ARE NOT THEIR CUSTOMER. Their customers are the ones they're selling your information to. When you contact them to complain about inaccurate information, they consider it a nuisance that *might* need to be dealt with. And the simple reason is because YOU ARE NOT THEIR CUSTOMER.

      --
      This guy's the limit!
  5. starting over by silentscope · · Score: 5, Insightful

    Start over with a fresh identity.

  6. Liability, liability, liability by electroniceric · · Score: 5, Interesting

    There are two simple prescriptions for this:

    1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.

    2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expounds on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.

    Get the liability in order and regulation will be the preferable alternative.

  7. I just got "the letter" too by bsartist · · Score: 5, Informative

    Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?

    --
    Lost: Sig, white with black letters. No collar. Reward if found!
    1. Re:I just got "the letter" too by Anonymous Brave Guy · · Score: 5, Insightful
      If the most well-funded military in the world can't keep a lid on our personal data, who can?

      Someone who never has the data to lose in the first place.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:I just got "the letter" too by horatio · · Score: 4, Interesting
      What I can't figure out for the life of me, is why the hell all this information is being stored on portable (laptop) systems, and not on the servers behind locked doors and firewalls where it belongs....how do you get millions of SSNs stored locally on a damn laptop and not consider the consequences?

      Then again, hiring agencies like usajobs.gov want you to email your SSN as part of your application materials, and if you complain, they fire back some bullshit from their privacy policy...this is what they told me:

      Within the Federal job application process, Social Security Number is a unique identifier. Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date and the Federal Government is legally authorized to require this information. This authority is provided under Public Law 104-134. While job applications may occasionally be accepted in a system without the Social Security Number, your applications will likely not be accepted/processed if they do not give the hiring agency the information requested. Please know that the personal and private information you provide is encrypted during transmission and encrypted in our databases. Please also know that all personnel with access to sensitive data are legally bound to use the information only for its intended purposes. Please see our Privacy Statement: http://www.usajobs.opm.gov/privacy.asp for additional information.


      * emphasis mine to illustrate the absurdity

      I never once argued about whether they could or should be asking for it. I was only asking for alternative methods besides frickin e-mail on how to provide it.
      --
      There is very little future in being right when your boss is wrong.
    3. Re:I just got "the letter" too by MillionthMonkey · · Score: 5, Insightful

      One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It's only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone's SSN has been compromised, and someone is going to compile them and make them widely available.

      That would be the most bitchin' thumb drive, wouldn't it? You could show it to all your friends and taunt them. I'd better not lose my keys or you're all screwed!

  8. Not the best solution, but... by peacefinder · · Score: 4, Funny

    "Do we, as consumers, have any recourse against these businesses?"

    There's always the solution from Fight Club.

    Oops. I'm not supposed to talk about that. Forget I said anything, will ya?

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  9. Me too (twice even)! by RootsLINUX · · Score: 4, Interesting

    I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the meantime while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

    Anyway to answer your question: IMO (and IANAL), the court would not force the 3rd party whose information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).

    The long-term solution here people, is to get a god damn law passed. This is absolutely ridiculous how much this occurs, and it's usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:

    1. The circumstances under which a company/school/whatever may contain your personal information
    2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
    3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
    4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
    5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
    6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.


    How's that for a start?

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
  10. You can place a fraud alert on your credit report by tlambert · · Score: 5, Informative

    You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.

    The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.

    The direct link for the Experian site to do this is:

    https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT

    More advice available here for identity theft victims:

    http://www.consumer.gov/idtheft/con_steps.htm

    Hopefully, you will not need it.

    -- Terry

  11. Yep... by msauve · · Score: 5, Interesting
    unless they're making payments to my Social Security "account," (i.e. paying me on a W2) they don't get my SSN. Unless they're [i]required[/i] by law to report tax info, they don't get my Federal Taxpayer ID (which happens to be the same as an SSN). I even went after my employer for violation of their own "Employee Privacy Policy," for giving my SSN to a third party health care provider and forced issuance of an insurance card with a non-SSN assigned number.

    You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  12. Re:I think Ice Cube said it best by R2.0 · · Score: 5, Insightful

    Congress will care about it when a laptop full of THEIR personal data gets stolen.

    Just like the Jefferson fiasco - FBI busts down a citizen's door, it's strong justice; bust down a Congresscritter's door and it's a CONSTITUTIONAL CRISIS!!!!omgwtfbbq

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  13. What I've done by cimmer · · Score: 4, Insightful

    I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.

    Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.

    As long as we maintain some degree of privacy, identity theft is here for the foreseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.

  14. Re:Maybe... by cimmer · · Score: 4, Informative

    A sampling of "crappy organizations" that have lost sensitive personal information of their clients in the last couple of months:

    Ernst & Young
    Humana
    AIG
    Union Pacific Railroad
    The State of Colorado
    The State of Oregon
    The State of Minnesota
    Hotels.com
    University of Miami
    University of Kentucky
    Miami University of Ohio
    The YMCA
    The Red Cross
    The Department of Energy
    The IRS
    The Veterans Administration
    The IRS

  15. Credit freeze under fire by greeneggs2000 · · Score: 5, Informative
    Don't worry, Congress is on the case. Republicans are trying to overturn state laws protecting against identity theft. Overriding the California law is particularly important, even to people who don't live in California -- it is the California law which has forced companies to disclose identity thefts in the first place (they have to disclose thefts involving Californians, but that's most of them).

    Credit Freeze Under Fire

    'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."

    'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.

    '"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'

  16. Best solution is... by Dark Coder · · Score: 5, Insightful

    Make the Social Security Number public to EVERYONE.

    That's right, cat's out of the bag. Can of worms has been opened. Too late.

    Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.

    Each business entity must use their OWN issued numbers.

    Wide-reaching Identity Theft Containment problem limited to just the affected business.

    Now, it is time to look into three-way public keys to ensure that consumer data is not misused:

          1. Merchant/Business/Corporation
          2. End-user/User/
          3. Arbitrator/Government

    With keys signed by each other in 3-ways, secured identification and security of data compartmentalization has been greatly enhanced.

    Each and every transaction is signed, sealed and delivered by all 3 parties.

    Now, let's get an infrastructure going on this...

    Even Bruce Schneier agrees to this.

  17. "Get over it" and serve your masters by Anonymous Coward · · Score: 4, Insightful

    Yeah, you've got no privacy, but that's not cause to "get over it." The reason you've got no privacy is that you are coerced into giving up your private information -- coerced by government identity-tracking, supposedly for tax purposes but far, far expanded; coerced by effective cartels, like the credit and banking industries; and coerced by laws which support those cartels in their demand for your private information. You don't even have a choice, unless you want to live as a hermit, and at an incredible economic disadvantage.

    Having no privacy isn't the problem in itself; the problem is other people exercising control over you with that information. Don't "get over it." Stand up to it.

  18. Hi, my name is Lizzy Fair by Travoltus · · Score: 4, Funny

    In the name of the Libertarian Party, I would like to speak on this issue.

    I'm appalled by all the anticapitalist rhetoric that is being spewed on Slashdot regarding the corporate use of your personal information and the occasional leak of your SSN into the wrong hands.

    You people talk like you want absolute ownership over your personal information. Like you want a corporation - an entity that only exists for the purpose of maximizing net profit - to take responsibility for handling your personal information. Then you'll be holding them liable for mishandling your info. Do you realize what damage this will do to corporate profits?

    That utterly reeks of communism. What's next? Treating your personal information as your own property to be handled on your terms and not theirs? Heck, if we follow that line of reasoning, the Government will have to intrude even further into our lives and implement a law to treat personal information brokers like Choicepoint and Unicru as potential data pirates. I can see it now: the Digital Millennium Privacy Act.

    Corporations made America, and now you pink commies are about to create a kleptocracy in the name of your overzealous attack on public access to personal information. Sheesh.

    [...end Right wing parody]

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  19. How did we get here? SSN as private information? by stuartg · · Score: 4, Interesting

    I don't hate the stupid companies who lose SSN numbers, instead, I'm bothered on how we as a country got into this mess in the first place.

    I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.

    OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.

    The real problem is that there are so many other business segments who need to validate your identity, that they have piggy backed usage of the SSN as the de facto form of Identity verification. This is the real segment that needs to change their behavior!

    • Companies like Comcast who insist on the last four digits of my SSN to call the help desk?!?!
    • Universities who use the SSN as a student ID number.
    • and most importantly, Credit reporting agencies who base consumer credit scores on unverified data.

    I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.

    The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.

    IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.

    <Sigh...>

  20. DO something when this happens to you. by Feebleminded_Genius · · Score: 4, Interesting

    [shameless showoff plug] I work for an insurance company that handles large amounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryption software, and the implementation start to finish took less than 2 months. It was a ridiculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug]

    What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if your customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.