Slashdot Mirror


Personal Data Exposed! Can Legislation Fix It?

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

10 of 154 comments

  1. More laws are the key ... to EVERYTHING by Kohath · · Score: 5, Insightful

    I know we're just one law short. With one more law, nothing will ever go wrong and everyone will live forever. Just one more law.

    I'm sure this is the one. No one will accidentally release anyone's private details when it's illegal.

    Why haven't they made getting in a car accident illegal?

    1. Re:More laws are the key ... to EVERYTHING by KiahZero · · Score: 3, Insightful

      Laws are just codified rules. The question is, what rules would you want people to follow, and what penalties should exist for breaking those rules?

      --
      I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
    2. Re:More laws are the key ... to EVERYTHING by Qzukk · · Score: 3, Insightful

      because we can't be trusted to make the right choices on our own, but legislators can

      None of the credit agencies seem to be willing to lift a finger to do "the right thing". I guess we're going to have to start suing the credit agencies for defamation or something whenever they associate our identity and credit with a criminal in order for them to take notice, if we're not going to be allowed to make laws to tell the credit agencies to get their act together.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:More laws are the key ... to EVERYTHING by hey! · · Score: 5, Insightful

      True, laws cannot prevent bad things from happening to you. But they can deter unreasonable things from being done to you. And they can also compel people who willfully do such acts to make the damage good.

      These are the kinds of laws that a rational person can support. It's laws that are meant to protect us from ourselves we have too many of.

      In fact, we do not so much need new laws, but clarifications of how existing legal principles apply.

      If I park my car and do not set the brake, and it rolls down the hill into your house, the law says I have to pay for the damages to your house. Not you. You get an estimate of, say $2000, and I have to pay that plus a certain amount to compensate you for your inconvenience.

      That isn't paternalism, it's common sense.

      Now suppose I negligently release private information about you, and that results in your identity being stolen. The damage I've done to you is incalculable. And therein lies the rub. I am not responsible for the criminal misdeeds of others, but I have caused you far more than $2000 of trouble by my negligence. It is the inability to put a dollar amount on that damage that keeps me immune from being sued by you.

      If Congress set a standard $1000 damage level for negligent disclosure of private financial data, you could sue me. But you wouldn't have to. If I managed a database of a thousand people, I'd be looking at a cool million in direct liability. It would alter my calculations. I wouldn't be sending your private data home on an unsecured laptop so a temp I've done no background checks on can do a little data entry.

      That's the common theme we've seen in "shocking" cases of data mismanagement. It's not shocking at all, it's inevitable. If the cost of mishandled data is zero, then I'll risk exposing you to identity theft for a penny on an account, multiplied by enough accounts and that's real money.

      It isn't hard to secure data to the point that the risk of disclosure is negligible. But it's impossible if the cost of disclosure is zero.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Current Liability Causes Indifference by SRA8 · · Score: 4, Insightful

    Currently, vendors losing data typically offer 3 months of identity detection, as if that does anything. Criminals can simply wait 3 months and begin stealing identities freely, as most people cannot afford to purchase these costly (and largely useless) services. Unless vendors are presented with liability, as are most other businesses, data will continue to be lost all the time. There is virtually no cost to losing data.

  3. Don't legislate ! by cyberianpan · · Score: 5, Insightful

    Why you shouldn't force notifications to customers

    - Zero day exploits: crooks will rush to do zero day exploits as an official confirmation will prove they've got good data (so more sophisticated gangs will buy it from them, most fraud happens in the first 24 hours)
    - Honeytrap: When identity theft occurs law enforcement agencies may wish to honeytrap the thieves by letting them use the, say, credit card details & thus tracking them.
    - White Noise Defense: smart companies ought to have "white noise" dud systems, easily hacked, containing white noise data with honeytrap triggers (eg a valid credit card number but one that belongs to, say, the FBI) in it!
    - and so on.

    But they should be forced to notify law enforcement agencies.
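The "white noise" idea above is what is now usually called a honeytoken: records planted in a decoy system that are never issued to a real customer, so any later use of them is proof that the decoy was copied, and which canary turns up tells you which decoy leaked. The following is an added example illustrating that detection side; it is not code from the comment's author or from Slashdot. The log format, the merchant ids and the mapping from canary to decoy source are constructed for the example, and the two well-known Visa/Mastercard test numbers stand in for canaries that a real deployment would register with the card issuer as alert-only.

```python
"""Honeytoken ("white noise") detection over authorization logs (added example)."""
import re
from typing import Dict, Iterable, List, Optional

# A canary card number must pass the Luhn checksum, otherwise a thief validating
# the stolen dump would discard it before ever trying to use it.
def luhn_valid(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Constructed canary set: each planted number is tied to the decoy system it was
# seeded into, so a hit identifies which copy of the data walked out the door.
CANARY_SOURCES: Dict[str, str] = {
    "4111111111111111": "decoy-db-east",      # placeholder decoy name
    "5500000000000004": "decoy-backup-tape",  # placeholder decoy name
}

# Constructed log lines in an assumed key=value format (not a real processor's format).
SAMPLE_LOG = [
    "2006-06-01T10:02:11Z event=auth_attempt pan=4242424242424242 merchant=M-00112 result=approved",
    "2006-06-01T10:05:40Z event=auth_attempt pan=4111-1111-1111-1111 merchant=M-77881 result=declined",
    "2006-06-01T10:06:02Z event=auth_attempt pan=5500000000000004 merchant=M-77881 result=declined",
    "2006-06-01T10:09:13Z event=auth_attempt pan=4242424242424242 merchant=M-00112 result=approved",
]

PAN_FIELD = re.compile(r"\bpan=(\S+)")
MERCHANT_FIELD = re.compile(r"\bmerchant=(\S+)")


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people (and thieves) insert into card numbers."""
    return re.sub(r"[ -]", "", raw)


def find_canary_hits(log_lines: Iterable[str],
                     canaries: Dict[str, str] = CANARY_SOURCES) -> List[dict]:
    """Return every log line whose PAN is a planted canary, with its merchant and source."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = PAN_FIELD.search(line)
        if not m:
            continue
        pan = normalize_pan(m.group(1))
        if pan in canaries:
            mm = MERCHANT_FIELD.search(line)
            merchant: Optional[str] = mm.group(1) if mm else None
            hits.append({"line": lineno, "pan": pan,
                         "merchant": merchant, "source": canaries[pan]})
    return hits


def leaked_sources(hits: List[dict]) -> Dict[str, int]:
    """Count hits per decoy system: the systems named here are the ones that leaked."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["source"]] = counts.get(h["source"], 0) + 1
    return counts


if __name__ == "__main__":
    for pan in CANARY_SOURCES:
        assert luhn_valid(pan), f"canary {pan} would fail a thief's checksum filter"
    found = find_canary_hits(SAMPLE_LOG)
    for h in found:
        print(f"ALERT line {h['line']}: canary from {h['source']} used at merchant {h['merchant']}")
    print("leaked decoys:", leaked_sources(found))
```

Note that a declined authorization is still a hit: the point of the canary is that nobody legitimate ever presents it, so the attempt itself is the signal, and the merchant id on the same line is the first lead for the law-enforcement notification the comment argues for.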

  4. Re:What *I* Would Like to See in Legislation? by symes · · Score: 3, Insightful

    Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

    News just in:- Female IT workers around the world have breathed a collective sigh of relief.

    Seriously though, accountability seems to be the key. It feels like (hands up, I'm no expert in this area) that people can get away with some of the shoddiest practices when it comes to safeguarding other people's personal data. I don't think it is enough to expect the market (in that serious breach of security and loss of data will cost that organisation customers) to regulate itself. It's like shutting the gate after the horse has bolted. There needs to be something up front - focusing organisations' minds on making sure this does not happen in the first place. I would say that an organisation that handles, for example, credit card data should be made accountable for any losses directly attributable to mishandling that data plus some compensation in lieu of the time required to close the account, order new cards, etc.

  5. Can legislation fix it? by hackstraw · · Score: 3, Insightful

    The summary and the FA were short on information, but here is my stab at this.

    How about we just keep our private information private? The increase in the amount of personal data that is attempted to be acquired by private companies is increasing, and remind me how my giving of my personal data to Pets-R-Us is going to benefit me?

    I paid cash for a car, and the people wanted my social security number. Why?

    A health club near me wants my social security number to lift weights and stuff. Why?

    Oh, and don't get me started with those so-called "Privacy Agreements" that some of these companies give out to you. All of those end with the clause "we can change our mind at any time w/o notifying you", so how is this any kind of agreement? By signing one of those I am agreeing to nothing.

    So, I think that the laws should say that there are 2 kinds of personal information. One kind is something that can clearly identify me. My address, phone number, ssn, name, etc. And none of that should be shared with anyone. Abstract data for marketing reasons is OK. My age, sex, or whatever they can get from me that does not directly tie the information to me is OK.

  6. Target the credit bureaus by Daffy Duck · · Score: 3, Insightful

    I doubt the solution is to make sure that all of the dozens of companies that hold your SSN must have perfect security inside and out for all eternity.

    I'd rather outlaw the use of your SSN as both username and password. Why are the credit bureaus allowed to let anyone who knows those nine irrevocable digits mess with your credit report?

  7. "patchwork of state laws"??? by Russ Nelson · · Score: 3, Insightful

    "patchwork of state laws"??? You morons, that's exactly HOW the United States is *supposed* to work. Look at the name: United States. We're not a single country, we're a union of independent states, each of which has its own government, and its own set of laws. The "patchwork of state laws" is our guarantee against a tyrannical central government. The different state laws allow people to pick and choose between the laws that protect them most and oppress them least. It's a feature, not a bug!

    --
    Don't piss off The Angry Economist