Slashdot Mirror

← Back to Stories (view on slashdot.org)

Personal Data Exposed! Can Legislation Fix It?

Posted by ScuttleMonkey on from the ask-and-ye-shall-receive dept.

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

8 of 154 comments (clear)

  1. More laws are the key ... to EVERYTHING by Kohath · · Score: 5, Insightful

    I know we're just one law short. With one more law, nothing will ever go wrong and everyone will live forever. Just one more law.

    I'm sure this is the one. No one will accidentally release anyone's private details when it's illegal.

    Why haven't they made getting in a car accident illegal?

    1. Re:More laws are the key ... to EVERYTHING by hey! · · Score: 5, Insightful

      True, laws cannot prevent bad things from happening to you. But they can deter unreasonable things from being done to you. And they can also compel people who willfully do such acts to make the damage good.

      These are the kinds of laws that a rational person can support. It's laws that are meant to protect us from ourselves we have to many of.

      In fact, we do not so much need new laws, but clarifications of how existing legal principles apply.

      If I park my car and do not set the brake, and it rolls down the hill into your house, the law says I have to pay for the damages to your house. Not you. You get an estimate of, say $2000, and I have to pay that plus a certain amount to compensate your for your inconvenience.

      That isn't paternalism, it's common sense.

      Now suppose I negligently release private information about you, and that results in your identity being stolen. The damage I've done to you is incalculable. And therein lies the rub. I am not responsible for the criminal misdeeds of others, but I have caused you far more than $2000 of trouble by my negligence. It is the inability to put a dollar amount on that damage that keeps me immune from being sued by you.

      If Congress set a standard $1000 damage level for negligent disclosure of private financial data, you could sue me. But you wouldn't have to. If I managed a database of a thousand people, I'd be looking at a cool million in direct liability. It would alter my calculations. I wouldn't be sending your private data home on an unsecured laptop so a temp I've done no background checks on can do a little data entry.

      That's the common theme we've seen in "shocking" cases of data mismanagement. It's not shocking at all, it's inevitable. If the cost of mishandled data is zero, then I'll risk exposing you to identity theft for a penny on an account, multiplied by enough accounts and that's real money.

      It isn't hard to secure data to the point that the risk of disclosure is negligible. But it's impossible if the cost of disclosure is zero.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Current Liability Causes Indifference by SRA8 · · Score: 4, Insightful

    Currently, vendors losing data typically offer 3 months of identity detection, as if that does anything. Criminals can simply wait 3 months and begin stealing identities freely, as most people cannot afford to purchase these costly (and largely useless) services. Unless vendors are presented with liability, as are most other businesses, data will continue to be lost all the time. There is virtually no cost to losing data.

  3. What *I* Would Like to See in Legislation? by lbmouse · · Score: 5, Funny

    Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

  4. Criminal Identity Theft by G27+Radio · · Score: 4, Interesting

    I've been writing a bit about my personal experiences with Criminal Identity Theft. It's something quite a bit different than your typical identity theft. I'm wouldn't hold my breath waiting for the states to do much about theft of personal data on their own. They didn't even bother to notify me when they found out some jerk had been using my names to commit crimes. I've come to the conclusion that the government just doesn't give a rats ass about these things.

    I'll be writing something to these guys. If you're interested in what I've been dealing with, my story starts here:

    http://g27radio.blogspot.com/2007/04/think-youre-s afe.html

  5. Accountability by AK+Marc · · Score: 4, Interesting

    There is only one thing that companies are accountable to, and that's the shareholders. If you can save $200 with crappy security and screw over 100,000 people with a breach, a company is under pressure to save the $200. If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc. Fine them up to $1000 per person exposed. Oh, lose the data of 100,000 people on an encrypted laptop left in an airport lounge? That'll be $100,000,000. Also, make concealing a breach (as opposed to reporting it) a jail-able offense. Yes, that may make losing a laptop and hiding that fact get someone more time in jail than a murderer, but we need to drop the "what would a rapist get" dogma. Yes, raping someone is bad. But what about a little loss multiplied by 100,000? Wouldn't screwing up thousands of people's lives (even if the inconvenience isn't really that large) really be in the same league as messing up one person's life really badly?

    Recap:

    Required disclosure
    Jail for those that purposefully avoid disclosure
    Large fines for breaches

    --
    Learn to love Alaska
  6. Don't legislate ! by cyberianpan · · Score: 5, Insightful

    Why you shouldn't force notifications to customers

    -Zero day exploits: crooks will rush to do zero day exploits as an official confirmation will prove they've got good data (so more sophisticated gangs will buy it from them, most fraud happens in the first 24 hours)
    -Honeytrap: When identity theft occurs law enforcement agencies may wish to honeytrap the thieves by letting them use the say credit card details & thus tracking them.
    -White Noise Defense: smart companies ought have "white noise" dud systems, easily hacked containing white noise data with honeytrap triggers (eg a valid credit card number but one that belongs to say FBI) in it !
    - and so on.

    But they should be forced to notifiy law enforcement agencies.

  7. New SSN by Alchemar · · Score: 4, Informative

    One of the biggest problems with identity theft is that SSN were not intened to be used for identification purposes. My Social Security card clearly states that it is for Tax and social security purposes only - not for identification. Yet every organization out there wants to use your SSN for an ID. It use to be my student number, my health care number, and I can't recall the last time I needed to access banking information that I wasn't asked for the last 4 digit to "VERIFY MY ID" The people that set up Social security numbers knew that using it for ID would be bad. Try refusing to give your SSN. Unless you are independently wealthy, that means no job, no bank account, no phone, no Drviers license, no house, no car, and no insurance. What I want is for them to enforce the laws that we have. If we must have a new law, make it a criminal offense to ask someone for their social security number unless they must file a tax in that person's name, and also make it a criminal offense to use the social security number for any purpose other than filing that tax form. The main problem is that since the Social security office doesn't recognize that a social security number is an ID, having your ID stolen is not a valid reason to get a new number. The social security office recomends that you move to a new country and start over, and other countries actually have fleeing the US for identity theft as one of the reasons to seek relocation into their country

    If they absolutly need a national means of identifying people, then it needs to be in a secure manor. My suggestion is to issue everyone an electronic ID card. With all the extra "security" that goes into an id they can afford a small dedicated computer the size of a credit card calculator that only gives a secure ID number. When someone needs to verify your ID, they must request a key from the goverment, similar to a tax ID, but it is the public key for an encryption. They give you their public key, you enter it into your computer wich has your private key, it generates a number, the company sends that number to a goverment computer, it returns the critical information for the person involved. Name and Birthday. If they require more information, they must fill out the goverment forms explaining what information they need, and why; which becomes public record. Set it up so that your computer tells you what the company is, and what information they will be given. Now they have a secure means of identifing you, and you can verify who is requesting the information, and the ID number you give them is only good for that company. They can't use the data to request a new credit card, because the credit card company would be given a different number based on their public key. Set a password on the computer so that it can't be used if stolen, and set provisions where someone can request a new card and private key if it is compromised.