Slashdot Mirror


Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches do not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

328 comments

  1. Yea! by Anonymous Coward · · Score: 0

    If they do not, who will?

    1. Re:Yea! by corsec67 · · Score: 4, Insightful

      Next step:
      Actually punishing companies that break laws, in such a way they can't just dissolve the front and start with a new name and the same people.

      --
      If I have nothing to hide, don't search me
    2. Re:Yea! by Anonymous Coward · · Score: 4, Interesting

      Exactly right. Nobody.

      At the very least, they should be held civilly liable. We should be suing every last one of these MFing companies that hand our personal data over to criminals to the fullest extent provided by law. There should be statutes on the books allowing for statutory damages to be awarded when our personal data is negligently handled.

      And where are the ambulance chasers in all this? Why aren't there ads on my TV for shysters who will take on these cases?

      Follow the money... who's getting paid? The politicians. Barack Obama, John McCain...doesn't matter who you vote for, because they both have their hands in the same pockets!

    3. Re:Yea! by Lumpy · · Score: 5, Interesting

      Actually wrong.

      The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT department's budget to increase security.

      If the CEO has the fear of being raped by bubba while the CTO is told "you're next pretty boy", they will quit spending money on their company BMWs and office remodels and actually give the IT departments the funding they need to have the staff and hardware to do their FUCKING job.

      Do I seem a bit jaded?

      --
      Do not look at laser with remaining good eye.
    4. Re:Yea! by Hurricane78 · · Score: 0, Redundant

      You said EXACTLY what I wanted to say... I thank you and second that.
      And I hope someone mods you up. *hint* *hint*

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    5. Re:Yea! by Crazyswedishguy · · Score: 1

      They will quit spending money on their company BMWs and office remodels

      You are completely right, I also am positively certain that they won't just find somewhere else to cut costs.

      --
      This space up for sale.
    6. Re:Yea! by greenbird · · Score: 3, Insightful

      The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT department's budget to increase security.

      The only problem is that the executive staff won't be the ones going to jail. I guarantee it won't be any executives. It'll be the poor overworked IT guy doing 6 different jobs and is on call 24/7/364 (he gets Christmas off) who ends up with all the blame. And then the executive staff will give themselves a raise for doing such a good job getting to the bottom of the security breach and taking such decisive actions in making sure it'll never happen again.

      --
      Who is John Galt?
    7. Re:Yea! by b4upoo · · Score: 1

      The glitch is that it is the owners and investors that should be punished. They determine the number of employees, the quality of the employees as well as the allotment of time and money towards data security.
      Just how can we punish those who may not actually have the ability or be allotted the time to make data safe?

    8. Re:Yea! by bb5ch39t · · Score: 1

      100% agree. I bring up areas that I am concerned with in this type of area. The usual response is that it would cost too much to secure that or that there is not enough time to implement it because the CUSTOMERS want access RIGHT NOW!!! The first on the scene for a customer is likely to get that customer's business. If you tell them that it will take a bit longer so that we can be sure that their privacy is assured, they won't much care. At least, that's my take on it.

    9. Re:Yea! by HiThere · · Score: 2, Insightful

      Major investors should be punished, yes. Minor stock-holders...no more than losing their investment. Directors, yes. Corporate executives, yes.

      It should be handled analogously to fiscal malfeasance. ... Or rather as fiscal malfeasance should be handled.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    10. Re:Yea! by Anonymous Coward · · Score: 1, Insightful

      Which is why the executives need to be PERSONALLY responsible for any security breaches. I don't care if Dave in IT support is to blame, the CEO gets his ass in the grinder for it.

      By doing that, things get done. For an example, see Sarbanes-Oxley. They get off their asses and make sure it's done because with SOX the executives are personally responsible for it.

      P.S. They deserve it, they get the outrageous pay for being the one in charge, then they get the risk as well.

    11. Re:Yea! by ps2os2 · · Score: 1

      Well, the CTOs and CIOs that I know couldn't be called pretty boys, more like ugly Aunt Wanda :)

    12. Re:Yea! by Z00L00K · · Score: 1

      The CEO/President shall be ultimately responsible for all legal trouble that a company finds itself in or is contributing to.

      The board of directors may also take the punch.

      Heads of IT department may or may not be responsible, but it is important for that person to get his/her back clean by requiring things in writing whenever security is relaxed by directive from above. This is also something for employees to be concerned with.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    13. Re:Yea! by rhyre · · Score: 1

      Some (at least 50%) of these breaches could be the result of social engineering. Will the CEO take the "pounding" for the IT admin error?
      Unlikely
      But financial ruin much easier and probably more effective. A court hearing should be able to impose appropriate civil penalty - this has been done in cases of Accounting Fraud.
      Sanctions could include:
      - unable to work for a firm which is incorporated in the state of (select state here) for X years
      - unable to work for a firm whose stock is publicly traded in the US.
      These firms have NO BUSINESS retaining the credit card data, especially if it's in the same database as other customer details. Perhaps they could keep the output of a one-way hash of the card # with something else, but they just shouldn't keep that number on file.
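
An added example, not from the thread, of the "one-way hash of the card number with something else" rhyre mentions. It shows why the "something else" has to be a secret key rather than a public salt: a card number has far less entropy than its 16 digits suggest, so an unkeyed hash can be brute-forced once the issuer prefix and the last four digits (which receipts and "masked" displays expose) are known. The card number is the constructed value 411111532067111 plus its Luhn check digit, and the key is generated in the demo; in a real deployment the key would sit in an HSM or a token vault.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the one check digit that makes `partial` Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return partial + d
    raise AssertionError("unreachable: one digit always completes the checksum")


def weak_token(pan: str) -> str:
    """Unkeyed SHA-256 of the card number: the 'one-way hash' as people
    usually first imagine it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def strong_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256). Equal cards still map to equal tokens, so
    a returning card can be recognised, but without `key` the token says
    nothing about the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def brute_force(token: str, bin6: str, last4: str,
                tokenize: Callable[[str], str]) -> Optional[str]:
    """Recover the PAN behind `token`, knowing the 6-digit issuer prefix
    (BIN) and the last four digits. Only the six middle digits are
    unknown, so the whole search is at most 10**6 calls to `tokenize`."""
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if tokenize(candidate) == token:
            return candidate
    return None


def card_record(pan: str, key: bytes) -> dict:
    """What a merchant row may hold instead of the card number: a keyed
    token for matching and the last four digits for display. The PAN
    itself is never returned."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {"token": strong_token(pan, key), "last4": pan[-4:]}


if __name__ == "__main__":
    pan = luhn_complete("411111532067111")      # constructed test number
    bin6, last4 = pan[:6], pan[-4:]
    key = secrets.token_bytes(32)               # would live in an HSM / token vault

    print("unkeyed hash recovered:",
          brute_force(weak_token(pan), bin6, last4, weak_token))
    attacker_guess = secrets.token_bytes(32)    # attacker does not have `key`
    print("keyed token recovered :",
          brute_force(strong_token(pan, key), bin6, last4,
                      lambda p: strong_token(p, attacker_guess)))
    print("stored row:", card_record(pan, key))
```

The unkeyed search finishes in well under a minute on a laptop, and the same search against the keyed token fails because the attacker is guessing the key, not the digits. Tokens made with `strong_token` still let a merchant match returning cards and still require protecting the key, but a database dump without the key is noise; neither scheme is a reason to keep the full number on file, which is the commenter's point.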

  2. Yes/No by HappySqurriel · · Score: 5, Insightful

    I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.

    1. Re:Yes/No by penix1 · · Score: 4, Insightful

      I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    2. Re:Yes/No by kannibal_klown · · Score: 5, Interesting

      I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

      Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

      A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

      I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

      In all, it's a mixed bag of blame. Personally I think the government and law enforcement should take Identity Theft a lot more seriously, with major penalties against these fraudulent jerks.

    3. Re:Yes/No by zappepcs · · Score: 2, Funny

      So all is ok if the stolen laptop had everything encrypted? That would seem legally equivalent to someone hacking at a server in the company's data center but not getting in. Then what kind of paperwork etc. is required for a contractor to use laptops from the company contracting them? The point being, how far can culpability be extended through the food chain? If an employee is not a security expert and does what IT told them to do but a compromise still happens, is the company or an employee guilty? If my details are leaked and my ID stolen, can I sue the company, the CIO, and the employee?

      Sarbanes-Oxley has already wreaked havoc on the business world. Extending culpability for data breaches to criminal prosecution would be even more destructive in terms of the changes and security costs involved in protecting the company from financial damages in the event of a data breach.

      I'm still waiting for DHS confiscation of a laptop to cause a data breach. When (not if) that happens, can we sue the government?

      (I am playing devil's advocate, or rather corporate advocate)

    4. Re:Yes/No by Sylver+Dragon · · Score: 4, Interesting

      I think there is a way to go about it that would work.
      The first thing that would have to be done is that we would need some guidelines as to what a "reasonable" level of security is, and even that might be scaled based on the type of information stored. This should then be re-evaluated yearly by a commission of qualified IT managers from industry. There are other limitations which should be placed on the commission, but that's outside the scope of this uninformed rant.

      Just as an example:
      Storing customer names and addresses - Database encryption and basic perimeter security may be considered reasonable. Losing data and not being there should result in fines and maybe some jail time.

      Storing Credit Card info - Same as above, but add backup encryption, laptop hard-disk encryption, internal firewall for DB servers and source code audit on all applications with DB connections. Failure to comply and losing data would be hefty fines, jail time for those responsible for the systems, and civil liability to those people affected.

      Storing Social Security Numbers - All the above, but damages increase substantially, as does jail time, with c-level execs getting in on the PMITA action. And civil liability is increased to "the affected customers now own your ass" level.

      The problem, of course, is that it would be the government doing it, so they would invariably screw it up.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    5. Re:Yes/No by jellomizer · · Score: 2, Interesting

      Great idea, let's throw business back 2 decades. This data is used beyond just advertising and marketing; it is used to improve the business on the whole.

      Eg. When you call your credit card company you can usually get your balance and access what are most usually called features right away. I bet if you call them a few times and don't go that route, the phone system may change for you to get you on and off the line quicker, making you happy as you are spending less time on the line and them happy not having to pay to keep you on the line for longer times.

      Or if you go back to the store or an online store then it can fill out all the information for you that you entered in already making checkout a lot quicker.

      How about tracking progress of a product line. They see that while a product is still selling strongly they may find that some areas are stopping and spreading, thus time to change the product or offer services to extend the product. Or change the shipment quantities around so one location isn't overstocked and the other has a stock out.

      Data is key for a successful company; as IT guys you really should know this already. Lack of data will cause you to go by the gut and just start guessing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Yes/No by thesolo · · Score: 5, Interesting

      A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

      $10 says someone was either creating top-line reports or other such nonsense based on spreadsheets full of live data, and they brought it home/outside of the office to continue working on it past business hours.

      I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting. People don't follow IT protocol when it becomes inconvenient for them to do so. (i.e. staying late at the office vs going home & working there.)

    7. Re:Yes/No by David+Gerard · · Score: 5, Interesting

      The Economist ran a report pointing out that companies had whined at length about how Sarbanes-Oxley was crippling their business, but they did an investigation and found that the companies in question were doing as well as before or better.

      (The Economist is absolutely gung-ho to the point of stupidity about free markets, so I don't think they have some sort of corporate agenda in saying so.)

      --
      http://rocknerd.co.uk
    8. Re:Yes/No by Zironic · · Score: 4, Insightful

      Tell me again what part of those features require my personal data? Learn to use a serial number seriously.

    9. Re:Yes/No by Anonymous Coward · · Score: 0

      If a company is going to collect and store personal data, it should have to notify annually all who are in the database. Like FDIC, all data stewards need to carry insurance of say $250,000.00 per account for potential losses.

      Too many companies are holding data without the ability to protect it.

    10. Re:Yes/No by __aagmrb7289 · · Score: 3, Informative

      The credit card industry has mandatory PCI compliance. This basically covers your concerns. Supposedly, those companies not compliant will not be allowed to process credit cards - and the requirements must be audited and proven by an outside firm. It's QUITE expensive. The problem is whether or not these rules are being enforced. They ARE getting more stringent as time goes forward.

    11. Re:Yes/No by nine-times · · Score: 2, Interesting

      Well what about long-term services like Life Insurance?...A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it.

      It seems like you could have a rule to dispose of data after the transaction except in businesses/industries where it's necessary, and then regulate those businesses/industries better than we do now. How about it's illegal for a company to put that sort of data onto a laptop?

    12. Re:Yes/No by Anonymous Coward · · Score: 0

      Apparently you have not purchased life insurance recently.

      I'll be brief.

      When an Agent sells you a policy they bring along a laptop and enter your personal information into it.

      Following along so far? Good.

      The laptop is then lugged back to the Office and the data is uploaded from there. I would imagine that the original data still resides on the laptop.

      No insurance company will issue cell cards to their agents just to sell a life insurance policy, and I sure as heck wouldn't want the portal to my info accessible through the internet anyway.

      So I'm sorry your friend's info was stolen. But that is the nature of the beast.

    13. Re:Yes/No by Foofoobar · · Score: 4, Insightful

      Nobody needs to store SSN's except the government that issues them. The fact that people made the MISTAKE of standardizing on SSN's as primary keys for users to begin with is their own fault. Mainly because SSN's are horrible primary keys since they REPEAT!!! Yes look it up... they DO get reissued after death and with longterm storage, this will only cause issues for storage of personal data.

      Second, data loss is a quick route to a lawsuit as a result of storing SSN's; people and companies need to stop this bad procedure especially since laws in several states have been passed banning the practice. Good security can only do so much as human error is inevitably your final point of failure. And do you want to have a couple million social security numbers relying on the security of a backup tape in the back of your junior sysadmin's Pinto overnight?

      --
      This is my sig. There are many like it but this one is mine.
    14. Re:Yes/No by whoever57 · · Score: 1

      I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences.

      The problem with this is defining the "necessary steps". Definitions could be abused both ways to the advantage or detriment of the company that lost the data. Also, what if the company chooses to use software that has a history of vulnerabilities (including zero-day vulns) and performs all updates on schedule? Did the company perform the "necessary steps" when the problem was really the original choice of s/w? Does "necessary steps" allow for a delay before installing the new patches from MS on patch-Tuesday to allow testing and making sure that the patches don't screw something up, or would "necessary steps" require installing all new patches a few minutes after MS releases them?

      I think that the "necessary steps" test is likely to allow companies to select insecure software and then, as long as it is kept up-to-date, avoid any responsibility for that original poor choice.

      --
      The real "Libtards" are the Libertarians!
    15. Re:Yes/No by the_crowbar · · Score: 1

      PCI compliance is great and all, but in many smaller industries/specialized software PCI compliance is not enforced. I actually wrote a batch CC processing software for my employer and nowhere did PCI compliance enter the discussions. Neither the CC processor (one of the largest in the US) nor the bank said one word about it. Some of the software that we use is industry specific. Probably in use at fewer than 2000 companies of which we are the largest. I have been pushing for PCI compliance for a while. The developers say that they are beta testing a new version that addresses my concerns. I do not hold my breath.

      Shifting to the realm of possibility. We run software that is not currently PCI compliant. If a breach occurs because of that software, who is at fault? My employer or the company that developed the software? If I understand the PCI spec correctly the software developer is on the hook, not the end-user of the software. Now what about the EULA of the software? They all basically say that you pay for the software, but if things break you get both pieces. Does this shift the blame back to the user of the software? What about smaller shops? Mom and pop outfits that lose several hundred to a few thousand records? CC companies charge the merchant ~$49/lost card info. Do these big outfits get charged this fee as well?

      If Best Western lost 8 million records do they get charged $400M for the loss?

      Cheers,
      the_crowbar

      --
      Have you read the Moderator Guidelines
    16. Re:Yes/No by Vancorps · · Score: 1

      How about distributed warehousing like every major retailer does? The parent even alluded to it by mentioning inventories. It's cheaper for them to send a package from the same state as the customer.

      Honestly the data helps a lot of companies also decide where to grow. You can argue that names aren't necessary for most tasks but addresses definitely are.

      Then of course there are sites like ours which dynamically charge tax based on the person or company combined with location. Some customers the company picks up tax for and for some customers they don't.

      There are a lot of scenarios out there where all of that information can become useful, especially in my business where you wind up with people bringing in lots of cash trying to dodge taxes. Of course it doesn't work since we track who gave us what and are obligated to keep the information for seven years for IRS purposes.

      We don't however store social security numbers or credit card info beyond the time needed to complete the transaction.

      I'm finding myself in an odd position these days, on the one hand I'm a tired IT Manager posting on slashdot during what should be my lunch break. On the other hand I think privacy and security are very important and breaches shouldn't be taken lightly. I'm not given the resources to cover any and all bases though so I make security the priority at deployment time, if my deadline gets brought forward significantly which happens from time to time some of my testing might go by the wayside since the application or feature works. Should I be criminally liable for these conditions?

      I'll move forward, should the CEO or CIO be criminally liable for this? What if I report to him incorrectly that I've secured a certain list of vulnerabilities? The cost of independently verifying all of that is astronomical especially when you factor in lost productivity for me while I introduce the auditor to the system.

      One of these days they'll hire someone to help me with the back-end stuff. In the meantime I'll just keep moving forward auditing what I can where I can.

      Full disk encryption for the win on any laptop storing sensitive information. Although since we're growing VDI and a VPN connection starts to make a lot more sense. Then there is limited data on the laptop which can more importantly be controlled centrally.

    17. Re:Yes/No by beadfulthings · · Score: 2, Insightful

      Getting rid of the credit card data after X weeks seems like an excellent idea.

      It's not easy to get a room at a decent hotel without a credit card. Certainly in some places you can pay cash in advance--but you can't use the phone, order a meal, connect to their network. If they require a credit card, or make it too difficult to procure their services without one, then they should absolutely be held accountable for the safety of the information.

      Organizations of all sorts--retail, airlines, hotels, hospitals, insurance companies, banks, potential employers, not to mention government agencies--are ravenous for your personal information. They go to great lengths to get hold of as much of it as they can, whenever they can, using whatever methods they can. If they want it that badly, they should be responsible for its safety and security, and they should be held accountable when it's compromised.

      We received a letter from our bank a couple of years ago saying that my husband's debit card (never used online) had been compromised, that he should stop using it, and that a new one would be issued. It arrived in due course, but they would never reveal who had screwed up or what had happened. It had to have been a local entity, but it could've been a supermarket, a restaurant, a gas station--we will never know. We don't even have the recourse of not giving them more business and further opportunities to screw up.

      --
      "Here's what's happening. You're starting to drive like your Dad..." - Red Green
    18. Re:Yes/No by yachius · · Score: 1

      Can you cite any database that uses the SSN as a primary key? You'd have to be a pretty dumb database designer to do that. Even if the database doesn't allow for duplicate SSN's, it would be accomplished with a constraint on the SSN field with a normal, auto-incrementing integer as the primary key.

    19. Re:Yes/No by CodeBuster · · Score: 3, Insightful

      The issue is one of negligence not the relative efficacy of the available security technologies. If a company is found, upon discovery, to have exhibited a complete or reckless disregard for the potential consequences of a breach then some liability is in order. The "reasonable man" test can be used by juries to decide whether or not the circumstances surrounding the breach amount to negligence and what the appropriate remedy should be. The negligence tort has already been well litigated in common law countries (like the US, UK, and Australia) so the only thing different here are the details (IT technical details) which might require expert witnesses to testify or offer their opinions, but the basic law in negligence is well settled (at least as far as I understand it, but IANAL so please do not take this as formal legal advice) once the details or facts of a particular matter have been determined.

    20. Re:Yes/No by Anonymous Coward · · Score: 0

      Social Security Number

      Bzzzzt! An insurance company does not need anybody's social security number.

      Never give your SSN to an insurance company.

    21. Re:Yes/No by Qzukk · · Score: 3, Insightful

      Data is key for a successful company

      I never hear about a company having the laptop containing their inventory records getting stolen. Is that a function of nobody but the company caring, or do companies take better care of their "keys" than their customers'?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    22. Re:Yes/No by CodeBuster · · Score: 1

      Compared with what passes for a periodical these days the Economist is the paragon of journalistic rigor and integrity and even when judged from an academic standpoint the articles, econometrics, and original research stand up quite well. You could do a lot worse than the Economist for your business and world events news.

    23. Re:Yes/No by PitaBred · · Score: 1

      That's why we do drive-level encryption. We have enough data that's sensitive for our clients that we just encrypt the heck out of everything. Both the convenience of not needing to shuttle gigabytes of data through a VPN, and the security of knowing someone will have to work pretty hard to get into the machine, if it's at all possible for someone short of government-level access to drive decryption keys and such.

    24. Re:Yes/No by VEGETA_GT · · Score: 2, Insightful

      Ok, first off, if you are an IT person whose job partly involves dealing with a server holding user records, you could be held responsible for even a simple mistake. That I don't mind, but criminal charges for said mistake seem a little over the top. If this actually became law, watch how many IT people will decide it's not worth the risk or decide their salary needs a big jump because of the risk.

      This is similar to what my father has to deal with in Ontario, Canada. He is a maintenance manager at a production plant, so he has to make sure the machines are fixed and the plant is safe. Now here is the kicker: if someone gets hurt and he did not do EVERYTHING (I stress that word here) he could possibly do to prevent the injury, he could face criminal charges. Ok, now define everything. Say a guy gets hit by a fork lift: did my father have caution tape along the entire stretch of the building the forklift was driving, were there 10 people in front of the forklift making sure no one was there, were there 15 different noises coming from the thing, an announcement over the PA saying it's on the way? Um, ok, the answer is no. He has to be reasonable, but in a court of law people have been screwed over for less. It's to the point where anyone who is above the ground, I believe 5 feet, needs to be tied off. Um, that begs the great question: tied off to what? How do you tie off without getting up and tying off to something above you, da da da. It gets to the point of being just dumb. Right now to go up on the roof he has to fill out a form. Takes him 30 min of paperwork to check 1 thing on the roof. I agree with safety but that's to the point even Darwin is shaking his head.

      So back to IT. Let's go to court: define EVERYTHING you could have done to prevent a hacker from getting data from a server. Well, I can unplug it, beat the living crap out of it, encase it in concrete, drop it in a lake, and then it's 99% safe. There is always a new hole, but the patch came out for it yesterday and someone took the data 5 min before it got patched; why was it not patched 5 min earlier? Why were you not running the newest 2.0.3.4.66.3.11 instead of 2.0.3.4.66.3.10? That's the sort of thing someone may try in court. How do you defend yourself, as in court the common sense approach doesn't always seem to work?

      Basically, how far can you go to say you did everything, and was everything enough? Well, it never is. LET'S bring the guy who came up with safety devices for cars to court: people still died in your car, why is that, how come you did not provide a trained driver with the car, full body air bags, da da da. Yes, slippery slope.

    25. Re:Yes/No by Dr_Barnowl · · Score: 1

      You don't need to store all those details about personal identity though. You only need to know that someone is the person with a contract with you.

      Swiss banks will deal with people so long as they know the account number. Modern cryptographic techniques no doubt supplement this to the point where the attestation that a given set of credentials is genuine is more reliable now than at any time in history; the only missing variable is the assurance that those credentials belong to the person presenting them, which no doubt biometrics can solve; you don't need to store the biometric data either, you just need to cryptographically sign a hash of it, and forgery is well-nigh impossible. The customer can retain the data with your signature (maybe placing a backup in a safety deposit box), and you can verify that yes, it was you, and yes, it was this person, and yes, you have a contract.

      In the past, personal familiarity would trump this, of course, but in this era, where everyone is a few rows of data in some corporate database close to a pebibyte in size, personal anonymity is easy to achieve with the right credentials; photo ID is easy to forge. Crypto can at least make identifiers that are hard to forge. If you include the biometrics, they are hard to share with other people too, and you don't need to retain the biometric data at the corporate end of the transactions.
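      The credential scheme sketched above, as an added example that is not part of this thread or of any product: the company signs a SHA-256 digest of the customer's identity data plus a contract id with an Ed25519 key, hands the signature back, keeps nothing but its key pair, and later verifies whatever data the customer presents. The record fields, the contract id format and the fixed-byte biometric template are assumptions; real biometric captures vary between readings, so an exact-match template is assumed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// IdentityRecord is the data the customer keeps (with a backup in the safety
// deposit box, if they like). The company never stores a copy.
// Field names and the fixed-byte Biometric template are assumptions for this
// example; a real template would come from a biometric extractor.
type IdentityRecord struct {
	ContractID string // the one thing that ties the person to the contract
	Name       string
	BirthDate  string
	Biometric  []byte // constructed stand-in for an exact-match template
}

// Credential is all the company hands back: a digest of the record and the
// company's signature over that digest. It contains no personal data, so a
// lost copy of it reveals nothing about the customer.
type Credential struct {
	Digest    [sha256.Size]byte
	Signature []byte
}

// Issuer holds the company's Ed25519 key pair. Only the public key is needed
// to verify, so the private key can stay offline or in an HSM.
type Issuer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, pub: pub}, nil
}

// Digest hashes the record with length-prefixed fields, so that moving bytes
// between adjacent fields (a shorter name and a longer birth date, say)
// cannot yield the same digest as the original record.
func Digest(r IdentityRecord) [sha256.Size]byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(r.ContractID), []byte(r.Name), []byte(r.BirthDate), r.Biometric} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	var out [sha256.Size]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Issue signs the digest of the record and returns the credential. The record
// itself is not retained anywhere on the issuer side.
func (i *Issuer) Issue(r IdentityRecord) Credential {
	d := Digest(r)
	return Credential{Digest: d, Signature: ed25519.Sign(i.priv, d[:])}
}

// Verify answers the three questions from the post: was it us (the signature
// checks under our public key), is it this person (the presented data hashes
// to the signed digest), and is there a contract (ContractID is covered by
// the digest). Any change to the data, the digest or the signature fails.
func (i *Issuer) Verify(r IdentityRecord, c Credential) bool {
	d := Digest(r)
	if !bytes.Equal(d[:], c.Digest[:]) {
		return false
	}
	return ed25519.Verify(i.pub, d[:], c.Signature)
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; no real person.
	rec := IdentityRecord{ContractID: "CONTRACT-0001", Name: "Jane Doe",
		BirthDate: "1970-01-01", Biometric: []byte{0x10, 0x20, 0x30, 0x40}}
	cred := iss.Issue(rec)
	fmt.Println("genuine record verifies:", iss.Verify(rec, cred))

	forged := rec
	forged.Name = "John Doe" // someone else presenting the same credential
	fmt.Println("altered record verifies:", iss.Verify(forged, cred))
}
```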

    26. Re:Yes/No by dfm3 · · Score: 2, Interesting

      I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

      Indeed, this is the heart of the problem: When X = 52 weeks, or 2 years, or forever. I can understand why a hotel would want to keep my information on file for a short while, say a week or two to assure that I've been charged for my visit, or held responsible if I happened to break a lamp or a window, but I see absolutely NO REASON why a company has to keep my credit card details on file for an entire year after I have concluded a business transaction with them.

      Less critical information such as my name, address, or phone number, sure. If I give this information up I understand that the company might want to use it sometime in the future to contact me. But what benefit is my credit card number to said company a year or two down the road? Is there some sort of insight that can be gained from analyzing credit card usage data? Does the information (if any) gained from such analysis really help them improve the way they do business? It sounds like too many companies have been caught up in the "if we can store the data, we will, even if it's useless" mindset.

    27. Re:Yes/No by baggins2001 · · Score: 2, Insightful

      This happens all the time. I've had VP's admit it to me and when I tell the CEO he doesn't really care.
      So therefore I don't care anymore.
      Security becomes a business cost that they didn't anticipate or aren't willing to accept.
      In fact during the latest briefing, we were told that we were looking to go public in a foreign exchange where the regulations weren't as strict.

      --
      He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
    28. Re:Yes/No by baggins2001 · · Score: 1

      In the limited number of places I've seen, Sarbanes-Oxley makes them adhere to good business practices. The same with ISO standards (usually the gripes occur with lack of understanding). During a recent audit one of the customer auditors asked for proprietary information. I refused because there was no reason for him to have it and our shared IP clause did not cover that information. He got pissed and the VP of Marketing gave it to him. We never got a contract from the company and the VP and CEO can't understand my reasoning for why. Basically on paper we passed the audit, but we failed, because we conceded proprietary information during the audit.

      --
      He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
    29. Re:Yes/No by Anonymous Coward · · Score: 0

      This will only hasten the shift to outsourcing IT as it relates to this. They can't prosecute someone in India.

    30. Re:Yes/No by Thrip · · Score: 1

      I find it surprising that neither your credit card processor nor bank "said one word about it." Ours told us flatly they would not do business with us anymore if we couldn't show compliance. In fact, it was our bank that made us pay attention -- we would have blown off the credit card companies. The way PCI is supposed to work is that if any credit card fraud occurs that can be pinned on a breach in your service ("you" being anyone who stores card data), you get a fine starting in the tens of millions of dollars. That should scare people into compliance, but a lot of companies are just incapable of being scared -- the officers have limited liability, and they look at business as rolling the dice anyway.

      --
      I'm awake! The answer is BONK!
    31. Re:Yes/No by kannibal_klown · · Score: 1

      Apparently you have not purchased life insurance recently.

      I'll be brief.

      When an Agent sells you a policy they bring along a laptop and enter your personal information into it.

      Following along so far? Good.

      Sarcastic much?

      I have. First 7 years ago, the same policy and time he got his, and more recently I got a 2nd policy 3 years ago. And in both cases there was no face-to-face with an insurance guy as they were through my companies.

      In both of our cases (7 years ago) it was through our respective Consulting firms, and we had to certify-mail and fax some data to their head office and were done. Since we left they let us continue our policy no problem.

      It's not a major policy, just enough to cover our funerals and maybe a little extra.

      So if this was 7 years ago, and there was no face-to-face, then why should it be on a laptop in 2008?

      It should have been entered directly into their system and that should have been the end of it.

      Someone suggested that his data was being used to render some report (or some such nonsense). That makes more sense than "someone cached our data 7 years ago while entering it and never deleted it."

    32. Re:Yes/No by Fulcrum+of+Evil · · Score: 1

      A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

      So what? They don't need your SSN and other info for every little thing. SSN data should legally be treated like a credit card number - series 70 data that has no business being a PK in a database or published anywhere.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    33. Re:Yes/No by Nefarious+Wheel · · Score: 1

      I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen'

      I agree, and there should be penalties for egregious misuse of data placed in one's trust.

      I do hope, however, that there should be some limit on the liability of IT professionals who do their best to prevent disclosure, but who are either one step behind the black hats or overworked to the point where technical oversight and coverage of the systems in their care is compromised. This isn't just a bleeding heart beating here, I'm worried that overall IT security will suffer if good engineers and sysadmins are frightened away from the security field by the spectre of personal liability. Fewer people in IT security == epic fail.

      --
      Do not mock my vision of impractical footwear
    34. Re:Yes/No by kannibal_klown · · Score: 1

      Nobody needs to store SSN's except the government that issues them. The fact that people made the MISTAKE of standardizing on SSN's as primary keys for users to begin with is their own fault.

      I'm no Database expert (or DBA) but I'd never use SSN as a primary key for the same reasons you listed (not to mention privacy ones). However, considering the piss-poor Oracle developers and DBAs I've met I have no doubt that some people out there are using it that way.

      Heck, colleges alone probably start the trend in the people they train as many colleges use the SSN as the student number that has to be on every-piece-of-paper a student hands in.

      Considering how important an SSN is, I'm pretty disappointed in how many places ask for it. I reported a cable outage to Comcast for my parents once and the idiot tech said they couldn't proceed without the subscriber's SSN. I questioned him on it and argued that it was ridiculous until I finally hung up.

    35. Re:Yes/No by GodKingAmit · · Score: 1

      My university does this. Ugh.

    36. Re:Yes/No by RyoShin · · Score: 1

      What about voluntary storage? I'm all for banning information not authorized by a person to be kept for X time-span. But there are a lot of services/sites where storage of personal information or CC data is useful or convenient to a person, even if you think the practice is stupid. I'd find Woot.com more annoying to use if I had to type in my CC every time (especially during Woot-offs or BoCs), and many people like the idea of one-click purchases.

      EULAs don't count, it has to be a conscious, specific opt-in separate from any sort of sign-up procedure (or, if it is part of said procedure, must be on a page of its own and off by default).

    37. Re:Yes/No by kannibal_klown · · Score: 1

      You don't need to store all those details about personal identity though. You only need to know that someone is the person with a contract with you.

      Sample scenario of face-to-face between widow and life insurance agent, using your logic.

      Widow: Hi, sniff, this is Mrs So-and-So. My husband was just killed in a fire last week. Specifically, our house burned down. I believe he has a policy with you.
      Agent: I'm sorry to hear that. What's his account number?
      Widow: I don't know, most of his papers burned and I can't find them.
      Agent: I'm sorry, without your account number I cannot help you.
      Widow: But here's the police report, death certificate, his name, social security number, and birth certificate.
      Agent: Sorry, without that number I cannot continue. NEXT!

      Now, granted said husband should have kept that info in a safe deposit box, fireproof safe, etc. But a wife, husband, daughter, mother, etc might not always have access to account info.

      In those cases they would need to backtrack via personal data (name + birthday, etc). Sure the process might need a lot more red tape to weed out fraud but it still needs to be a possibility.

    38. Re:Yes/No by T3Tech · · Score: 1

      Some years ago I dealt with several databases where the primary key was the student's SSN. Most used a separate field as the primary key and there were new db systems in the works when I left, but at least not too long ago there were still a handful around. I would suspect there are still other systems around that for whatever reason (expedience, incompetence) use an SSN as a primary key. It was only back in 2005 that CPSR was reiterating that SSN's are bad as db keys, so it wouldn't seem too much of a stretch to think that there are still dumb db designers out there.

      I never liked the fact that SSN's were kept in the student databases I worked with at all, much less were used as an ID, but some stupid federal programs require that info to be available for eligibility (e.g. free/reduced lunch).

      I agree with the GP that SSN's should only be stored by the SSA. However, I'd go one step further and say that they shouldn't exist at all anymore - the SS program itself has outlived its usefulness, but that's another issue.

      IMO, the IRS using SSN's as TIN's was rather stupid, though I'm sure more than one person thought it was a good idea at the time. Add in the ubiquitous use of the SSN as a 'positive identifier' by every entity and its sister organization and you have created an environment where ID theft is so simple that any common street thug can do it. SSN's are useless as a unique positive identifier, but it still amazes me that public and private entities accept one as a valid ID.

      Make SSN's completely meaningless and ID theft becomes at least a little bit harder to accomplish, and the risk/reward ratio isn't nearly as attractive. The problem is this would require so many changes on so many levels of government and the private sector that it's almost mind boggling.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
    39. Re:Yes/No by turbidostato · · Score: 1

      "The first thing that would have to be done is"

      Is looking to anyone of quite a lot of countries that have already passed laws about personal information management, like all those from old Europe.

      No need to reinvent the wheel, sir.

    40. Re:Yes/No by innocent_white_lamb · · Score: 1

      I reported a cable outage to Comcast for my parents once and the idiot tech said they couldn't proceed without the subscriber's SSN.

      The (Canadian) cable company that I do some occasional tech work for can look up subscriber records by account number (of course), name, street address or telephone number. Telephone number lookup is generally about as fast as account number. Name or street address generally takes about one minute.

      --
      If you're a zombie and you know it, bite your friend!
    41. Re:Yes/No by Nefarious+Wheel · · Score: 1

      I'm not given the resources to cover any and all bases though, so I make security the priority at deployment time. If my deadline gets brought forward significantly, which happens from time to time, some of my testing might go by the wayside.

      The problem, then, is you're an individual human, qty(1), who can't cover all the bases simply because there are too many bases.

      At the board room, it's all about calculated risk (in a competent board room, anyway). I remember hearing a representative from a school bus company talking about pupil security a long time ago. He said we could build the school buses as secure as the customers like; if they wanted to stop a wire-guided missile, they could probably put enough armour on it to do so. Of course, nobody would buy it...

      The point here is that there is only so much armour plate you can put into an IT infrastructure. Beyond the threshold of silly, you just need to stop, check that your security efforts have been to the level you specified, then find and prosecute the intruders or write off the loss.

      The down side is that you're only human. The up side is that your intruders are, too.

      --
      Do not mock my vision of impractical footwear
    42. Re:Yes/No by T3Tech · · Score: 1

      It's all good that they are at least using machines with PCI but aren't they a little behind the times, I mean come on, we're using PCIe and AGP now.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
    43. Re:Yes/No by kannibal_klown · · Score: 1

      The (Canadian) cable company that I do some occasional tech work for can look up subscriber records by account number (of course), name, street address or telephone number. Telephone number lookup is generally about as fast as account number. Name or street address generally takes about one minute.

      And that's what I've come to expect. I had the account number written down and obviously knew the rest if they needed it. But this idiot said I could not report it without an SSN.

      I asked him "do you mean account number?" and he replied "no, your social security number." I found that completely ridiculous and told him as much. I even suspected it was bogus since I'd never been asked that before by a cable company tech support lackey.

      So I hung up and called back later. They let me proceed with just the phone number and confirmation of the address. I should have questioned the lady on the phone during the second call but I was in a hurry to go out that night.

    44. Re:Yes/No by Yvanhoe · · Score: 1

      Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected.

      That is indeed still a problem, but an order of magnitude lower than credit card numbers which really have no reasons to be stored once the transaction is finished.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    45. Re:Yes/No by Vancorps · · Score: 1

      Yeah, it's tough finding a balance. Your users have to of course be able to use the system and they have their own requirements for the system. My particular problem is that the big wigs like to just say yes whenever a mid-level big wig asks for something even if it conflicts with corporate policy. As a result I end up creating a separate less secure network for them and rely on full-disk encryption to make sure that theft of their laptop won't result in any data theft. My database is nice and protected but spreadsheets that the CFO creates while he's at home are a lot more difficult to secure, that is of course the reason for full disk encryption.

      I think I've done a great job of maintaining proper security and it's only getting better as I get more skilled and as my budget increases. My budget increased a significant digit or two recently so that has allowed me to get the right tools to automate a lot.

      My strategy is to deploy one thing at a time while testing multiple other projects. One week deploy one project, if successful test deployment for next project and deploy the following week. So far it's been successful as I've not had any unplanned downtime and very little planned downtime as technologies like DFS let me change file-servers on the fly.

    46. Re:Yes/No by ChrisA90278 · · Score: 1

      Some companies really do need to keep data for a long time. Banks, insurance, lenders and so on. But maybe even toy companies too. How are they to notify you if they need to recall a product? Maybe that baby toy was found to contain lead based paint?

      It is easy to justify keeping data but un-encrypted data on a notebook computer? That is almost the same thing as if an engineer designs a building and gets the structural calculations wrong and it falls down. He's liable.

    47. Re:Yes/No by 5KVGhost · · Score: 1

      Of course not. Huge corporations don't have any real problem complying with Sarbanes-Oxley. They can absorb it as the cost of doing business. Smaller businesses, on the other hand, can't afford it. So they either skate along on the edge of compliance, go out of business, or sell out to someone with the necessary fleets of lawyers and accountants.

      It's a myth that large corporate interests fear regulation -- big corporations thrive on regulations. The more regulations you impose, and the more complex they become, the fewer businesses will be able (or willing) to comply. Which is great, as far as the big fish are concerned, because some of those guys may have eventually grown into competitors. Our current regulatory scheme is a really good environment for breeding large corporations and killing off smaller corporations that threaten their interests. That is what you want, right?

    48. Re:Yes/No by Anonymous Coward · · Score: 1, Insightful

      Personally I think the government and law enforcement should take Identity Theft a lot more seriously, with major penalties against these fraudulent jerks.

      They have less to worry about. I'm sure they keep a separate, and better protected (read: more expensive to get a hold of), database on government and law enforcement entities. And amidst all this wiretapping, mail-reading, internet-snooping, etc., it's a safe bet that this 'stolen' information is turning up in theirs or the highest bidder's hands.

      Why it would be on a flippin LAPTOP I have no idea

      You can't very well hand over giant servers rigged with a secure encrypted database, can you? You have to copy it all down on a laptop for convenience.

      Like the GP wrote, if you want to stop them from 'losing' your personal information then they can't be storing it. Either that or it needs some serious open regulation by the people who are supposed to be watching them, not the other way around. /tinfoil

    49. Re:Yes/No by Pig+Hogger · · Score: 1

      I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting.

      And what utility does personal information (Name, SSN) have for statistical analysis???

    50. Re:Yes/No by Binder · · Score: 1

      Certainly.. IF a company decides to collect personal data THEN they should be required to protect said information.

    51. Re:Yes/No by Sylver+Dragon · · Score: 1

      It's a good start, but it seems that it hasn't been working. If Best Western can manage to have info on 8 million credit cards on a laptop not encrypted, the system's broke. Companies dealing with CC data, and especially Social Security data should be downright paranoid about losing it. And that won't happen until the danger of punishment for losing it is far higher than the cost of securing it.

      Like most things in the business world, it comes down to a cost/benefit analysis. If a CTO looks at the cost of securing their system, and sees a large number; and conversely looks at the possible cost of a security breach and sees a small number; they will never secure the system. So, we have to change the equation. Make it such that when they look at the possible cost of a breach the number is in the ridiculous range. Jail time would just be icing on the cake.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    52. Re:Yes/No by mpe · · Score: 1

      I've got a better idea. Ban the collection of personal information beyond the time required for the transaction.

      Which may well mean that it doesn't need to be stored in the first place.

      I don't buy it that companies somehow need to store all this info on people, especially years after the transaction has occurred.

      In many such cases the data collected is of little value to the company concerned. It's only of great value to criminals.

    53. Re:Yes/No by careykohl · · Score: 1

      I've got an even better idea. Fine them $1000 for every ID they umm... misplace. 8 million x $1000 = I bet they implement some safeguards to keep it from happening again pretty damn quick

    54. Re:Yes/No by mpe · · Score: 1

      I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you

      Assuming that "contacting you" doesn't result in you avoiding doing business in future. The whole point of a "store" is that customers will generally come there if they want to buy something.

      but I think they should get rid of your credit card info after X days/weeks.

      Once the transaction is complete then they have no need to keep the credit card details at all.

    55. Re:Yes/No by mpe · · Score: 2, Interesting

      Nobody needs to store SSN's except the government that issues them. The fact that people made the MISTAKE of standardizing on SSN's as primary keys for users to begin with is their own fault.

      It's also rather daft since it complicates matters if they need to deal with customers who don't have SSNs, e.g. corporations.

      Mainly because SSN's are horrible primary keys since they REPEAT!!! Yes look it up... they DO get reissued after death and with longterm storage, this will only cause issues for storage of personal data.

      The reissuing might have some interesting effects if someone's estate took a long time to be sorted out :)

    56. Re:Yes/No by arminw · · Score: 2, Interesting

      ...Nobody needs to store SSN's except the government that issues them...

      Tell that to your friendly DMV who are now mandated to collect this information by the federal government. It so happens that in any computerized database, a unique record identifier is needed. For any database that could contain information of potentially anyone in any state, the SSN is more likely to be unique than any other number currently assigned to nearly everyone.

      Instead of making the legitimate owner of the identity responsible for fraud committed in their name, the financial institution should bear the fraud loss. This would give them an incentive to carefully check the information given by the fraudster. This is essentially the case with credit card fraud today. The legitimate cardholder is essentially not responsible for fraud committed in their name. In spite of this, credit card companies and banks are doing quite well, thank you.

      --
      All theory is gray
    57. Re:Yes/No by mpe · · Score: 1

      I can understand why a hotel would want to keep my information on file for a short while, say a week or two to assure that I've been charged for my visit,

      Only if the hotel is using some sort of offline batch system for processing credit card transactions. (Or they still use those carbon paper press things.) If the guest has managed to use a stolen card then the hotel having a record of those card details isn't going to be much help anyway.

      or held responsible if I happened to break a lamp or a window

      Unless someone checks the room when you leave or at least before the next guest turns up how are they going to know who to charge?

    58. Re:Yes/No by mpe · · Score: 1

      How about tracking progress of a product line. They see that while a product is still selling strongly they may find that some areas are stopping and spreading, thus time to change the product or offer services to extend the product. Or change the shipment quantities around so one location isn't overstocked and the other has a stock out.

      In which case the kind of information you are most likely to need is that related to your stock. Together with details related to your distribution system. Whilst some kind of statistical information about your customers might be useful, it's hard to see how individual customer details are going to be of any possible use. Unless you have such a small number of customers that each one is likely to account for a substantial portion of your business.

    59. Re:Yes/No by jd · · Score: 2, Insightful

      Yes, and often far more data is held than is necessary. Also, if you subscribe to the notions of grid computing and cloud computing, why store the data at all? All you need to do is tell an authorized holder of the data what operation you wish to perform, and get the results, entirely black-box. You need never see the data at all.

      In terms of liability, I would argue that the rule should be a generic one: if you assume control of data, you assume responsibility for that data - its accuracy, its security and its legitimacy. The distinction should come in the degree of reasonableness. It is reasonable for a non-mathematical corporation to trust RSA and Elliptic Curve public-key encryption, AES and the SHA-256, Tiger and Whirlpool cryptographic hashes. It is not reasonable for any corporation to trust unencrypted and unsigned sources - they wouldn't trust unsigned paperwork and physical signatures are easier to forge. Organizations which can be reasonably assumed to be aware of security bulletins, the assorted cryptographic lounges and other such sources should be held to the higher standard of being expected to discontinue additional use of vulnerable methods with a migration of legacy data in circulation within a sensible period.

      It is never reasonable to hold data a corporation cannot use in future, cannot be sure is authentic or accurate, and/or cannot be sure is serving any legitimate purpose on the system. Since there is no excuse to hold such data, there is less of an excuse to lose it. You can't lose what you don't have, so any loss of such data - regardless of method - can never be passed off as unavoidable. It was easily avoidable. Don't keep such data. Likewise, if an individual within that corporation is provided access to information they didn't actually need, and that data is subsequently lost as a result, that should be an automatic crime even if every precaution was taken, simply because it was an unnecessary gamble and therefore not entitled to any protection or justification.

      Data that is accurate, legitimate and in active use should be considered as highly sensitive, and companies that do not treat the data with the respect and maturity they are capable of and for which the data is deserving should find themselves less in hot water than boiling oil. Like I said earlier, this depends on what the company can be regarded as being aware of. All companies can be deemed aware of published security patches, common security software (Tripwire, RSA and PGP are hardly obscure!) and software equivalents of practices already in place for physical documents. Government (including military and veterans affairs) and computationally advanced organizations, as I said, should be aware of relatively mainstream peer-reviewed discoveries, not just pre-packaged solutions, and should also be aware of vulnerability scanners (Nessus, nCircle, SARA/TARA, and so on) and advanced access controls, where the size and type of organization is going to dictate what sort of preventative measures are cost-effective.

      Where a company falls below what can reasonably be expected of it, and loses data, that's boiling oil time. Where a company meets or exceeds a rational, sane level of protection and still loses data it needed to have, it should still be responsible for contributing towards cleaning up the mess (same as you would in a truly no-fault car accident) but shouldn't be punished for what was beyond its abilities to deal with. (That "needed to have" qualifier really is important.)

      If a company deliberately places data in a dangerously exposed context (e.g. pushing personal data onto insecure systems overseas to avoid any national laws on data security), then they deserve not only the boiling oil treatment but a loss of right to operate. Dodging the law or evading responsibility is not a helpful way to tackle data insecurity, even if it looks like a cheap way to solve the problem for the company.

      To those who argue that this is a slippery slope, I'd say that reasonable conduct can never be a slope, nor can it be slippery. If anything, it is a great leveler and a superb provider of grip and balance.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    60. Re:Yes/No by penix1 · · Score: 1

      That is not something you do over the phone! What is wrong with you?!?! Ever hear about phishing? You make them come into the office, provide identification and in the scenario you suggested, a death certificate, and work it in the office.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    61. Re:Yes/No by hedwards · · Score: 1

      I can sort of understand when a cracker manages to break into the network and get information that way. Crackers have the upper hand to some extent. It'll happen eventually.

      But what I really don't understand is why there are all these thumbdrives, cdroms and similar with people's account details sitting on them. Often times unencrypted, but in a format which is easy to misplace or substitute while the holder is not looking.

      The information should not under any circumstance be going some place where a solid VPN and full disk encryption can't protect it. And it should be very much out of the ordinary for that information to be used anywhere beyond the reach of the corporate network's internal infrastructure.

      Sure there are things like insurance claims where the records have to be removed, but why for god's sake does it have to require more than a couple dozen records to do?

    62. Re:Yes/No by Anonymous Coward · · Score: 0

      What about a crime happening years later, and the trail led investigators to that particular location (i.e. hotel, restaurant, etc.), then upon a records search found the person frequented the establishment several times during the time-frame of said crime...? Especially in a murder or missing persons case, these kinds of records can come in very handy for following certain leads. I agree, that there's a limit to transactions and such, like a photo record of each transaction (including time of transaction, what customer paid with (cash, credit), a signature of the transaction (from customer) and pertinent information (what customer ordered/which room, how long patron stayed/ate)). To be honest, the only reason for this to be done is to stop credit card fraud, and to keep tabs on activities of patrons for up to 5 years, and in some states 7 years.

      A few years ago, I worked for a delicatessen near me, and they were told by county officials to keep the record of patron orders and payments for 7 years. They were in business for only about 2 years, but I was there for 18 months, and they STILL have information on me, the other employees and all of their transactions -- not only for tax purposes, but by keeping these records, any investigator could request the records of my employment and see I was eligible for unemployment payments. It's been over 4 years, but they still have those records.

      I guess it depends, but they did not have an IT department, nor did they have any IT personnel--they did it all themselves.

    63. Re:Yes/No by hedwards · · Score: 2, Insightful

      Since a state-issued ID is considered to be valid identification for the federal government, and the federal government uses SSNs to identify people, it seems fine to me that they'd use that information.

      If one is going to be using it to board a plane, as identification for a passport, to register to vote in federal elections, it seems fair to me for the federal government to expect that state issued IDs are going to be recorded against the SSNs.

    64. Re:Yes/No by Anonymous Coward · · Score: 0

      Security is all about risk reduction. In this case it seems a user was involved, and the only thing you can do with stupid users is to get rid of them... but you may get sued for wrongful dismissal. You can't win.

    65. Re:Yes/No by kannibal_klown · · Score: 1

      That is not something you do over the phone! What is wrong with you?!?! Ever hear about phishing? You make them come into the office, provide identification and in the scenario you suggested, a death certificate, and work it in the office.

      My first line:
      Sample scenario of face-to-face between widow and life insurance agent, using your logic.

      Granted, I'll give you that my opening Widow line sounded a little like a phone call. It was meant to be her talking to an agent face to face. With only relying on account numbers we run into problems.

    66. Re:Yes/No by kannibal_klown · · Score: 1

      I'll admit my "retail" experience is limited to what few years I worked behind a register years ago...

      But I'd imagine an online store (and its customer) could benefit from keeping the transaction record (with CC number) for a few weeks if only to handle Returns and Refunds.

      I.e., the (usual) 30-day return policy some stores have. It would make refunding everything a little easier. It would be less back-and-forth; the store could initiate the refund without having to ask you "OK, please give me the credit card number ending in wxyz."

      Beyond that, maybe something to do with them handling a "stolen credit card report" if it came a few days after a fraudulent purchase.

      But that should be it. They shouldn't be permanently archiving these things or keeping them for months on end.

    67. Re:Yes/No by ps2os2 · · Score: 1

      I used to work for a company that processed sales-type data from quite a few stores. By the time we got the data there was *NO* way to associate what any one seller bought. In turn we sold the summary output to various companies so they could get an idea of how well a sales ad worked, or some other thing like a cut in price in any specific market. The most *ANYONE* could get out of any reports we sold were number of items, which store, price, date.
      In the above picture there (IMO) is nothing wrong in collecting that type of data. Where I do agree is if somehow you can identify the item sold and to whom. Stores are doing just this when you use the store card (for a discount); what you give up is privacy. Personally I have never worried about groceries; it's the "other" items that would upset me.
       

    68. Re:Yes/No by ps2os2 · · Score: 1

      Quite a few companies (and hospitals) do this. Today I was visiting one of my *MANY* doctors and while I was sitting there he called up and reserved a procedure time for me and gave (the hospital) my name and social security number. Also, if I am not mistaken the Army does this (all military services as well). I am pretty sure the IRS and probably the SS (chuckle). The company I used to work for did this (but was told to scrap it).
      It is quite common.

    69. Re:Yes/No by ps2os2 · · Score: 1

      It is not so much required as it is easy to find. Once upon a time, before computers, probably everything was stored alphabetically. Once it was determined that it would be easier to do a search on a set of numbers, everyone had their own customer number. That sort of worked well until it was discovered that people tended to forget 50 eight-digit (or so) numbers. That, plus people in the "old" days were basically honest; once honesty went out, the SS# was a disaster waiting to happen.
       

    70. Re:Yes/No by Dan541 · · Score: 1

      And those people should NEVER be allowed to use a computer for work purposes ever again.

      Next time you see someone do that give them a good smack in the head on behalf of all the customers. Unless they are competent with encryption they should not even be using laptops for work.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    71. Re:Yes/No by Zironic · · Score: 1

      Why would the data needed for the distributed warehouse system ever need to leave the central server? If you want to give the data to various consultants to perform optimisations, it would make a lot more sense to anonymize it before you put it on a freakin' laptop.

      Only the server needs the real data.

      In your example of deciding where to grow, it would be pathetically easy to just export the addresses with the numbers stripped out (I seriously doubt you need higher accuracy than per street) together with generated keys.

      On your questions: if you reported it was secure to the CEO when in fact it wasn't, you're liable; if you reported that it's insecure to the CEO and he didn't tell you to fix it, he's liable.
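The export the comment above describes (house numbers stripped, real customer ids replaced by generated keys, the key map never leaving the server), written out as an added example. This is not code from the page or from any commenter; the customer records are constructed, the address layout "number street, town" is an assumption, and the field names are hypothetical. The tokens are random rather than derived from the customer id, so a consultant holding the laptop copy cannot recompute the link; the check runs before anything is copied off the server.

```python
import re
import secrets

# Constructed sample records (fictitious people and addresses), embedded so the
# example runs offline; not data from the page.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "address": "221B Baker Street, London", "orders": 14},
    {"customer_id": 1002, "name": "Bob Example", "address": "12-14 High Street, Bristol", "orders": 3},
    {"customer_id": 1003, "name": "Carol Example", "address": "7 Baker Street, London", "orders": 9},
]

# Leading house number (optional range or letter suffix) followed by whitespace.
# Assumption: addresses look like "<number> <street>, <town>"; other layouts
# are left unchanged and are caught by the leak check below only if they
# still begin with digits.
HOUSE_NUMBER = re.compile(r"^\s*\d+(?:-\d+)?[A-Za-z]?\s+")

# Fields that must never appear in the copy that leaves the server.
DIRECT_IDENTIFIERS = {"customer_id", "name", "address"}


def strip_house_number(address: str) -> str:
    """Reduce an address to street level: '221B Baker Street, London' -> 'Baker Street, London'."""
    return HOUSE_NUMBER.sub("", address, count=1)


def pseudonymize(records):
    """Build the laptop-safe export and the server-only key map.

    Each row gets a random token from secrets, not a hash of the customer id,
    so nobody without the key map can recompute the link. The export keeps
    only the analytic fields plus the street-level location.
    """
    key_map = {}
    export = []
    for rec in records:
        token = secrets.token_hex(16)
        while token in key_map:          # collisions are vanishingly unlikely; keep tokens unique anyway
            token = secrets.token_hex(16)
        key_map[token] = rec["customer_id"]
        export.append({
            "token": token,
            "street": strip_house_number(rec["address"]),
            "orders": rec["orders"],
        })
    return export, key_map


def leaks_direct_identifiers(export) -> bool:
    """Gate to run before the export leaves the server: no direct-identifier
    fields, and no street value that still starts with a house number."""
    for row in export:
        if row.keys() & DIRECT_IDENTIFIERS:
            return True
        if HOUSE_NUMBER.match(row["street"]):
            return True
    return False


def relink(export_row, key_map):
    """Server-side only: map a consultant's result row back to the real customer."""
    return key_map[export_row["token"]]


if __name__ == "__main__":
    export, key_map = pseudonymize(CUSTOMERS)
    assert not leaks_direct_identifiers(export)
    for row in export:
        print(row, "->", relink(row, key_map))
```

The token map is the sensitive artefact here: it is what turns the export back into customer data, so it stays with the full records under the same controls, and the consultant's results come back as token-keyed rows that are relinked on the server.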

    72. Re:Yes/No by Zironic · · Score: 1

      If you really want to use SSN, couldn't you at least make a lossy hash out of it? Then the SSN could be used to find you but the database couldn't be used to find the SSN.

    73. Re:Yes/No by Anonymous Coward · · Score: 0

      Then this also says that these companies should staff sufficiently so that they do not have to task someone so burdened that they must stay long hours or take the data out of the office environment.

      This all speaks volumes to companies deciding to outsource since they can get more labor for less buck over in India.

      Then; when the job is in India, someone there is accessing the American's data remotely over a connection that very likely could be compromised, and there are the privacy practices of the foreign company itself to ponder.

      Slippery slope.

    74. Re:Yes/No by ps2os2 · · Score: 1

      OK, here is my *GUESS* as to why (and it is a GUESS). Way back 40+ years ago, creating such an animal would have been "expensive" in CPU resources (remember, back then CPUs *WERE* expensive). The other part of the issue was people time. Trying to come up with any way to do what you are suggesting might take weeks (or months) to do. Again it is a matter of resources that today are even more expensive. I am not sure what would happen if, say, the SSN were to increase in length to, say, 15 digits. *SO* many programs would have to be rewritten (or at least recompiled) that it would probably take 5 years to implement.
      Plus you have DB issues that would involve many people. I am not trying to say it couldn't be done, just that it would be expensive. Who is going to pay for this? Businesses would be screaming uncle to Uncle Sam. Then what do you do with all the current people? Better minds than mine could have a go at this and might come up with other issues. The SS people never envisioned the chaos that might follow; if they had a clue as to what today's people and environment might be like, heck, they might have come up with a 100-digit number that no one would have been able to remember.

    75. Re:Yes/No by Qzukk · · Score: 1

      such an animal would have been "expensive" for using CPU resources

      If you did it now, with modern "CPU resources" coming up with the less than 999,999,999 possible hashes would be trivial.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
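The two comments above (a "lossy hash" of the SSN, and the reply that every possible hash can be generated trivially) are worth seeing in code. This is an added example, not code from the page or from any commenter. It assumes SSNs are plain 9-digit strings, uses a constructed sample value rather than a real number, and assumes the attacker can narrow the leading digits (as was possible for SSNs issued before the 2011 randomization, when the area number followed the issuing state); with no prefix known, the full space is still only 10**9 hashes, well within reach of a single machine running a native hashing tool. The fix shown is an HMAC under a key that is assumed to live outside the database (an HSM or separate secrets store); per-row salting alone does not help, because whoever has the dump has the salts.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Nine decimal digits: the entire input space a plain hash of an SSN has to hide.
SSN_SPACE = 10 ** 9

# Constructed sample value for the demonstration; not a real SSN.
SAMPLE_SSN = "987654321"


def plain_hash(ssn: str) -> str:
    """The 'lossy hash' proposed in the thread: unkeyed SHA-256 of the digits."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def salted_hash(ssn: str, salt: bytes) -> str:
    """Per-row salt stored next to the digest. Blocks precomputed tables, but an
    attacker holding the database also holds the salt, so enumeration still works."""
    return hashlib.sha256(salt + ssn.encode()).hexdigest()


def keyed_hash(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that never lives in the database (assumption: HSM or
    separate secrets store). Equality lookups still work for anyone holding the key;
    without it the digest cannot be brute-forced over the SSN space."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def ssns_with_prefix(prefix: str) -> Iterable[str]:
    """Enumerate every 9-digit string that starts with prefix. With prefix '' this is
    the whole 10**9 space; each known leading digit divides the work by ten."""
    width = 9 - len(prefix)
    for n in range(10 ** width):
        yield prefix + f"{n:0{width}d}"


def recover(target: str, hasher: Callable[[str], str], candidates: Iterable[str]) -> Optional[str]:
    """Brute-force a stored digest back to the SSN by hashing each candidate."""
    for cand in candidates:
        if hmac.compare_digest(hasher(cand), target):
            return cand
    return None


if __name__ == "__main__":
    known_prefix = SAMPLE_SSN[:5]          # attacker knows area+group: 10**4 candidates left

    print("plain :", recover(plain_hash(SAMPLE_SSN), plain_hash,
                             ssns_with_prefix(known_prefix)))

    salt = b"row-salt-copied-from-the-dump"
    print("salted:", recover(salted_hash(SAMPLE_SSN, salt),
                             lambda s: salted_hash(s, salt),
                             ssns_with_prefix(known_prefix)))

    key = b"key-held-outside-the-database"
    print("keyed :", recover(keyed_hash(SAMPLE_SSN, key),
                             lambda s: keyed_hash(s, b"attacker-guess"),
                             ssns_with_prefix(known_prefix)))
```

The keyed variant only moves the problem, it does not remove it: the HMAC key becomes the secret that must never sit in the same place as the table, and anyone who can call the keyed lookup can still confirm whether a given SSN is present. That is still a large improvement over a plain or salted hash, which an offline attacker with the dump can reverse in full.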
    76. Re:Yes/No by jellomizer · · Score: 1

      Should I build the store on 59th Street West or 59th Street East? The two open spots seem equally attractive. However, there seems to be a statistical correlation that people who live closer to 59th Street East tend to purchase your products more. So if you make it easy for them to walk, or a quicker drive, you may drum up more business.

      You probably have never visited states like Connecticut where, going down a road, you cross million-dollar mansions and then about 1/4 of a mile further you are in the slums. Street information and your actual address to the inch is important.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    77. Re:Yes/No by Zironic · · Score: 1

      I suspect that would be the point where you're meant to stop using your computer and start using common sense. Oh gee, do we build our luxury store in the slum or in the posh quarter.

    78. Re:Yes/No by ps2os2 · · Score: 1

      The new CPUs are entirely different from the old CPUs; it is like comparing a Model T to a 2008 car. Yes, they both go, but how fast, and how differently the "insides" (read: engine) work; the only thing they have in common might be a piston. The newer engines can actually do (millions of) teraflops per second, whereas the old one was lucky to do, say, 1000 a second, and they can do it cheaper. So yes, any hashing method is faster and less expensive to do on modern computers than on the old ones. Oh yes, don't forget disk speed and cost; I do not know the direct comparison, but 96 (or more) percent less might be a good number. Everything has come down in price except maybe human costs. I will leave it to someone else to factor in that cost.

  3. civil not criminal by v(*_*)vvvv · · Score: 4, Interesting

    This would be a great civil class action case, but criminal? The slope is quite slippery, and like previous posters have said, the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

    Of course, some would argue that the banks and lenders behind the whole sub-prime mortgage crisis deserve to be criminally punished for causing a global recession and for the number of lives they've destroyed.

    1. Re:civil not criminal by sm62704 · · Score: 2, Insightful

      the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

      I know a man who was charged with home invasion and attempted murder for breaking into a man's home and trying to kill him with a butcher knife, and plea bargained down to two weeks in the county jail.

      A woman I know spent four months in Dwight Correctional Center for a non-violent drug offense (possession). It seems to me that being careless with thousands of peoples' lives, let alone attempted murder, should carry a far heavier burden than a crime with no victim.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:civil not criminal by Anonymous Coward · · Score: 0

      I guess no one told you that drugs are funding terrorists... and killing kids with harmless-sounding names like 'cheese'.

      Think of the terrorists!
        Think of the children!

    3. Re:civil not criminal by diodeus · · Score: 1

      In the movie The Corporation we learn that corporations have pretty well the same legal rights as people, but they lack the personal responsibility that goes with it.

      Perhaps we should round up all those Best Western hotels and put them in prison.

    4. Re:civil not criminal by CodeBuster · · Score: 1

      Perhaps we should round up all those Best Western hotels and put them in prison.

      Or perhaps we could just turn them into prisons (which would hardly be worse than the present level of accommodations at most locations anyway). That way, we alleviate both prison overcrowding and the horror of Best Western accommodations being inflicted upon the unsuspecting business traveler, killing two birds with one stone.

    5. Re:civil not criminal by Anonymous Coward · · Score: 0

      I don't think it is practical to have criminal liability for an IT worker. Just take for example the case of an admin who has tried to improve security but is prevented from doing so by a limited budget. Ultimately, the responsibility for these things lies with the executives of the company, for which they are duly compensated.
      While criminal charges can be applied to executives (think Enron), they are for committing fraud, etc. - not for incompetence.
      Personally, I think all the execs at Enron should be jailed as if they had committed murder, since they did ruin hundreds of thousands (if not millions) of people's lives. A simple murder seems tame by comparison, but I digress.
      If you are going to create severe penalties that apply directly to IT, then you are going to have to compensate in some way. As is often the case, the arguments for don't consider the dynamics of the situation.
      You may have to give autonomy and money to IT, or substantially raise salaries. After all, there is a big difference between screwing up and getting fired and screwing up and going to jail. Who would want to take the risk of having Bubba for a bedmate for what you are getting paid now?
      There is also a practical matter of application. What about companies that outsource to India (or wherever)? You can't prosecute them, which means if we did start prosecuting staff, there would be an outsourcing wave that made the last one look like a ripple in a pond.

    6. Re:civil not criminal by sm62704 · · Score: 1

      Think of the terrorists' children!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  4. Criminal charges for companies != jail time by religious+freak · · Score: 4, Insightful

    If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

    However, you can (and IMO should) have much stiffer penalties than civil courts allow. When a data security breach is so bad to as harm society itself, it should be prosecuted criminally - this is the doctrine for criminal prosecution of companies. Criminal penalties can range from massive monetary damages, to shutting the entire company down, or forcing changes in management. This is the correct route to go.

    Obviously, if the implication is that the IT workers themselves should be thrown in jail, this is absurd and would cause all kinds of damage, both foreseeable and unintended.

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    1. Re:Criminal charges for companies != jail time by sm62704 · · Score: 3, Insightful

      Freezing a company's assets and disallowing any business for two years would be the equivalent of putting a human in prison for two years. So you could, in fact, "jail" a corporation. You could shield its employees (at least the ones not responsible) by forcing the company to pay them anyway. If it goes bankrupt, well, people go bankrupt after incarceration, why shouldn't businesses?

      Or conversely, put its CEO and Board of Directors in a maximum security prison with the other criminals, many of whom caused far less damage to people, or none at all.

      The thing is, the corporations are deemed too valuable to be punished. THIS is what should change.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Criminal charges for companies != jail time by Anonymous Coward · · Score: 1, Interesting

      Agreed! Corporations have all the benefits of "being a person" and none of the liabilities. If they are convicted of criminal behavior, basically they just pay... and maybe some employees go to jail. The corporation, however, blindly continues on with perhaps a lower quarterly earning that month. Corps are chartered and if we had the guts, they could be un-chartered. Shut down a company for a year and other corps would (hopefully) be terrified. People would lose work, shareholders would freak, but think about it. It wouldn't be long before both those parties held the corporation's feet to the fire.

    3. Re:Criminal charges for companies != jail time by TubeSteak · · Score: 4, Insightful

      If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

      It is tiring that this line of reasoning keeps getting trotted out.
      WTF do you think executive officers are for?

      "The Company" doesn't do anything illegal; the corporate officers & various (vice) presidents are the ones in charge and they have always borne the responsibility of the company's actions.

      --
      [Fuck Beta]
      o0t!
    4. Re:Criminal charges for companies != jail time by Translation+Error · · Score: 1

      Freezing a company's assets and disallowing any business for two years would be the equivalent of putting a human in prison for two years.

      I don't know... that sounds more like the death penalty for a company to me.

      --
      When someone says, "Any fool can see ..." they're usually exactly right.
    5. Re:Criminal charges for companies != jail time by religious+freak · · Score: 1
      Interesting in theory, completely impractical in practice.

      they have always borne the responsibility of the company's actions.

      False. Corporations were constructed ~500 years ago specifically for the purpose of shielding people from personal liability. It unlocked capital for plenty of things that were just too risky if you had exposed everything you owned, everything you've worked for your entire life to being taken because of a mistake.

      Ok, you put these executives in jail for losing data. Who is going to be an executive? What if you could be prosecuted criminally for introducing a bug in the Linux kernel that resulted in death? Would you be a programmer?

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    6. Re:Criminal charges for companies != jail time by jabithew · · Score: 1

      If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

      Wrong, in the US and UK company directors can be jailed for corporate manslaughter and fraud. In other words, if the company releases too much toxin into a water supply and kills someone, the CEO goes to jail.

      --
      All intents and purposes. Not intensive purposes.
    7. Re:Criminal charges for companies != jail time by Fulcrum+of+Evil · · Score: 1

      Corporations were constructed ~500 years ago specifically for the purpose of shielding people from personal liability.

      Financial liability. Officers are criminally liable for their actions, while silent investors (normal stockholders) are shielded.

      Ok, you put these executives in jail for losing data. Who is going to be an executive?

      Someone willing to do the necessary work to make things work right. Besides, you have to prove negligence - armed robbery of a datacenter isn't really covered, while letting some idiot load a customer DB onto a laptop is.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    8. Re:Criminal charges for companies != jail time by Anonymous Coward · · Score: 1, Interesting

      In the UK I think there has only been one successful prosecution, the Lyme Bay canoeist disaster, but that was a 1-man company so it was directly the director's fault. Attempts to prosecute Railtrack directors for train crashes have not gone ahead.

      It's just too hard to establish that a CEO of a multinational with 3,000 employees has done a specific act or omission that makes them personally responsible to the point of criminal liability. This is especially the case in areas like industrial chemical engineering which the CEO may have no qualifications or involvement in.

      Unless you find a "smoking gun" memo saying "I'm a greedy bastard, so please cut back on vital safety equipment: it doesn't matter if people die because I want to increase my bonus" you can't really connect anything done by the board to people's death. Not in a way that is direct enough to justify equating the board with a gang of Mafia bosses who arrange to have their enemies shot.

      Even lawyers think it is a bit tenuous to argue "well, this divisional profit target was a bit challenging so it was effectively inevitable that low level supervisor Joe Smith would disable a piece of safety equipment in violation of the company's written procedures manual, please send the CEO to jail for ten years".

      It's no good just identifying someone and threatening them unless that person can really respond effectively to that threat. What do you want the techno-clueless CEO to do? Send a memo to the IT department saying "please please please don't lose any data or I'll go to jail"? Spend a lot on high-price consultants?

      In any event discussion on this topic invariably falls into the /. trap of assuming the only goal of security is confidentiality. People also need to access the data in order to fulfil tax, audit and general business requirements. Balancing these requirements is not a solved problem and until it is, I don't see that criminal penalties will help.

    9. Re:Criminal charges for companies != jail time by RevMike · · Score: 2, Informative

      Not only is it the death penalty, it will drive other corps out of the United States. The economic impact would be far far greater than the damage caused by the underlying crime.

      Imagine, if you would, that a mid sized wall street bank was subject to this law. Say Credit Suisse is shut down because of a breach. That might be 20,000 or 30,000 jobs lost directly right there.

      How long would it take before Citibank, JPMorgan Chase, Morgan Stanley, Deutsche Bank, Lehman Brothers, Merrill Lynch, and Goldman Sachs all flee to London and Tokyo? That is probably another million jobs right there.

      Then consider the people who are indirectly affected. The construction workers who were about to put an addition on the home of a now unemployed worker. The people who serve lunch near the corporate headquarters of these companies. etc. All told we are now looking at 6 million jobs total.

      Next consider the fact that it will be very hard for a business to get a loan or sell stock in the United States, since there is a very high risk that the company could be shut down. Tens of thousands of businesses dry up. Now we are talking a loss of thirty to forty million jobs.

      No. Prosecuting a company for anything but the most egregious acts doesn't make any sense at all. That isn't to say that making executives more liable doesn't make sense, but prosecuting companies willy-nilly is a bad idea.

    10. Re:Criminal charges for companies != jail time by religious+freak · · Score: 1

      Officers are criminally liable for their actions

      This is actually a relatively new phenomenon (and I happen to agree with it). The "shield" between corporation and executive has been steadily less powerful over the past few decades.

      I agree that willful, wanton negligence should be punishable by targeting the executives (think: misstating financials, squandering company money, etc)... but could you really hold an executive liable for something like a data center breach?

      Wouldn't that just encourage massive cover-ups of customer theft, coming down like a hammer on any screw-ups on the part of IT folks for minor mistakes (think they won't fire you on the spot if their ass is on the line?), and a competitive disadvantage for data centers operating in the US?

      Yes, this argument has emotional appeal, but I still maintain that, in the end it's unworkable from a practical standpoint.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    11. Re:Criminal charges for companies != jail time by religious+freak · · Score: 1

      I've never seen this... not that I'm doubting you, I very well could be unaware of this type of action, esp as it relates to the UK. Do you have a source?

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    12. Re:Criminal charges for companies != jail time by Fulcrum+of+Evil · · Score: 1

      could you really hold an executive liable for something like a data center breach?

      Sure, if you can demonstrate that their policies made the breach inevitable. I'm not suggesting that every mistake be punished, only the ones born of negligence.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    13. Re:Criminal charges for companies != jail time by Tim+C · · Score: 1

      The problem with that is that if the company fails, you inadvertently punish a number of people who had nothing to do with the crime. That happens with normal crime too, when you jail someone and their friends and relatives lose them for that time, but that doesn't generally affect their livelihoods.

      Why should even criminal negligence on the part of maybe a handful of employees potentially mean that everyone else employed by the company loses their jobs too?

    14. Re:Criminal charges for companies != jail time by Anonymous Coward · · Score: 0

      Prosecuting a company for anything but the most egregious acts doesn't make any sense at all.

      I think your opinion shows only that -- your opinion. For many people, ethics are not monetizable.

    15. Re:Criminal charges for companies != jail time by arminw · · Score: 1

      ....So you could, in fact, "jail" a corporation.....

      I am reasonably sure that you would not advocate this if the company involved were one of which you are a significant, or even not such a significant, stockholder. The very purpose of a legal structure such as the corporation is to limit the liability of the owners. Even if you are not a direct stockholder of such a corporation, your pension or retirement fund might be. It is always easy to advocate goring the neighbor's ox.

      --
      All theory is gray
    16. Re:Criminal charges for companies != jail time by arminw · · Score: 1

      .....shareholders would freak....

      Most likely so would you if you happen to be a shareholder.

      --
      All theory is gray
    17. Re:Criminal charges for companies != jail time by Dan541 · · Score: 1

      If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.
       

      but, it was a person who had the laptop stolen from their car.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    18. Re:Criminal charges for companies != jail time by Anonymous Coward · · Score: 0

      HA! Very easy to say as detached as you think you are from the situation. Do you use gasoline (terrorists)? Do you watch porn (low self esteem chicks)? Do you shop at Wal-mart (child labor)?

      Ethics are certainly able to be monetized, in most cases. You just don't want to admit it.

    19. Re:Criminal charges for companies != jail time by sm62704 · · Score: 1

      No different than a man sent to prison for fraud who is murdered by another inmate.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  5. Well by Anonymous Coward · · Score: 0

    I'm reminded of what that guy from Jurassic Park said: 'I don't blame people for their mistakes, but I do ask they pay for them.'

  6. Self reporting of a felony would not happen by frith01 · · Score: 5, Insightful

    You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.

    [ Why would anyone report a data breach when that means they would face jail time ? ]

    Remember, the odds of an external entity finding out about the data breach is extremely small (except for the ones taking the data of course ).

    1. Re:Self reporting of a felony would not happen by MozeeToby · · Score: 2, Interesting

      Easy, make the penalty dependent upon the company's handling of the situation. If the company comes clean the penalty is X dollars per victim. If the company attempts to hide the situation the penalty is 100 * X dollars per victim.

    2. Re:Self reporting of a felony would not happen by sampson7 · · Score: 4, Informative

      I completely disagree with your assertion that a company would not self-report. As a compliance officer with a major international corp (albeit in a different field), we are often faced with the difficult question of whether to self-report a potential violation. We are generally faced with three options when a potential violation arises:

      1. Self-report the violation, fix the problem/install appropriate controls, get the "credit" for active compliance, take the medicine and move on.

      2. Document the potential violation internally, fix the problem/install the appropriate controls, establish the paper record documenting the potential violation, but explaining why it is arguably not a violation or that there is no affirmative duty to self-report.

      3. Actively attempt to conceal the violation or ignore a clear legal requirement to self-report.

      Pop quiz! Which of these three "options" could lead to massive fines by the appropriate governmental regulator, share-holder lawsuits, top managers being fired and even the destruction of your company?

      Anybody who thinks a potential release of information could not bite you in the ass needs to imagine the type of risk/reward analysis the company goes through. I can easily envision the following scenario. Company loses critical personal information. Company actively hides the loss and/or actively ignores legal obligation to self-report. The thief attempts to use the stolen credit card numbers/whatever. Thief is caught. Thief tells police where he acquired the information. Police investigate the breach. Internal emails/IMs reveal that the company knew about the breach but did nothing. Company faces multiple class action lawsuits from: (1) the people harmed by the breach of their personal information; and (2) shareholders who should have been informed in the quarterly SEC-required disclosures that the Company faced a potential liability.

      Now some fly-by-night company might reach a different cost-benefit analysis. But any large company should immediately recognize the potential harm of trying to cover something like this up. When you're talking about a bank or large medical company? Would you as CEO or internal compliance officer risk millions or even billions on something that is so likely to be discovered? Even if the chances are 10,000-to-1 against the breach ever coming to light? Frankly, the rewards are simply not worth the risk.

    3. Re:Self reporting of a felony would not happen by nine-times · · Score: 1

      That just motivates them to either cover it up really well, or else maintain some level of plausible deniability. You just can't make something illegal with a stiff penalty and then expect that people will come forward and report themselves.

    4. Re:Self reporting of a felony would not happen by MozeeToby · · Score: 1

      Ok then make the fine for a coverup 1000 * X, or 1000000 * X. Eventually the risk outweighs the rewards.

    5. Re:Self reporting of a felony would not happen by whoever57 · · Score: 1

      You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.

      What value is there in the reporting these days? Is there anyone in the USA today who has not received a letter saying that their personal data has been compromised? I suspect that those reports are about as valuable as California's cancer warnings that appear everywhere.

      Anyway, I think that your original question presents a false dichotomy. It's quite possible to provide anonymous means to allow employees to report the data breach and to provide much harsher penalties for unreported data breaches.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Self reporting of a felony would not happen by Anonymous Coward · · Score: 0

      Pop quiz! Which of these three "options" could lead to massive fines by the appropriate governmental regulator, shareholder lawsuits, top managers being fired and even the destruction of your company?

      So that would be option #1 then..? Because the other two are the only options I've seen employed by any major corp for as long as memory serves.

    7. Re:Self reporting of a felony would not happen by turbidostato · · Score: 1

      "Would you as CEO or internal compliance officer risk millions or even billions on something that is so likely to become discovered? Even if the chances are 10,000-to-1 against the breach ever coming to light? Frankly, the rewards are simply not worth the risk."

      And then comes the reality check: just ask Enron executive officers.

    8. Re:Self reporting of a felony would not happen by arminw · · Score: 1

      ...Eventually the risk outweighs the rewards....

      It has been established long ago that the surety of getting caught deters crime, not the severity of punishment. If you make a fine or punishment really, really big, then possible violators will go to great lengths to ensure that they do not get caught.

      If the punishment exceeded the value of the data to the corporation, they could just dispose of all data and then face their accusers with "What data, we don't have no stinkin' data?". The accusers now would have the problem of tying the company to the stolen data.

      --
      All theory is gray
  7. Hard to say by Anonymous Coward · · Score: 2, Insightful

    Almost any system can be hacked by someone sooner or later. If a crack was found in SSH that allowed a root shell, would the person responsible for the code be held responsible? Or the guy who admins the server?

    1. Re:Hard to say by hairyfeet · · Score: 4, Insightful

      The problem ISN'T hackers and thieves, the problem is rampant King Kong sized stupidity. How about we only bust them for gross negligence? Let's face it, it is these morons that have thousands of customer records on unencrypted laptops, or leave an unencrypted backup tape sitting in the parking lot in their car, or the idiots at my local phone company who put a bunch of machines on the curb without bothering to wipe the drives first.

      I think we can all agree that there is a BIG difference between taking precautions and getting hacked and these brain trusts that don't even bother to show even the tiniest bit of common sense. We need to have penalties for the ones that don't even bother to try, otherwise why would they spend the money on security when they aren't really going to be punished when they screw everybody? And I agree with the earlier poster that there needs to be a time limit for most of this stuff. While a previous poster used the example of an insurance company, the simple fact is there are way too many companies that hang onto every scrap of information that comes their way for years. We should come up with a set of criteria that has to be met before you are allowed to keep data for longer than the transaction requires. But as always this is my 02c, YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:Hard to say by MobileTatsu-NJG · · Score: 1

      Almost any system can be hacked by someone sooner or later. If a crack was found in SSH that allowed a root shell, would the person responsible for the code be held responsible? Or the guy who admins the server?

      I personally blame the guy who set out to intentionally steal data like that. It's not like a faulty SSH could be interpreted as a welcome invitation to come in and take what you want.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:Hard to say by Anonymous Coward · · Score: 0

      We need to have penalties for the ones that don't even bother to try

      Well. So much for the marketing department . . .

    4. Re:Hard to say by Anonymous Coward · · Score: 0

      I knew there would be at least ONE person with my perspective. It's not just about the data security. Just like the TSA laptop, you know what, you want to leave that in an unsecured area with no encryption, someone needs to be legally liable, and there should be fines involved. Not this "we're going to fine you and the government gets the money" crap; we're going to fine you X amount of dollars, so all these people who you violated can take the appropriate steps to lock that down.

      Now if you have done your part, you have security in place, you don't let the janitor surf your network with his laptop, and a person or people actively went after the data through your locks, then that's one thing. But you want to throw my info in your dumpster, or be a complete tool, it's time to pay up.

    5. Re:Hard to say by hairyfeet · · Score: 1

      EXACTLY!!! I have no desire to punish the IT guy who put strong passwords in place, locked his network down as best he could (even if he doesn't know a lot about security at least he tried) and still got hacked. What I want to see happen is these total idiots that treat credit card numbers and folks' identities without even the slightest bit of care or diligence get hefty fines and maybe even some jail time.

      Let me give an example I ran across about a year ago, just to show the kind of carelessness and blatant stupidity I'm talking about. A friend of mine was driving down the road one pretty Sunday when he notices a pile of computers and monitors left out by the trash, just waiting to be picked up. Since he knew that I worked on computers and had his die recently he picked them up in the hopes I could get one of them running for him. Well it turned out they were all running 1.3-2.0GHz with perfectly fine 19in Viewsonic monitors and WinXP Pro Operating Systems. As I'm sure you can guess by the fact that they all had running XP Pro installations nobody had even bothered to wipe the machines before they had tossed them to the curb. I'm guessing because they were all in the 5-7 year age range they simply got new ones. Of course all the data, customer records, CC NUMBERS, etc. was all there for anyone to see. Lucky for them I am an honest man and I simply did a full wipe and reinstall, but any criminal would have had a field day, and all they would have had to do is simply open the trunk of their car and help themselves.

      Now I have no desire to punish some IT guy for getting hit with a JavaScript or Flash zero-day exploit. But pure stupidity like throwing running machines out to the curb without bothering to even do a simple wipe on the drives? Yeah they should get a nasty fine and the idiot that did that ought to look at a couple of months in jail. If you read the news a good 75-85% of these huge losses of identities are not caused by some master hacker, it is simply some company not bothering to use even the tiniest amount of common sense. Hell a buddy of mine bought a whole bunch of used SCSI drives off eBay last year and damned if about half of them still contained customer data! Like nobody is going to notice when they plug in their new drive to see if it works that there are files and folders sitting there! But as always this is my 02c, YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
  8. Yes by sm62704 · · Score: 4, Insightful

    Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

    There should also be, upon conviction in criminal court, monetary redress for the poor slobs whose data was compromised, and it should be a LOT more than it cost the compromised person. Say, enough to buy a new car.

    Why can't we have the death penalty for corporations? The standard answer is "all those people who get thrown out of work", but there IS a death penalty for corporations; ENRON suffered the death penalty, but the people in charge (at least the ones that didn't go to prison) suffered no penalty at all.

    How about a "death penalty" where the victims are given the company itself?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:Yes by nasor · · Score: 1

      Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

      Although I can appreciate the sentiment behind this, I think a better solution would be for companies to stop pretending that something like a social security number can act as a magic password that magically proves people are who they claim to be on a credit card or cell phone application. Then it wouldn't particularly matter if our "personal information" gets out.

    2. Re:Yes by moderatorrater · · Score: 1

      That reminds me of when Bart owned a factory downtown, which made Frank Grimes hate Homer even more.

      Is this the fate you wish to subject me to?

    3. Re:Yes by Anonymous Coward · · Score: 0

      What's that smell... Ahhhhhhhh /. socialism.

      Nothing quite like it in the whole world

    4. Re:Yes by Anonymous Coward · · Score: 0

      If you could get actual damages instead of vouchers and coupons it would be an absolute miracle. The problem is that the only people who get cash from class actions are the lawyers who are *supposed* to be representing the class. All the companies do is determine if they can win. If not, they determine how much money it will take to settle and make the lawyers go away. The class gets fucked every time.

    5. Re:Yes by ArsonSmith · · Score: 1

      Of course pointing at the problem and solving it are completely different tasks.

      What fool proof identification system do you propose?

      I've always figured going with all three identifying items.

      1) Something you have. (IE the credit card)
      2) Something you know. (IE the PIN number)
      3) Something you are. (IE fingerprint, retina scan, DNA, etc)

      1 & 2 can easily enough be changed or updated if a breach happens, 3 is something you can always have verified by some kind of identification authority.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    6. Re:Yes by nasor · · Score: 1

      I don't know of any fool-proof identification schemes, but "Ah, you know a social security number, so CLEARLY you are the person who that social security number belongs to!" is about as idiotic as you can get.

    7. Re:Yes by Anonymous Coward · · Score: 0

      Question one. What happens to the people who own stocks in the corporation?

      Question two. How many lawmakers own lots of stock in corporations?

    8. Re:Yes by sm62704 · · Score: 1

      What's that smell... Ahhhhhhhh /. sociopathic anarchy.

      Nothing quite like it in the whole world. If you harm me, you should make good on your damage to me. That's what government is for -- to protect me from sociopathic anarchists like you.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    9. Re:Yes by mstahl · · Score: 1

      How about a "death penalty" where the victims are given the company itself?

      What would they do with it?

    10. Re:Yes by David+Gerard · · Score: 1

      It's such a pity they do it using people with a different personality disorder ...

      --
      http://rocknerd.co.uk
    11. Re:Yes by Cro+Magnon · · Score: 1

      Sell its information?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    12. Re:Yes by whoever57 · · Score: 1

      Why can't we have the death penalty for corporations? The standard answer is "all those people who get thrown out of work"

      The death penalty could be implemented by transferring all the corporation's assets to the non-executive employees.

      --
      The real "Libtards" are the Libertarians!
    13. Re:Yes by lgw · · Score: 1

      Biometrics are fail. Never use a password that you can't change. Even the second Back to the Future movie figured this one out: "Thumb bandits strike again" ran the headline.

      ATM cards are a great example of doing it right. You need both the card and the PIN, and it's fine that there are only a few bits in the PIN because retries are so limited. Of course, the system needs to allow for the fact that PINs can be stolen too, with easy repudiation.

      We need a similar system for opening an account in the first place. As the opening of an account is often the first contact with a business, you need a third party that can verify a password.

      The SS# is fine for a username - we need a nation-wide ID number and that's the number we have. The problem is it gets mistaken for a password. A government (or some other third party) service that allows you to create and easily change a PIN, and allows a business to validate that PIN, and requires security audits of businesses to be eligible for the system (no storing that PIN ever), would solve the problem.

      tl;dr: we need to add a password to account creation.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:Yes by lgw · · Score: 1

      Wow, I really can't type today. Damn slashcode and its lack of ability to edit comments. And its ridiculous posting speed limits.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    15. Re:Yes by oyenstikker · · Score: 3, Insightful

      Won't fly. The shareholders will then claim to be victims as well.

      --
      The masses are the crack whores of religion.
    16. Re:Yes by Qzukk · · Score: 1

      Ahhhhhhhh /. socialism.

      Riiiight, because companies forcing everyone else to eat the costs of the damage they do isn't socialist at all. From each, according to their credit card #!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    17. Re:Yes by ArsonSmith · · Score: 1

      Actually biometrics not changing are the thing that make them very useful. Combined with a card and pin you have something that is as near to uncrackable as you are going to get. If someone steals and reproduces your biometric data they still don't know your pin or have your card. If they steal your card and beat you silly until you give up your pin then you just call and have them turned off. Then go to the identification authority get your biometric data revalidated and get new card and pin.

      There will always be the 'bribe the authority' option, but there really is no way to get around that.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    18. Re:Yes by T3Tech · · Score: 1

      Not completely foolproof I'm sure, but quite a while ago an idea I came up with was to use something like a signed PGP key ID. Similar to how PGP is used for email, but applied to an individual's personal identification info.

      Use a USB/RFID/whatever device that contains your info, encrypted with a public and private key (maybe multiple keys to allow for differing levels of info access). The public key is signed by whatever entity you have otherwise provided sufficient proof to match the ID. Alternately, the entity in question can choose to accept that an ID which has its public key signed by say some 'government authority' is sufficient. Basically the whole web of trust thing.

      At this point there's two options I suppose. 1.) The data held by the entity in question does not contain any identifying info at all, only a public PGP key - all ID data must be obtained from the person with the ID device at the time of interaction. The reading terminal or whatever would have to be one that did not store the data, but only showed it on a screen (some standalone embedded device or something). 2.) Only a chosen set of info held on the device is made available to the entity based on which private key is used to provide it.

      This would cover the something you have and something you know, but could also implement a biometric to include the something you are. As I understand it, this is similar to how the new RFID passports work. Though I'm sure they are nowhere near as secure as using something like this idea. I think the real key to an ID system that can be relied on as far as 'this person is who they say they are' is the web of trust concept.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
    19. Re:Yes by lgw · · Score: 1

      Biometrics have no advantage over a card, and hurt a lot more if they get stolen. Obviously, biometrics are no substitute for a PIN. A "smart" card that you can't duplicate with a card reader is far better than either biometrics or a normal card, but of course it still needs a PIN.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    20. Re:Yes by lgw · · Score: 1

      Hmmm, no the inability to change your biometric "card number" is still a terrible flaw. If your information gets stolen, not being able to revoke it and get a new "card number" means you have to have a strong password, and good systems don't depend on users choosing strong passwords.

      Having a somewhat-secret card number (like a credit card number) that can be changed if it becomes public, together with a PIN that is never stored by the business and can be changed on a whim, creates good security. Making it impossible to change either is a significant flaw (and one of the bigger problems with the widespread use of SS#s).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    21. Re:Yes by sm62704 · · Score: 1

      That's like the boy who murders his parents and begs the court's mercy on the grounds that he is an orphan. The stockholders voted the board of directors in, so the stockholders are the perpetrators. The law should reflect that salient fact.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    22. Re:Yes by ArsonSmith · · Score: 1

      Credit card numbers are fail because they are used without any other identification.

      Biometric + PIN + card = only way to be as sure as possible.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    23. Re:Yes by Anonymous Coward · · Score: 0

      ...and hurt a lot more if they get stolen....

      You got that right, "Ouch! you ripped out my retina."

    24. Re:Yes by lgw · · Score: 1

      Identification is a sham though, that's the problem that makes ID theft valuable. Easily changeable PIN numbers work better, and in some places credit cards need those (though that comes with loss of credit card fraud protection, so not a good deal overall).

      Biometrics add nothing but a false sense of security, IMO, at least given existing technology.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  9. as simple as due diligence ,,, by Brigadier · · Score: 4, Interesting

    If you're going to store my private data without my expressed permission, in other words I didn't specifically request it (as opposed to having it thrown in as a caveat on some user agreement), then you are responsible for all mishaps that may be incurred by your actions.

    If I ask you to save my data then I accept that I am giving permission to said company as is. In other words it now is my responsibility to look over all disclosures.

    The inherent problem however is there is no means of specifically identifying a person. First and last name no longer work. You can assign them a unique code but most people get tired of bringing around an ID card for every business they do business with. Thus you are forced to use a.) a phone number which is subject to change, social security ID, or credit card number.

    So though I do believe they should be held responsible for negligence and saving information without expressed permission, I do think the credit industry as a whole is responsible. There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.

    This one ID bullshit needs to stop. Each person should have a superficial ID which can be changed at request, a credit ID which requires in-person transactions (loan etc.), a government ID and a health care ID, all of which should be maintained by different independent agencies.

    1. Re:as simple as due diligence ,,, by nine-times · · Score: 2, Insightful

      There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.

      Part of the problem is just that everyone wants everything to be easy, and "easy" doesn't get along well with "secure". Like with social security numbers-- they're being treated as a piece of secure information in order to identify people (which it wasn't intended to do). But then as a result, you have to give it to people *all the time*. Because so many things require your social security number and people are encouraged to give it so freely, it's effectively out in the open, and not a piece of secure information.

      But then what ID can I give someone online for an incidental purchase that won't effectively be "out in the open" after a couple of purchases? The only thing I can think of is if there were some sort of public key encryption signature that was issued to each person. That would possibly be cool, but then you'd have to come up with a trustworthy system to issue those keys/certificates, and you have to trust someone to administer to that system.

      It gets complicated fast. And ultimately, most people won't put up with anything that inconveniences them or requires them to be vigilant.

    2. Re:as simple as due diligence ,,, by Todd+Knarr · · Score: 2, Interesting

      What I don't understand is why ID is needed in the first place. It seems to be tied to the idea of the merchant making a charge against the purchaser's bank account, which means the merchant needs to identify the purchaser to make the charge. But why does the merchant need to make the charge? Instead, have the merchant provide a merchant ID and transaction number to the consumer, who then logs into their bank's site and initiates a payment to the merchant for the transaction. Nobody can initiate a payment without knowing the credentials to my bank's site, which I don't ever have to provide to anybody so I can keep them secure (modulo attacks on the bank itself or me falling for a phishing scheme). If the merchant doesn't ship until they receive the payment they don't have to verify the address, anybody trying to initiate a purchase in my name won't have my bank credentials and won't be able to initiate a payment from my account. And all the information the merchant needs to keep on file long-term is the payment number my bank gave them as part of the payment transaction, which the bank can tie to my account on its end if the merchant needs to do a refund or anything. All this should be fairly simple, it's just standard EFT initiated by the payer instead of the payee.
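The payer-initiated flow this post describes, as an added simulation (not the poster's code and not any real bank's EFT API): the merchant publishes only a merchant ID and transaction number, the customer pushes the payment from inside an authenticated bank session, and the merchant retains just the bank's payment reference, which is enough for shipment and refund. The Bank and Merchant classes, run_flow, the account and the amounts are all constructed for illustration.

```python
"""Payer-initiated payment: the merchant hands out (merchant_id, txn_id), the customer
pays from inside the bank session, and the merchant keeps only the bank's payment
reference. Constructed simulation, not any real EFT protocol."""
import hashlib
import hmac
import os
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Bank:
    def __init__(self):
        self._accounts = {}   # account_id -> {"salt", "pw_hash", "balance"}
        self._sessions = {}   # session token -> account_id
        self._payments = {}   # payment_ref -> (account_id, merchant_id, txn_id, amount)

    def open_account(self, account_id, password, balance):
        salt = os.urandom(16)
        self._accounts[account_id] = {"salt": salt, "pw_hash": _hash(password, salt), "balance": balance}

    def login(self, account_id, password):
        """Returns a session token, or None. Credentials never leave the bank."""
        acct = self._accounts.get(account_id)
        if acct is None or not hmac.compare_digest(acct["pw_hash"], _hash(password, acct["salt"])):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = account_id
        return token

    def pay(self, token, merchant_id, txn_id, amount):
        """Customer-initiated push payment; returns the payment reference the merchant gets."""
        account_id = self._sessions.get(token)
        if account_id is None or amount <= 0 or self._accounts[account_id]["balance"] < amount:
            return None
        self._accounts[account_id]["balance"] -= amount
        ref = "PAY-" + secrets.token_hex(8)
        self._payments[ref] = (account_id, merchant_id, txn_id, amount)
        return ref

    def verify(self, ref, merchant_id):
        """All a merchant may learn about a reference: which txn it paid and how much."""
        rec = self._payments.get(ref)
        return None if rec is None or rec[1] != merchant_id else (rec[2], rec[3])

    def refund(self, ref, merchant_id):
        rec = self._payments.get(ref)
        if rec is None or rec[1] != merchant_id:
            return False
        self._accounts[rec[0]]["balance"] += rec[3]   # the bank ties the ref back to the account
        del self._payments[ref]
        return True

    def balance(self, account_id):
        return self._accounts[account_id]["balance"]


class Merchant:
    def __init__(self, merchant_id, bank):
        self.merchant_id, self.bank, self._orders = merchant_id, bank, {}

    def create_order(self, amount):
        txn_id = "TXN-" + secrets.token_hex(4)
        self._orders[txn_id] = {"amount": amount, "payment_ref": None, "shipped": False}
        return self.merchant_id, txn_id   # the only thing handed to the customer

    def on_payment(self, txn_id, ref):
        """Ship only once the bank confirms that ref pays exactly this order."""
        order = self._orders.get(txn_id)
        if order is None or self.bank.verify(ref, self.merchant_id) != (txn_id, order["amount"]):
            return False
        order.update(payment_ref=ref, shipped=True)
        return True

    def refund(self, txn_id):
        order = self._orders.get(txn_id)
        if order is None or order["payment_ref"] is None:
            return False
        return self.bank.refund(order["payment_ref"], self.merchant_id)

    def stored_fields(self, txn_id):
        return set(self._orders[txn_id])   # no name, address, card or account number on file


def run_flow():
    bank = Bank()
    bank.open_account("alice", "correct horse battery", 10_000)   # constructed; cents
    shop = Merchant("SHOP-42", bank)
    merchant_id, txn_id = shop.create_order(2_500)
    wrong = bank.login("alice", "not her password")   # merchant_id/txn_id alone buy nothing
    token = bank.login("alice", "correct horse battery")
    ref = bank.pay(token, merchant_id, txn_id, 2_500)
    shipped = shop.on_payment(txn_id, ref)
    bogus = shop.on_payment(txn_id, "PAY-0000")   # unknown reference: no shipment
    refunded = shop.refund(txn_id)
    return {"wrong_login": wrong, "shipped": shipped, "bogus": bogus, "refunded": refunded,
            "balance": bank.balance("alice"), "merchant_fields": shop.stored_fields(txn_id)}
```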

  10. Probably, yes by Anonymous Coward · · Score: 0

    The legal distinction between civil law and criminal law is that civil law is intended to redress a grievance between two parties or organizations, whereas criminal law involves the punishment for an action considered to be injurious to society as a whole.

    In this case, these disclosures/leaks lead to widespread identity fraud, which victimizes many many people (not just the individual whose identity is stolen, also banks, merchants, people who may be scammed by the imposter, etc.)

    So I'd say, yes, this action (lax IT security) can be considered harmful to society as a whole.

  11. Executive level. by Anonymous Coward · · Score: 0

    The IT department is likely completely unable to set policy, and cannot be responsible for the incompetence of call-center type workers.

    Fines against IT-level individuals will just cause the companies involved to outsource their IT, and won't solve any of the security breaches.

    By holding executives directly responsible, they will be forced to make the correct decisions at the hiring, policy, and training level.

  12. Fix the bank and lending system instead by lena_10326 · · Score: 4, Insightful

    Stop giving out credit to every person who walks up to a cash register. Stop warehousing critical information that can be used to apply for credit. Stop approving credit based on only Name/SSN/Address. Stop this culture of unlimited, unchecked credit to anyone, any time, any place.

    The problem is the lending system, not the fact your data is leaked. In web terms, credit applications need to be double opt-in, not single opt-in.

    --
    Camping on quad since 1996.
    1. Re:Fix the bank and lending system instead by db32 · · Score: 2, Funny

      Clearly you are confused. If we take away the ability for people to spend themselves into oblivion with easy credit the terrorists win! I want the prices of everything on the market artificially inflated by people's spending habits of imaginary money. I am simply not satisfied until I have to pay $50 for a $5 item because the supply and demand curve is completely screwed due to the massive influx of imaginary money into the consumers' hands!

      You must be some kind of dirty pinko commie bedwetter if you want to stop the massive debt spending credit system.

      --
      The only change I can believe in is what I find in my couch cushions.
    2. Re:Fix the bank and lending system instead by lena_10326 · · Score: 3, Insightful

      100% on-topic. Data breach => identity theft => credit and lending fraud. Fix it at the tail end by making the data useless to fraudsters. Think it through next time, mod. Just think it through.

      --
      Camping on quad since 1996.
  13. My two cents by Van+Cutter+Romney · · Score: 1

    If it's negligence in case of the company then it does make sense to sue the company. No employee should be running around with a laptop full of SSNs and addresses (even if they are encrypted). That's negligence and the full force of the law should be brought on those people.

    If it's due to a physical theft, say a burglary, you can't do too much about it. You can only review your procedures and make sure it doesn't happen again.

    The worst is when companies fail to report it. They're the ones who should be sued to hell and back.

    --
    Help a man when he is in trouble and he will remember you when he is in trouble again.
  14. Criminal Charges? by db32 · · Score: 5, Insightful

    Sure...while we are at it let's put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

    I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention of spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff? Never mind there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

    That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further and I imagine many of the competent ones will find work elsewhere not wanting to be a whipping boy under idiotic laws like this.

    --
    The only change I can believe in is what I find in my couch cushions.
    1. Re:Criminal Charges? by blindd0t · · Score: 2, Informative

      That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it.

      Chargebacks (card holders disputing charges with their credit card company) are good incentive. Ultimately, it is the vendor that loses money when a user claims a charge is unrecognized and the vendor is unable to provide sufficient proof that it was a legitimate purchase (though the CVV2 number helps the vendors here). To add to that, even more incentive is provided by the banks because they keep track of the unresolved chargebacks on all merchant accounts. If they find your merchant account has had too many unresolved chargebacks per month, they'll typically send you a notice informing you that you have 30 days to find another bank, and setting that up to continue your sales is generally next to impossible to achieve. It is, in some cases, possible to pay the bank extra money to keep the merchant account active for a bit longer, however.

      Seems to me not collecting it is far easier and more viable in many many cases.

      Indeed, it is. A vendor's ability to meet PCI DSS standards is much simpler when card data is not retained. However, there are some cases, such as automatic recurring payments, where storing card data is appropriate. At that point, additional measures are obviously necessary.

      Personally, since the monetary liability ultimately comes back to the vendor, I don't feel criminal charges are necessary. That, and it seems like it may be simple to exploit such a system to make money suing vendors via charges designed to appear fraudulent. Additionally, many of the chargeback requests are often people simply not recognizing charges (i.e. they didn't remember making the purchase, and/or the card processing was done by a third party on behalf of the company selling the product). Now, fraudulent use of retained credit card data is an obvious crime. But provided a vendor has not abused their data and has taken the appropriate measures to meet the PCI DSS guidelines, I'd say they should be in the clear in terms of criminal charges. However, I may agree that reasonably increasing chargeback fees would significantly increase incentive.

    2. Re:Criminal Charges? by JerryLove · · Score: 1

      Perhaps we should indeed hold law enforcement responsible when, for example, they leave a cell door unlocked and a criminal escapes and commits crimes.

      That really is the better analogy.

      I wonder how many of the security breaches really come down to bad IT, and how many can be traced to individual users. In my experience, the biggest danger is from people putting data where they should not, leaving their laptops lying around, leaving their passwords on pieces of paper, etc.

    3. Re:Criminal Charges? by Anonymous Coward · · Score: 0

      Hi. This is the real world. We're talking about negligence. I don't think you have anything comparable to that in your fantasy world where no one is responsible for their actions or decisions.

    4. Re:Criminal Charges? by n+dot+l · · Score: 1

      Sure...while we are at it, let's put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

      I don't think that's what's being suggested here. The idea is to punish companies for negligence, not for any random losses. They're not saying put a random cop in jail every time a crime occurs, they're saying that if a cop could have reasonably done something to prevent the crime (like the other poster's example of leaving the jail unlocked and a murderer getting out), then that particular cop should be punished.

      Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff?

      If you can't be bothered to do some research and assure yourself to within a reasonable doubt that Vendor X has secured his product, then maybe you shouldn't be storing my name, address, phone number, credit card info, and shopping habits in their system - no? I have no issue with companies storing anonymous shopping habits in insecure systems because all they want to do is some simple data mining to optimize their advertising/stocking policies a bit, but if they're going to be putting info that could hurt me if in the wrong hands in that database they should damn well be liable for it, or they should have on hand evidence that they had reasonable assurances from the vendor that the data would be safe, which passes the liability on to the vendor.

      Or maybe I go to jail because some worker brought in an infected USB photo frame.

      Why is that worker allowed to plug a USB photo frame (or anything IT can't vouch for, really) into a workstation which you (the company) presumably own? Why does that workstation have my name and address on it in a form that the virus can send home?

      That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases.

      Simple. Make them liable for each and every record they lose. Let them know that a lost name costs $x, a lost address $y, with a multiplier of Z if that info can be linked to other leaked damaging (though not necessarily personal) records. Let there be exceptions for companies that obviously did everything that they could to secure info (as you say, there are cases that nobody could have anticipated and that shouldn't be punished). That way the companies get a fairly simple choice: pay for proper security, or pay the (steep) fines when someone loses a laptop on a subway.

    5. Re:Criminal Charges? by whoever57 · · Score: 1

      Never mind that there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

      That, frankly, is the MS mindset: you can't make it 100% secure, so let's not try to make it more secure than it is today. The disclosure requirements should have provided "encouragement" to companies to try harder to protect data. Clearly, it has not been successful.

      The photo frame example is a very good case -- those frames only presented a threat to operating systems that automatically execute programs found on disks that are inserted/connected to the computer. That is a choice of the OS manufacturer and the administrator (since it can be disabled). Companies have to take responsibilities for those choices instead of just saying "it's impossible".

      --
      The real "Libtards" are the Libertarians!
    6. Re:Criminal Charges? by StormReaver · · Score: 1

      "Sure...while we are at it lets put a cop in jail every time someone in their city gets mugged, murdered, raped, etc."

      What if the cop stood back and watched, but did nothing to stop it? Would you favor jail time for that? I certainly would.

      I would also favor criminal penalties if, and only if, the company whose data was stolen disregarded all generally accepted security practices (yes, I know these aren't formalized), and that disregard is what led to the theft. In other words, only for gross negligence.

    7. Re:Criminal Charges? by Anonymous Coward · · Score: 0

      You are exactly correct. The bigwig company officers will gladly blame the IT department for the data breach. You and I will take the fall even though you tried for years to increase security and set security policies, etc. only to have them avoided because they cost money or were too inconvenient. Even if you don't go to jail, the only IT job you could get in the future would be on a telephone Helpdesk. Your programming or management career will be over.

    8. Re:Criminal Charges? by mistahkurtz · · Score: 2, Interesting

      Here are my thoughts on it. I don't agree that the IT department should be held responsible, unless it proves to be through the IT department's negligence that the information was lost or stolen.

      I think the focus should be on management external to the IT department. I have worked in Enterprise IT Sales for a few years now, and am still shocked on an almost daily basis by how easily funds are denied for absolutely crucial projects.

      If your CIO, CFO, CEO, Compliance Officer, Security Officer, etc. is aware of a risk, and chooses not to act, the fault is theirs, not the IT department's that was told to play with rubber bands, old hardware, free software, and tin foil to piece a robust security infrastructure together.

      IBM's ISS costs up to around $200,000 for a good-sized implementation, and may be the only *truly* full-sized security solution available on the private market (offerings from McAfee and so-on shouldn't even be mentioned). The organizations that are typically collecting, storing, and losing important and sensitive user data are typically organizations that can afford, or should find a way to afford such security infrastructure. (Are you telling me that S/L/F government, financial institutions, major telecom companies, etc etc etc etc can't afford a non-joke security system? Are you telling me that they can't enact serious security policies and punish ignorance, laziness, or apathy?)

      Seems to me that spending $200,000 for a full, robust security system, up front, far outweighs the potential lawsuits, out-of-court settlements and negative publicity that can follow a serious breach or loss of data.

      The power lies in the accounting office. With the people who get a bigger bonus for cutting expenses. And this might make sense when you're talking about such things as paperclips, copy paper, toilet paper, etc. But when you're talking about the very things that keep your business in existence, and maintain your reputation with your peers as well as your customers, shouldn't there be another process?

      If someone says to the IT manager, Network Security manager, etc, that "I understand your pain, and while you may feel that you need a full IPS that tests the network for flaws, dynamically, you're going to have to stick with a handful of WatchGuard appliances, because I, and nobody above me, cares", then I say blame that person and anyone else involved in the apathy or ignorance.

      I'm done.

      --
      not only is time travel possible, it's irrelevant.
    9. Re:Criminal Charges? by db32 · · Score: 1

      Negligence translated is "Why did the undermanned, underpaid, and underfunded IT staff allow this to happen? If 4 guys can't manage 1,000 workstations and know every application on the network that could have potential vulnerabilities then they deserve to go to jail!"

      I'm sorry...so you expect that staff of 4 people to do penetration testing to that degree on every application installed? You certainly live in an interesting reality if that is the case. Here is one...I bothered...I found that every major OS on the market has had multiple vulnerabilities that could grant administrator access both locally and remotely in the last 5 years. Clearly this means we should use pen and paper. This personal data isn't just retained shopping habits either. Medical information, hotel reservations, flight information, bus tickets, and credit card companies and banks need it for more than tracking shopping habits; employers need it for tax purposes. There are tons of places that information will reside, inside tons of programs, databases, etc., home grown or professionally developed. Again...it is completely and totally moronic to demand criminal charges against IT staff for this.

      Names and Addresses are hardly "private" information. Marital status, SSN, etc are private information. As for exceptions...yeah...that has totally worked out in our legal system thus far. Wonder why healthcare costs so fucking much? The insurance companies are involved on every level from malpractice insurance on the doctors side increasing the cost of doing business to protect himself from every litigious asshole that assumes doctors cannot make mistakes, to the medical insurance provider gouging the shit out of consumers with magic numbers and writeoffs and all kinds of other fancy accounting.

      End result, our healthcare system is totally fucked due to that "make exceptions for some and punish the rest" mentality that has been applied to doctors. Now, doctors cannot make honest mistakes without losing their asses because the default assumption is malpractice. The only thing that has really protected doctors jobs is the fact that people NEED doctors and they need them locally. You can bet your ass this will lead to stupid loopholes with offshoring the IT staff so they can't be held criminally liable here causing the loss of tons of jobs.

      I agree something needs to be done, but the proposed solution of criminal charges is nothing more than a poorly thought out moronic kneejerk reaction to the problem. Most cases of "fine them big bucks" are just as bad, paving the way for rampant fraud, further hiding of data breaches, or just increasing the cost to consumers. The problem needs to be fixed, not just punished.

      --
      The only change I can believe in is what I find in my couch cushions.
    10. Re:Criminal Charges? by AK+Marc · · Score: 1

      It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff?

      If you set it up the way it should be set up, then you won't go. "They say it will work, and it doesn't" is a different case than when you set up a server and leave the default password up and running and all the data available through it. Or when you configure a laptop to sync with the database to store the entire thing on the laptop unencrypted. If it's on a laptop, you have to assume it is compromised. BIOS passwords, hardware encrypted disks, non-trivial passwords, terminal servers with all data stored there and none on removable drives/computers. There are tons of ways to secure data, and if you choose to not use them then you are complicit in the release of personal data. If you recommend them to your boss and he chooses to not implement them, then he is complicit and you aren't. There should be simple rules and communication so that it ends up where the CEO is aware and responsible. Let him make the call as to how much he is willing to spend to comply with best practices or end up in jail. And no one said that a breach should result in jail time. It was implied that a breach due to negligence should hold those negligent responsible. If you are getting so defensive, is that because you are negligent and don't want to be held responsible?

    11. Re:Criminal Charges? by n+dot+l · · Score: 1

      I'm sorry...so you expect that staff of 4 people to do penetration testing to that degree on every application installed?

      No. I expect a company with only four guys in IT to either hire some more staff or simply restrict itself to storing as little personal information as possible for as short a time as permitted.

      Names and Addresses are hardly "private" information.

      True, but most people would be pretty upset if the local porn shop "lost" purchase records that could easily be associated with names and addresses. Heck, how about records showing that the owner of 123 Rob Me While I'm Away Drive goes on a two-day business trip on the first of every month - that's conceivably something you could glean from hotel records. That's the sort of stuff I was thinking of.

      Wonder why healthcare costs so fucking much? [snip] The problem needs to be fixed, not just punished.

      See, this is the thing that needs to be fixed before anything else can be fixed when it comes to big business: the executives responsible for company policy can get away with murder and people think that's normal. You're right, it's not reasonable to fire random IT peons for a random data leak. It is reasonable to audit the company and let them off the hook if the (we'd hope) independent auditors determine the company did whatever they could. But if they find that random sales people are walking around with 400,000 unencrypted customer profiles on their laptops then fine the company and bring the manager that OK'd putting those records there and the one that denied the request to buy/implement appropriate security measures before a judge.

    12. Re:Criminal Charges? by db32 · · Score: 1

      That isn't always a reasonable expectation. Hospitals are an excellent example of the problem with personal information and IT staff. Most industries can't afford to just hire more IT people because it would help. The groups that will get murdered by this kind of punishment aren't the big megacorps with lawyer hordes. It will be the smaller places that can't afford the extra staff and horde of lawyers. The megacorps will release the lawyer horde or burn their own IT staff and no one that matters will really feel any pain for the fuckup.

      That said, a great deal of the personal information stuff is also on the onus of the individual as well. The notion that we should hold everyone else but ourselves responsible is a growing trend in all aspects of modern American life. Don't want people to know you have been buying porno every payday...pay cash. My real irritation comes from the "we require credit cards". But, again, as irritating of a policy as that is, if people actually gave a shit that policy would have died out when it resulted in lost business; instead, people whip out the plastic. We dug our own grave by giving up our personal information to anyone who asked, and now we are crying because the people we gave our information to lost it.

      --
      The only change I can believe in is what I find in my couch cushions.
    13. Re:Criminal Charges? by n+dot+l · · Score: 1

      That isn't always a reasonable expectation. Hospitals are an excellent example of the problem with personal information and IT staff. Most industries can't afford to just hire more IT people because it would help. The groups that will get murdered by this kind of punishment aren't the big megacorps with lawyer hordes. It will be the smaller places that can't afford the extra staff and horde of lawyers.

      I had a whole two paragraphs written out on how this could be avoided but after three drafts it's pretty clear that there isn't any way to make criminal charges scale well from small business to megacorp. I'd say leave it at a fine that scales with the data loss. If a company can't figure out how much data it can afford to keep reasonably secured, given the liability of not securing it, and gather that much and no more then, well, tough. Reserve criminal charges for the most extreme cases of outright negligence. There have to be some consequences for mishandling data, otherwise you're just begging for more stupidity.

      The megacorps will release the lawyer horde or burn their own IT staff and no one that matters will really feel any pain for the fuckup.

      That's a general problem with all sorts of law. The fact that we've set up a system that tends to sell justice to whoever paid more for his lawyers is something that has to be dealt with everywhere. I still don't like the idea of not punishing damaging behavior. I've been to countries where corporations aren't prosecuted for anything and that was bad enough that I just hate seeing our society move in that direction...

      That said, a great deal of the personal information stuff is also on the onus of the individual as well.

      Largely true. And in most cases I agree with you that yes, the individual should take more responsibility. However I despise the fact that we live in a world where abstract legal entities can get away with things that I as a person would be jailed for. If I have to be responsible, so should businesses - of all sizes.

      The notion that we should hold everyone else but ourselves responsible is a growing trend in all aspects of modern American life.

      Not even that. The notion that we should hold nobody responsible is the growing trend, and that's pretty scary. It's one thing for everyone to accuse everyone else of making them fuck up. It's quite another when there isn't any follow-through on the accusations and years go by with nothing being done. That seems to be how all levels of government and, from what I've seen, most of big business seems to operate these days.

      My real irritation comes from the "we require credit cards". But, again, as irritating of a policy as that is, if people actually gave a shit that policy would have died out when it resulted in lost business; instead, people whip out the plastic. We dug our own grave by giving up our personal information to anyone who asked, and now we are crying because the people we gave our information to lost it.

      Except that if people boycotted hotels (which require credit card info to make a reservation) you'd see massive losses in everything from airlines to the local restaurants until A) the hotels notice they've lost a lot of business, B) they change their policies and get the word out and C) people hear about it and start trusting them again. The problem with trusting the market to fix itself is that the fixing is often a very painful process that involves large segments crashing and having to be rebuilt. And if you meant people not whipping out the plastic in the first place way back when it was first introduced, before every business started demanding all sorts of information, well, did identity theft even exist as something the average person had to worry about back then? How would people have known that things would get this bad? Anyone saying so would have sounded like a total crackpot, at the time.

    14. Re:Criminal Charges? by db32 · · Score: 1

      Personally, my solution revolves largely around the death of that whole corporate "non-person" crap. I would have to sit and think and research on the subject a long while before deciding if it is a good angle (unintended consequences and all), but if you hold C*O types PERSONALLY liable (hell, they make the big bucks, right, let's make them take some risk) I think many of our problems would go away overnight. Darl, Carly, the folks from Union Carbide, and all the leaders involved in almost every corporate atrocity still keep their golden parachute and walk away unscathed. You can bet your ass that if the CEOs of Union Carbide knew they would face multiple life sentences for the negligence that led to thousands of deaths, they would have chosen safety over profit. Instead they wound up paying something like $2-3k to each family killed in the Bhopal disaster.

      As far as holding no one responsible, that is EXACTLY what blaming the corporate 'non-persons' does. You don't hold anyone accountable for their actions. That is our fault as individuals in society. As more individuals subscribe to the "blame someone else" idea it grows until our society does that in general and it becomes the accepted norm. Then we find "those evil corporations" to blame. There are good leaders, and bad leaders. We have allowed ourselves to blame the nonperson because it is easy, which gives rise to lots of bad leaders that are never held accountable for their poor decisions.

      I see tons of protestors crying about the war; I haven't seen very many actually DO anything other than get their 15 minutes of fame being unmitigated morons and assholes for the local news. If I were an emergency services driver when those moron students laid down in the highway to protest the war I would not have thought twice about allowing them to commit suicide while I went to help someone in need. It's the all-about-me and no personal accountability that is fucking it up. I want to see protestors go campaign for local government spots, to actually go out and do something productive other than make a bunch of noise. How many lives would be saved if those idiot asshole anti-abortionists weren't busy trying to get their 15 minutes of fame and instead set up adoption centers next door to every abortion clinic from coast to coast? They sure as hell can rally enough resources to put billboards up every 10 miles, get TV ads, and mail plastic fetuses out.

      There would never have been a problem in the first place with hotels demanding information if there was more personal accountability in place. People demand the government fix all their problems, that the government should know everyone checking into hotels so they can track criminals or terrorists or whatever. People expect anything that goes wrong to be someone else's problem, so they make no effort to protect themselves. Hell, it is a lucrative business being involved in someone else's fuckup these days, big settlement checks all around. You would have people giving out their personal information to anyone who even pretends to be legit just for the shot at a big payout if they screwed up.

      --
      The only change I can believe in is what I find in my couch cushions.
  15. Yes, Yes they should. by ag3ntugly · · Score: 0

    It would appear to me that big companies don't consider personal info to be as valuable as something like their trade secrets. I work for a large manufacturing company, and if I were to lose any data storage device with a large number of confidential details about our manufacturing processes or data/drawings of our parts and products, I would expect to be thrown under the bus.

    If a laptop or hard drive or thumb drive with some personal info gets "lost" or stolen, anyone in the company who knew that said data was stored on such a portable and easy to steal/misplace sort of device should be sent to prison simply for being an idiot.

    Now, if the data is lost through an attack on secured servers, and the company did their due diligence to protect that data (multiple layers of security, multiple auths, firewalls, IDSs, etc.) then they shouldn't be punished, but if data is lost simply due to someone being stupid, then they should pay dearly.

    --
    I have a roll of electrical tape.
  16. Corps will see the inside of a court room only if by denis-The-menace · · Score: 0, Offtopic

    Corps will see the inside of a court room only if your name is the title of a song and the personal info gets posted! (MediaSentry will "Find it")

    Currently in the US, Corps have more rights than you or I even though they are considered "A Person".
    Corps that inadvertently/intentionally kill people at most must pay a fine.
    If you or I do this, we don't even get the option to pay our way out.

    Until this changes corps can do what they want.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  17. Socialist Europe does it better by Anonymous Coward · · Score: 0, Troll

    In socialist England the gov't gives it all away free!

  18. Who gets the shaft? by Anonymous Coward · · Score: 0

    So let me get this straight. We're going to give IT the shackles, when 9 out of 10 times, they are doing what they are told?

    In my experience, IT has very little control, but all of the responsibility. Management of the company sets the rules; even if the law is in favor of securing the data, that doesn't mean the managers allocate the budget to ensure that happens.

    IT workers rarely stand up and say "I refuse", because when it comes down to it, it is their mortgage on the line.

    Now it'll be their mortgage, or their freedom? Awesome, where do I sign up?

  19. Not IT, but business by Ohrion · · Score: 5, Informative

    I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

    I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.

    1. Re:Not IT, but business by Inoen · · Score: 1

      Similar to the way hazardous and valuable materials are handled, companies and individuals should be licensed to be allowed to handle personal data.

      No CEO in his right mind would let a junior employee take care of transporting/storing explosives/toxins/diamonds. Why should he let him handle "dangerous" data?

      Yes, data handling would become more expensive, but a lot safer, if fewer and more specialized companies are the only ones who get access to the data.

      There are already plenty of companies that offer this kind of service for credit card transactions. The only reason they exist is that it is expensive to get a license for it. If the entry barrier is high enough for other areas, more services will appear.

  20. Doctors, lawyers, engineers, IT? by Anonymous Coward · · Score: 1, Insightful

    I'm a professional engineer (PE). My wife is a physician. If we screw up, ruining somebody's life, we get sued.

    IT is not more complicated than medicine, yet seems to fail at security all the time. Perhaps it's time for malpractice/negligence to whip companies into shape.

  21. Possibly too far by avatar4d · · Score: 2, Interesting

    I am not sure that criminal charges are necessarily needed. Who would get the jail time? I mean does the SA have to prove that he recommended better security to the PHB? Does management automatically go directly to jail?

    I might be happy enough with the company being responsible for any identity theft of the people listed in their data. Maybe only for the next 5 or 10 years, but if their credit starts getting messed up, then the company which lost the data should be responsible to take the blame and also partially (split between the bank and the company) financially responsible.

    Even that suggestion has issues though. People will then defraud the company that lost their data by pretending that their identities were stolen and that someone is purchasing things in their name. All the while it was that person themselves.

    Regardless, I think the whole identity/information theft thing is more complicated than most (non-technical/non-business) people take into account.

    --
    Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
  22. What about the little guy? by Anonymous Coward · · Score: 0

    That would suck for the small web developers who can't pay for insurance for this sort of thing.

    1. Re:What about the little guy? by GodKingAmit · · Score: 1

      Maybe you shouldn't be storing other people's credit card / social security numbers if you don't have the infrastructure to protect it?

  23. Chain of responsibility by Anonymous Coward · · Score: 0

    Directors and high-level execs should be first on the jail cell lines unless they can prove that they:

    1) Listened to reasonable IT security concerns (it's not their job to do the research),

    2) Properly funded and supported efforts to insure data protection.

    And yes, I have been involved as low-level IT support, a Director and a high-level exec.


  24. Code violations by Brain-Fu · · Score: 2, Insightful

    Most forms of construction must adhere to a code. Why should software be any different?

    It would be nice, IMO, if we could formulate a set of minimum requirements for any kind of personal-data-handling software (including codes for operating procedures). Things like "all passwords in the system must use strong encryption" and "backups of the data cannot be stored on personal laptops" and the like.

    Then legally require businesses to hire some ratio of software developers who have passed a code certification and logged sufficient hours under the apprenticeship of a certified master, and cite them if any such developers blow the whistle on them.

    It is not a perfect solution. It has problems with implementation. And of course M$ will do its darndest to ensure that codes require the use of its software. But it is still better than the situation we have now.

    1. Re:Code violations by morgan_greywolf · · Score: 1

      Then legally require businesses to hire some ratio of software developers who have passed a code certification and logged sufficient hours under the apprenticeship of a certified master, and cite them if any such developers blow the whistle on them.

      Hmmm...smells like a union...

    2. Re:Code violations by Anonymous Coward · · Score: 0

      I formulated them already on my laptop, but it got stolen and the only backup was still in the CD drive.

      I will now invest in a RAID array so I have 3 distinct places of storage.

    3. Re:Code violations by blueg3 · · Score: 1

      Things like "all passwords in the system must use strong encryption" and "backups of the data cannot be stored on personal laptops" and the like.

      Sadly, that sounds about accurate for the results if such a code was written.

      Passwords don't use encryption of any sort, and data backups shouldn't be stored on any laptop, personal or not (nor on an individual user's work desktop, nor on any personal machine...).

  25. Worrisome... by tekiegreg · · Score: 2, Insightful

    Forgive me for not RTFA in advance but...

    I'm a developer; I've worked on many an app that has stored credit cards, social security numbers, and other pieces of juicy data. I've always acted with integrity and you'll never find a credit card or social security number posted on the Internet of my own free will. Generally I take best efforts to secure this information, using appropriate technology such as hashing, encryption, access controls and authentication as appropriate for the information, etc., and documenting as thoroughly as possible to make sure that nothing happens, and what to do to further protect things.

    Despite all this, if my programming is ever compromised, am I now jail potential? I'm finding a new job...

    --
    ...in bed
    1. Re:Worrisome... by not-my-real-name · · Score: 2, Informative

      I work with aviation software. The documentation, testing, and software is all overseen by a DER (designated engineering representative), a person authorized by the FAA to approve things.

      If there's a problem with an airplane and it turned out that he approved something inappropriately, he would be facing some serious personal liability.

      Just so you know, there are jobs with serious penalties for negligence. And there are people who do these jobs.

      --
      un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
  26. Careful with that word 'crime' by ScentCone · · Score: 4, Interesting

    Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it. Not counting, of course, the harm of feeling appropriately uneasy as you wonder if/when someone will do something with it following a leak - but I'm not sure that sort of anxiety rises to the level of crime on the part of the hotel chain... you could have the same anxiety about whether or not someone holding your data will at some point have a leak that hasn't even happened yet, and likely never will.

    There's a reason that someone who sues McDonalds over the hot coffee she dumps in her own lap doesn't ask a DA to go after them criminally. Likewise with slipping on a wet restroom floor that doesn't have one of those "caution" signs put up by the maintenance crew. Being bad (or even, unlucky) at your job could well be grounds for a civil suit, but it isn't usually - and shouldn't usually be - considered an actual crime. That's pretty dangerous stuff, there.

    When some wackadoo in full-on tinfoil hat mode brings a gun or a knife to work and kills the PHB he's hated for years, and is now convinced is working for Alien Overlords... is the employer who didn't see that coming an accessory to the crime that was committed, for having failed to prevent it?

    If data is leaked, and no crime (based on the use of that data) is ever committed, and the laptop gets recovered with no expectation of it having been compromised... did a crime take place, not counting the person who ripped off the laptop from an employee's luggage? Is the employer actually a criminal because that happened? The opportunities for Really Bad Precedents here are vast.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Careful with that word 'crime' by Anonymous Coward · · Score: 0

      http://en.wikipedia.org/wiki/If_a_tree_falls_in_a_forest

    2. Re:Careful with that word 'crime' by Anonymous Coward · · Score: 0

      Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it.

      Sure. Leaving my car unlocked with some expensive stuff in full view isn't a crime. After all, no harm is being done until it gets nicked, right?

      Wrong. If nothing else I could get a nice fine for being negligent and effectively inviting a thief to grab it.

      The fact that that data is possibly getting into the hands of someone who could abuse it is enough, in many circumstances, to immediately act upon it.

      Like someone losing your keys with your house address attached to them. Do you wait forever, always cautious for someone entering your house using the lost keys, or do you rather spend some cash on exchanging the locks as a precaution?

      And believe me, I would not like it if the cash I have to spend because of their loss of my keys would come out of my pocket.

      One of the nice little problems of the nowadays information age is that a lot of companies have made copies of your house keys and labeled them with your full name, address, etc. Yes, even without you knowing and/or having approved it. (And yes, I mean "house keys" as in "your personal data, ready to be abused for identity theft".)

    3. Re:Careful with that word 'crime' by Descalzo · · Score: 1

      Sure. Leaving my car unlocked with some expensive stuff in full view isn't a crime. After all, no harm is being done until it gets nicked, right? Wrong. If nothing else I could get a nice fine for being negligent and effectively inviting a thief to grab it.

      Are you serious? I'm gonna need chapter and verse on that one. It sounds like the dumbest law ever.

      --
      I cried real tears when Li Mu Bai died.
  27. Is it even illegal? by cayenne8 · · Score: 4, Interesting
    Thing is...is it even illegal at all, to divulge customer data?

    I mean, I know HIPAA takes care of issues with respect to people's medical records, but, I don't think that there are actually any laws against the release of people's data. If there were, there would be a whole lot less of companies out there that held and traded in such information.

    It is a crime to break into a computer to gather this data. But, I don't think at this point, in the US it is a crime to lose it.

    If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

    If there is, can someone cite it or give links on this?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:Is it even illegal? by AvitarX · · Score: 2, Interesting

      When someone costs you money through negligence (i.e giving away or sloppily handling your data) you can sue them.

      This would apply at the very least to Credit Cards (if used) and social security numbers (if they are used).

      If the cost to you is nothing it is definitely a different issue.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Is it even illegal? by g0bshiTe · · Score: 1

      You have never heard of the Sarbanes-Oxley Act

      --
      I am Bennett Haselton! I am Bennett Haselton!
    3. Re:Is it even illegal? by cayenne8 · · Score: 1
      "When someone costs you money through negligence (i.e giving away or sloppily handling your data) you can sue them."

      Sure...they may be civilly liable for damages that might result later, but, I was referring to there not really being any laws against divulging private data of others. I mean, I could put up a website listing people and their SSNs or other numbers, and as far as I know, there is no criminal statute they could charge me with.....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Is it even illegal? by cayenne8 · · Score: 1
      "You have never heard of the Sarbanes-Oxley Act [wikipedia.org]"

      It only seems to apply to publicly traded companies first of all...none private.

      It only seems to have to do with financial reporting, etc...stuff that would affect stock prices, etc. It doesn't seem germane to the discussion pertaining to the legality of having people's private data go out to the public.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:Is it even illegal? by Stellian · · Score: 4, Interesting

      If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

      No there's not - this is the "problem" the original submitter wants to solve. I personally have huge issues about criminalizing any form of free speech.
      The identity of a person is not a secret, or a thing that can be stolen. The very way that identity works is by making it public:
      "Hello, I'm John / Oh Hi John, I'm Susan"
      Now if John is coy about revealing his identity for fear that Susan might open up a bank account in his name, the whole use of identity crumbles. I have nothing against anonymity, John can remain anonymous if he so desires. But the notion that you must somehow "protect" identity by keeping it a secret is a stupid trick that harms the usefulness of identity and our society as a whole. The artificial distinction of allowing trusted people (banks, the phone company) access to it, while keeping it a secret for the general public (that includes identity thieves) is childish. So is the proposal above, of criminalizing the act of compiling a list of people's identity using public data - as explained above, all identity data is public to some extent, by definition; if it's not public, it does not identify you.
      Far be it from me to claim that it's safe to post your personal data on Slashdot. In this warped world we are living in, there is the danger of so-called "identity theft".
      The term "identity theft" is a copious misnomer perpetrated on the public by the banking industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
      After all, why should *I* pay for the fact that some bank lends money to someone who says he's me? The bank has little incentive to properly authenticate the guy: they want as many customers as possible; the problem of "ID theft" is an externality. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so it's unreasonable to require me to protect my identity from "theft".
      You can find an excellently written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
      http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
      The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
      Devising more intricate ways to keep our identity data "secret" is just a band-aid.

      (I have only approached the problem from the identity fraud perspective; I fully agree there are other reasons to wanting to have your data private, such as, well... privacy)

    6. Re:Is it even illegal? by skelly33 · · Score: 2, Interesting

      I think the digital world should be treated quite like the physical world.

      There should be a clear distinction between the liability of a company who has made reasonable efforts according to typical industry practices (a bank with a brick & mortar facility, armed guard, surveillance, and timed locking vault) and one who makes no effort at all (keeps customer assets in a cardboard box marked "keep out" in a Public Storage facility). Despite all efforts, no system is completely secure - this is slashdot: you KNOW that.

      What if the system administrator who allowed the system to be compromised were the one on the hook? The fact is that the bad guys are ALWAYS determined to find something that the good guys haven't thought of and eventually will get in and make off with the materials. At some point you have to stop looking for someone else's ass to burn and just chase the crooks themselves.

    7. Re:Is it even illegal? by xclr8r · · Score: 1

      It's a given that companies need to do their due diligence regarding security of data. I can have slightly more forgiveness towards a security breach than a company/data policy that allows my data being on stand alone systems. The black hats will always be at least a half step ahead in the game. But losing data to stupidity and lack of policy on how data is utilized and stored really pisses me off.

      My wife just received a letter from Anheuser Busch / Busch Entertainment Corporation last month. Apparently an office was broken into and some desktops/laptops were stolen. A.Busch did the right thing by notifying us that some of my wife's information was on the stolen equipment. However, here is the kicker: my wife has not worked for A.Busch for 7-8 years. What the hell is wrong with them that they are keeping copied personal data on stand-alone systems, and why is the data still on there 7 years after she discontinued her working relationship with the company?

      --
      Beware of those who profit off the docile and persecute the unbelievers.
  28. Re:Corporations are EVIL by Anonymous Coward · · Score: 0

    HAHA... you obviously don't know about Karma. You'll be modded to oblivion, until you give up your posts in frustration. No dissenting opinions allowed.

    Long live /. groupthink!

  29. The buck should stop with the CEO by Anonymous Coward · · Score: 0

    Agree that IT is the one that owns access to the data in question. But security is an organizational matter and should include data security - just like protecting other intellectual property. This should be mandated by the top management and verified.
    SOX legislation is around for a reason and it is not the journal accountant who is held responsible. It is the CEO.

  30. How long data is needed by Todd+Knarr · · Score: 2, Interesting

    I'm of the opinion that the liability should depend in part on whether the data's being kept longer than needed for the transaction or purpose it was provided for or not. For instance, if I buy something from an on-line merchant they need to keep my name and address on file at least long enough to ship my item, and almost certainly for the length of time I'm allowed to return the item for a refund or replacement. They need to keep my credit-card number on file long enough to authorize it, possibly long enough to settle the charges (depending on how they're set up with their clearing house), and possibly as long as I'm allowed to ask for a refund (if for instance the clearing house requires the card number to credit the money back). When a company keeps information around longer than needed, they should be held to a higher standard since now it's their choice that the data's being kept. And "needed" should be determined by the purpose or transaction the data was provided for, not by what the company wants to do. When I provide a billing/shipping address for a purchase, I'm not providing it so the company can do better advertising later. If they insist that I create a profile and leave that information on file permanently for their convenience or benefit, they should be taking more responsibility for its security than if they're keeping it just long enough to do what I asked of them and then discarding it.

  31. Where does the blame fall? by DaveV1.0 · · Score: 1

    Does it fall on the IT department for possibly having lax security procedures or using problematic software?
    Does it fall on management who approves or dictates the security levels and procedures, and/or may exempt themselves from the procedures?
    Does it fall on the software vendor who provided the software with a security hole?

    Where does the blame fall?

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  32. Best Western .. might not be 8 mil customers by oneiros27 · · Score: 1

    Best Western claims that it was a single hotel, and that they purge older data when it's not needed.

    Of course, as it's been so widely reported, the chances of people believing anything other than the worst case scenario is unlikely, as how many blogs are going to post a 'oh, nevermind, I was wrong' article? (and the newspapers would hide it somewhere on page 24)

    --
    Build it, and they will come^Hplain.
  33. Commie Scum by gentimjs · · Score: 1

    Syndeq, you suggested any form of accountability/responsibility for a corporate entity. What are you, some kind of commie scum? The ability to perform any level/kind/etc of illegal, amoral, corrupt, or otherwise-unacceptable conduct while under the 'name' of a corporate entity, then when you get caught to say "Hey man, it was the company!" to avoid blame, is the cornerstone - nay - the single most essential principle of the US economy. After all, harder to bring "Acme, INC" to jail than "John Doe", isn't it? In all seriousness, as long as the illusion of "corporate personhood" exists, we'll never escape this reaganic ideal of responsibility-free wrongdoings.

    1. Re:Commie Scum by Anonymous Coward · · Score: 0

      Syndeq, you suggested any form of accountability/responsibility for a corporate entity. What are you, some kind of commie scum?

      The ability to perform any level/kind/etc of illegal, amoral, corrupt, or otherwise-unacceptable conduct while under the 'name' of a corporate entity, then when you get caught to say "Hey man, it was the company!" to avoid blame, is the cornerstone - nay - the single most essential principle of the US economy. After all, harder to bring "Acme, INC" to jail than "John Doe", isn't it?

      In all seriousness, as long as the illusion of "corporate personhood" exists, we'll never escape this reaganic ideal of responsibility-free wrongdoings.

      What a freaking moron. No, check that. You may be intelligent, but you are criminally ignorant. Corporations are one of the building blocks of our economy. No, you don't jail a company, but you can jail the executive members of that company. The only reason why it gets difficult has nothing to do with the fact it's a company, but because it has so much money. Case in point: OJ nearly bankrupted himself the first time he was in a criminal trial, but his money got him off. This time ..... no more Chewbacca defense.
      Corporations are not good or evil, they are simply tools. They allow continuity, as well as a method for collecting and distributing capital (sometimes known as savings and retirement).
      Ben and Jerry's is not evil, but they are smart enough to recognize the benefits of a corporation.
      Geez, I am amazed how ingrained the reaction is by so many people to a word that has brought so many benefits to us all. Remember this when you are driving home tonight on your corporate produced vehicle (I don't care if it is a bike, a car, or a train), and when you go out to get your corporate produced food (grocery store or chain restaurant), and while you are reading this on your corporate produced computer.

  34. Depends on the case by thetoadwarrior · · Score: 1

    You can't just say the IT department is at fault in all cases. It would have to be looked at on a case by case basis and it certainly wouldn't just be IT. The company as a whole can determine how well an IT department runs.

    If a company flat out does something stupid then of course there should be some sort of compensation or punishment for the company.

  35. Why companies and not government employees? by Anonymous Coward · · Score: 0

    Why should this only apply to companies? Why not government employees, heads of departments, or for those countries that have them, ministers of various departments?

    It can't be so that a set of actions that should not happen give criminal liability and is morally condemnable if you do them as a private person or a company, but invokes the +5 Invisible Adamantite Brick Wall of No Traceable Responsibility if the government does them. That would be unfair and discriminatory for no good reason.

  36. Blame Data Retention by pdq332 · · Score: 1

    Company data practices share some of the blame. But why are they gathering and retaining the data to begin with? Like a clean desk policy at a bank, companies should be required to purge credit card details, most contact info, Driver's license numbers, SSNs, etc after a transaction is concluded. As soon as you decide to retain data, it will be broken into someday, and there ain't no Great Wall of China that's going to keep 'em out. Charging IT professionals criminally in this scenario is like charging overworked housecleaning staff with entropy violations.

  37. Re:Corporations are EVIL by all5n · · Score: 0

    You can always tell when you hit upon someone's real motives. To these people it is not a question of the law, but how the law may be manipulated to further a socialist agenda.

  38. There's a simple principle that covers this by Solandri · · Score: 1

    No taxation without representation.

    And its converse: No profit without responsibility.

    The latter also covers cases like Monsanto, which wants to profit from the wind blowing their GM seeds to other fields (sue the farmer for using the seeds without paying), but denies responsibility when those same seeds cause problems (contaminating the crops of organic farmers). If you want to be the beneficiary of a product or mechanism, then you must also be liable for any negative consequences of that product or mechanism.

    1. Re:There's a simple principle that covers this by David+Gerard · · Score: 1

      The whole point of exporting Intellectual Property through trade agreements and so on is to own the brains of the poorer countries - recolonise them without having to actually maintain force of arms there.

      I'm sure Rudyard Kipling would have called it "the corporate man's burden." It's for their own good, I'm sure.

      --
      http://rocknerd.co.uk
  39. Yes! by Anonymous Coward · · Score: 0

    This should rise to the same level as accounting fraud. Without regard to the details of the security breach, the various CxO's and the board of directors should be held to be ultimately responsible. In other business entity configurations, it should be the ownership group. Leaving this up to self-policing and even trade group policing just is not working. I don't believe the majority of organizations take infosec, and customer privacy in particular, nearly as seriously as they should and they won't until they are looking at spending some time in jail. I also feel that this responsibility should not be 'firewalled' by contractual agreements between firms, i.e. Company A contracts with Company 2 that loses the data. Company A's management/ownership should be on the hook just as Company 2's is.

  40. Where the buck should stop. by misterjava66 · · Score: 1

    RE: It's a slippery slope to be sure, but where should the buck stop?

    If someone steals something from me, whether held in trust for another or my property, and does something bad with said property, it is the STEALER who should be criminally punished.

    However, depending upon the arrangements with the owner, if I'm holding something in trust for another, I could see that other person should have a right to pursue me if I failed to protect the property in a reasonable manner.

  41. Nominal "crime": leaving the keys in the ignition by RobertB-DC · · Score: 3, Interesting

    In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, except to remind people that leaving your keys in the car invites theft. I certainly haven't heard of anyone being prosecuted for the "crime".

    Perhaps a similar nominal criminal sanction should be in place for the company that leaves the keys to my identity in their corporate "ignition"? The penalty would be a slap on the wrist, or less -- because a stiff penalty would lead to coverups. But the law would still be on the books.

    That would allow the bean counters to add an item on the balance sheet for "secure client data -- compliance required by law". That would carry more weight than "secure client data -- compliance with 'best practices' guidelines".

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  42. Criminal Charges? Yes... potentially. by forrie · · Score: 1

    I agree with a previous poster, new technologies are difficult to follow, etc. However, that's ultimately not a good excuse.

    If we begin to set standards, laws and consequences (that are enforced) then we'll see some change take place.

    Companies are less likely to go the extra mile, if they don't feel they are legally compelled to.

    Personally, if I were one of the unfortunate people whose identity was stolen, I'd be pretty angry at the negligence, talking to a lawyer and pursuing these companies.

  43. What the UK needs by David+Gerard · · Score: 1

    What the UK needs is for the government to get the bill for breaches ;-)

    Seriously, the Information Commissioner has actually served enforcement notices on the most incompetent departments and the Conservative opposition has called for prosecutions.

    --
    http://rocknerd.co.uk
    1. Re:What the UK needs by David+Gerard · · Score: 1

      Sorry, that first link is to a dupe in the firehose queue - the actual Slashdot story that ran on Friday is here.

      --
      http://rocknerd.co.uk
  44. Yes, without a doubt by PingXao · · Score: 1

    The vast majority of computer security "incidents" we hear about, and most of the ones we don't hear about, would never have taken place if this was the stance adopted 10 or 15 years ago. Not IT liability... corporate liability. Ultimately it's the corporate level where goals and policies are set and approved, and budget decisions reign supreme.

    If the first large-scale data security breach that happened to a retailer or a bank had been made into an example, we wouldn't be seeing what we see today.

  45. Most companies by SoulRider · · Score: 1

    have some sort of confidentiality agreement. If they do not live up to that agreement then they should be held liable. If they promise to keep my data confidential then it is their responsibility to implement the necessary security to actually keep that data confidential. I especially think hotels, car rental agencies, airlines or anyone else that requires that I transmit a cc number in some form or another, need to be audited and approved for security on a regular basis.

  46. Kill them all by blueZ3 · · Score: 1

    God will know His own

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  47. How about self regulation? by Anonymous Coward · · Score: 0

    Lawyers do it, Doctors do it, Engineers do it, We should do it too.

    We need a set of rules that the head of data security must live by for his job or else FIRED.

    Legal decisions are up to lawyers and judges who don't understand what we do and why we do it. That's just dumb. If we create our own rules that we must abide by first we get to decide on the rules, second we can rule/pass judgement on it, third we can enforce it as we see fit.

    No need for "laws" just rules we control and execute.

  48. No by holophrastic · · Score: 1

    There seems to be something being forgotten here. In any pure game of cat and mouse, the cat always wins. The game ends when the cat catches the mouse. There is no end-game scenario for the mouse "gets away". When it comes to securing something, physical or electronic, the game of cat and mouse becomes the game of cops and robbers.

    In any pure game of cops and robbers, the better funded group always wins. When it comes to physical property, robbers need to break locks, sneak in, sneak out, and escape capture. Furthermore, physical property can often be recaptured, and destroyed property can typically be repaid. But when it comes to electronic data like credit card numbers, there's no returning it once it's been exposed. There's no escaping or sneaking, or transport.

    Obviously, exposing people to criminal charges when a robber breaks into your home is incredibly stupid. But it's even worse if you go down the road of charging corporations when they are exposed to electronic theft.

    I think it's pretty fair to say that Ethan Hunt can steal anything from anyone. There's always some way to break in, or coerce someone on the inside. Right now, the only thieves willing to do so are those with experience, ability, and something to gain.

    Hmmm, break into my competitor's database, and my competitor goes down. Hmm, break into that other company's database, and their stock drops. It very quickly becomes worthwhile to do so. All you've done is add one more way for the criminal to benefit from the crime.

    So how about stiffer penalties for the criminal? The cause of theft is not opportunity, it's motive.

  49. The law of negligence is well developed. by dbc · · Score: 1

    And the concept of IT security negligence is little different from bank physical security or workplace safety negligence.

    If a bank is robbed, of course you go after the robbers. But if the robbers cleaned out your safety deposit box, and it is shown that the bank was failing to use best practices with respect to security, you have an action against the bank as well.

    If you suffer a workplace injury, and it can be shown that the company was not following safety regulations and requirements, then you can go after the company.

    Why is IT negligence different? If you aren't following known best practices, then that is quite simply the standard definition of negligence. "Did know, or as a professional should have known. Didn't do it anyway. BZZZT! Thank you for playing."

    Really, this is one place where the law developed over the past several hundred years applies perfectly to today's technology without much adjustment at all. It would be great if all technology law were such.

  50. Erm... we already do by jimicus · · Score: 4, Informative

    In the UK (and, I believe, Europe), anyway.

    The Data Protection Act briefly states:

    • Data may only be used for the specific purposes for which it was collected.
    • Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
    • Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
    • Personal information may be kept for no longer than is necessary.
    • Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
    • Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
    • Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

    It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.

    There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place...

    1. Re:Erm... we already do by icyandunapproachable · · Score: 1

      If anyone is ever "successfully prosecuted for not having inadequate security systems in place", I just...give up.

    2. Re:Erm... we already do by AliasMarlowe · · Score: 1

      ...

      There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place

      Well, I should hope not! They all seem to manage that part.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  51. Criminal? No, but disclosure / liability needed by QuasiEvil · · Score: 1

    I don't think criminal prosecution is the way to go. It's bad, but typically I'm not a fan of making incompetence in private matters criminal.

    What I do believe should happen is twofold:

    1) Any breach should come with mandatory disclosure and civil liability. Basically, we should be able to get a class action suit going for the time and effort necessary to change all of our card numbers, etc. in the event of a breach, plus costs for checking credit reports, etc. I'm sorry, but my credit card company changed my card number four times in a year on account of "breaches", and I could never find out who the hell it was. It's a sometimes expensive inconvenience when you're on a trip, don't get the notice, and suddenly your credit card stops working. Or the hours spent changing over all of your automatic bill payments. Considering I make around $70/hour when it's all said and done, my time cleaning up their mess is not cheap, and I expect to be able to bill them for it.

    2) If the credit card companies were smart, they'd levy serious increases in the fees they charge to process cards from any processor or retailer that causes a breach. Or, better yet, cut them off entirely from processing until they passed a rigorous security screening. The idea of losing potentially weeks of business due to your payment processing being cut off would definitely motivate better security.

    Basically, I don't see the need to bring in the slow, grinding wheels of the criminal justice system. A few adjustments to laws governing civil liability and disclosure requirements would very quickly make the industry adapt to much greater security.

  52. maybe the blame is a different corp by fred+fleenblat · · Score: 1

    What's a crime is that companies which issue credit cards, auto loans, mortgages, etc. will accept your name, SSN, and mother's maiden name as proof of identity.

    These items just aren't secrets anymore, so there's no reason for banks (etc.) to go on thinking that only the "real" John Smith would know them.

    Banks that lend out money in my name should be forced to absorb resultant losses themselves. Equifax and TransUnion should be targets for libel lawsuits when they ding your credit rating because of ID theft.

  53. Blame the companies by dave562 · · Score: 1

    The blame should be shifted to the companies who lose the data. Hopefully doing that will get them to question their procedures of collecting the data in the first place. What really needs to happen is a serious reform in the way credit is issued. It's one thing to have a data breach. The real problem comes in when that data is then used to open accounts. The financial institutions need to do a better job of identifying the people who are asking for credit. If a company wants to give me $10,000 worth of credit, they should pay the expense of having someone come to my address on file and have me sign something saying that I really want the credit.

  54. End Result by MozeeToby · · Score: 1

    Better than fining companies for security breaches, why not require a certain amount of security based on the type of data the business is collecting. Allow for periodic and random inspections and issue fines if the company isn't up to the required level. If theft occurs, a more detailed inspection is conducted until the cause of the theft is identified and fines can be issued if the theft should have been avoided by following the required security measures.

    This is essentially what would happen if you allowed fines and class action lawsuits with the current system. The difference is, the 'fines' would be replaced by insurance premiums. IT workers or departments would have insurance the same way doctors and investment advisors have malpractice insurance. The end result is the same: premiums would go down if you improved security or held less data. They would go up if your security was found lacking or you began tracking unnecessary information.

  55. Re:Nominal "crime": leaving the keys in the igniti by QuasiEvil · · Score: 1

    Wonder how that works if my car is started with a toggle switch because the real ignition switch went bad... Is it illegal to leave my toggle switch on the harness?

  56. Actually, the blame is on the Directors, not IT... by GuyverDH · · Score: 1

    As all decisions end up being their responsibility in the long run.

    Crap may run downhill, but legal responsibility runs uphill.

    At least in a world set in reality, that's how it should be...
    Of course, they'd claim "we didn't know" and try to weasel their way out of it....

    --
    Who is general failure, and why is he reading my hard drive?
  57. Negligence is not a criminal standard by Anonymous Coward · · Score: 0

    Negligence does not imply criminal culpability; gross negligence in some circumstances can involve criminal penalties, but to make negligent conduct a basis for penalizing computer security professionals criminally would discourage companies from making rational decisions regarding information security and discourage qualified individuals from entering the profession.

  58. Let's also remember something: by liquiddark · · Score: 1

    It is easy in the extreme to get sucked into an offer for work in an IT department that is, as it turns out, totally dysfunctional. Discovering the extent of dysfunction and extricating oneself from the situation can easily take a year. Do the browsers here seriously want to put themselves at risk of becoming criminally negligent every time they accept a job offer?

  59. You must be in management by loteck · · Score: 1

    What a complete non-answer. Your reliance on flimsy "necessary steps" is exactly why the industry is dealing with these problems right now. What is necessary? If I'm transporting disks with your data on them, does it have to be a secured armored vehicle, or is a lock box enough? Can the guy carrying it be a convicted felon, or a minimum wage security guard? If I have your data on my laptop, does it have to be encrypted? Is a 56-bit DES algo enough, or does it have to be the most modern encryption scheme available? Who sets these rules, and are they enforced only after data loss, or are there periodic audits?

    The credit card industry has identified similar problems of responsibility in its business process and implemented a standard that companies have to comply with if they want to avoid being responsible for major losses (PCI). A good example of private industry trying to solve a problem without government regulation (albeit setup mostly so the few credit card companies can push financial losses back down to the merchants and vendors).

  60. Rape: It's the woman's fault by mschuyler · · Score: 1

    Sure it is. She wore 'provocative' clothes that enticed the rapist to commit a crime he otherwise would not have committed had she worn more conservative attire. If she were wearing conservative attire and was raped anyway, she should not have been out in the street alone, or after dark, or in that neighborhood. If this were 'date rape,' then she shouldn't have dated this schmuck in the first place. Didn't she do 'due diligence' and check him out? If not, why not? If she didn't know all these things, then she SHOULD have known them. It is not as if she were never told. The tools to make her more secure have always been available. Did she have a whistle? No. Did she have mace? No. Did she have a gun? No. Doesn't she know judo? No. She ignored all the well known tools that have been available for years to make her secure and went out without a single one of them. Whose fault is that? It is her responsibility. And she certainly should not have made the ridiculous mistake of being a woman in the first place.

    Obviously she aided and abetted that crime and she should be charged for it to the fullest extent of the law. If there is no appropriate law on the books, we should make one. It's time to make these women accountable for the crimes they cause. These crimes WILL NOT go down until we stop looking at the symptoms and start addressing the root cause of rape in the first place: Women.

    --
    How about a moderation of -1 pedantic.
    1. Re:Rape: It's the woman's fault by Fulcrum+of+Evil · · Score: 1

      The company isn't the victim, the consumer is, so your analogy, while inflammatory, isn't accurate.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:Rape: It's the woman's fault by freedom_india · · Score: 1

      Typical pseudo-emotional response to change the tone of the discussion and to bury the original question.
      Much like the same tactic republicans take when questioned uncomfortably about Big Oil or Iraq failure.
      The question here is whether corporates should be criminally responsible for breach of privacy.
      There are two parts to it:
      1. A contract that a person has signed with another.
      2. The breach of contract which makes it a breach of trust.
      Result: Penalties payable determined based on past judgements, case involved, etc.
      Corporations always claim they have same rights as an individual. Agreed.
      If I sign a contract with a corporate and provide my private information to it under trust (which is what all contracts are), the corporate is bound to protect that trust. Failure to do so entails breaking the contract, which is illegal in some states outright, but debatable in others.
      If I provided my credit card details to a hotel waiter for swiping my card and she is careless in handling the same, thus allowing the information to be stolen, she is responsible criminally for deliberately doing so, even if that was not her intent.
      She is bound to be convicted, and sentenced either to jail or community service (paris-hilton-rich), and ordered to pay restitution.
      Since a corporate claims to be a person, its operating license can be suspended, its CEO jailed and convicted.
      And in your above example: if the woman happens to be a 26-yr old teacher taking "advantage" of a 16-yr old boy, she should be sentenced to 290 years in jail. (Same time a man serves).

      --
      "Doing what i can, with what i have." ~ Burt Gummer
  61. Breach of Contract? by Ambiguous+Coward · · Score: 1

    Don't most of these companies usually have you sign an agreement of some sort (I don't know if it constitutes a "contract," per se) which states something to the effect of, "(Company) will not share your data with other entities, barring partners of (Company)?" So, wouldn't providing your data to a non-partner, whether intentional or otherwise, constitute a breach of contract? (or agreement, or whatever.) I doubt any of these companies are going to claim the thief was acting in good faith. If they were to claim such a thing, they wouldn't have to disclose the theft, I imagine, and thusly we'd never hear of it...

    Just a thought. Of course, I would never expect such an argument to stand up in court, especially against a big corporation. Still, can anyone who doesn't have to use the IANAL disclaimer comment on this notion? :)

    -G

    --
    Their may be a grammatical error, misspeling, or evn a typo in this post.
  62. Not criminal... by eth1 · · Score: 1

    But I do think that if companies A, B, C, D, and E have all lost your information, and then some ID theft that costs you $100k is perpetrated with that information, that all of them should have to pitch in $20k to fix the problem (since you probably can't tell which company's breach is directly responsible).

    If they don't like it, they don't need to hold onto the information.

  63. over-reaction is easy by Benjamin_Wright · · Score: 1

    Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us
  64. Criminal Blame has a positive effect by Sunshinerat · · Score: 1

    I am hopeful that criminal blame in serious situations will make corporations think twice.
    As soon as keeping data on people becomes a liability, companies will start to reduce their 'people information' to a bare minimum.
    What we will see is that corporations will think twice about what information they keep and how they keep it.
    As soon as criminal blame comes into play, closing holes in the access to customer information will get a closer look by SOX auditors.

    It happens way too often that companies gather information they do not really need.
    I have no problem telling stores my zipcode for them to figure out where to build the next store (hopefully closer to my home); however, phone numbers, email addresses etc. are beyond me.
    Also, the reason why personal customer information needs to be in a non-secured location (i.e. laptop) remains questionable, maybe this is the only remedy to get some sense into the corporate world.

    I am hopeful that this will have a positive effect on mailing lists and other marketing related activities.

    --
    Load New Commander (Y/N)?
    1. Re:Criminal Blame has a positive effect by arminw · · Score: 1

      ....phone numbers, email addresses etc. are beyond me....

      Give these people a long ago used phone number and make up a special e-mail address just for this purpose. Giving out the phone number, even your real one, is not so much of a problem these days if you have caller ID. If you don't recognize the number of the caller, or the caller is obviously a telemarketer, just let the answering machine pick up the call. Most of the time they don't leave a message, and if they do the message is easily deleted. E-mails are also easily screened this way.

      --
      All theory is gray
    2. Re:Criminal Blame has a positive effect by anotherslashfan · · Score: 1

      I'm rather surprised that companies haven't taken the view that, with storage/maintenance of data, there are costs involved. Therefore, get rid of the data you don't need to help reduce your operational costs. Granted, they may feel that there is benefit to keeping/storing the data. But the cost vs. benefit may justify getting rid of it. With the liability and costs involved with maintaining and storage, we already have made the determination to treat data as a "hot potato". Get rid of it when it's no longer needed or get burned with the liabilities/costs associated with storing it.

  65. Re:Why companies and not individuals? by seanonymous · · Score: 1

    Why are people shielded from the law when they start a company? Find out who broke the law and punish that person. Penalizing a company just makes its customers have to pay more.

  66. Re:Nominal "crime": leaving the keys in the igniti by RobertB-DC · · Score: 1

    Maybe, maybe not, but I bet you'll have an "interesting" conversation with the friendly officer if you get pulled over for speeding!

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  67. Data Protection by Antony+T+Curtis · · Score: 3, Interesting

    The USA needs something like the Data Protection Act which the UK has... It gives individuals rights to access and correct data held about them and it mandates that organizations must take adequate steps to protect and secure the data. Failure to do so is a criminal offense.

    IANAL... If any of Best Western's compromised data details reservations at any of Best Western's hotels in the United Kingdom, they may have opened themselves up for prosecution under this law. All organizations and businesses in the UK which may store details on more than around 500 individuals must register and adhere to the DPA. I am sure that Best Western has had more than 500 customers in their UK operations!

    --
    No sig. Move along - nothing to see here.
  68. Place the blame on the PHB's they are the ones who by Joe+The+Dragon · · Score: 1

    Place the blame on the PHB's; they are the ones who control funding and put out job ads that cut out people who don't have 5 years with one small piece of software but are really good with the rest of the stuff that they need.

  69. There should be a security equivalent of SOX by DominicP · · Score: 1

    Sarbanes-Oxley mandates tracking, understanding and responsibility for financials. It should not be too difficult to define a standard set of practices that include yearly security reviews, updates and reports including recommendations by IT that must be signed off by corporate officers. If companies were forced to take this seriously by the threat of fines, and this information were visible to shareholders, they would be more likely to take it seriously.

  70. Memory Banks by Doc+Ruby · · Score: 1

    We should keep our personal data in "memory banks", which are the fewest possible storage places, to which anyone else accessing the data must go to get it. Let the memory bank store an Access Control List, too, of who can access whose personal data, and the credentials for each access transaction. Then, those who access it just have a reference to the master data, and their own login info.

    The memory bank spends its time and money protecting its data from getting cracked. It should be someplace with enough expertise and insurance that it can both protect from cracks, and pay to clean up the damage when it is inevitably cracked sometime, for some amount.

    In fact, a regular bank's network, or even an insurance corp, sounds like a good place for the master copy, because people already trust them with their life's savings. If people want to take over their own data records, so the pointers all point at their personal storage, that should be an option. But their own insurance and liability will probably be higher cost than if they let experts do it for them, like every other info transaction we depend on.

    --
    make install -not war
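    The "memory bank" described in comment 70 is essentially a data vault with reference tokens and an access control list. The following is an added illustration, not code from the thread or from any product: a toy vault in which the master record lives in one place, other parties hold only an opaque reference plus their own credential, every read is checked against a per-field ACL, and every access transaction (granted or refused) lands in an audit log. Class and method names, the hash-based credential check and the sample guest record are all constructed for the example.

```python
"""Added example: a toy "memory bank" (data vault) with opaque references,
a per-field ACL and an audit log. Nothing here is from the Slashdot thread;
all names and sample values are constructed for illustration."""
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    """Raised when an accessor is unknown, misauthenticated, or lacks a grant."""


class MemoryBank:
    def __init__(self):
        self._records = {}      # opaque reference -> {field: value}
        self._acl = {}          # (reference, accessor) -> set of readable fields
        self._credentials = {}  # accessor -> sha256(secret); secrets never stored
        self.audit = []         # one entry per access transaction

    def register_accessor(self, accessor: str) -> str:
        """Issue a per-party secret. Only its hash is kept, so a dump of the
        bank's tables does not hand out working credentials."""
        secret = secrets.token_hex(16)
        self._credentials[accessor] = hashlib.sha256(secret.encode()).hexdigest()
        return secret

    def deposit(self, record: dict) -> str:
        """Store a person's master record and return the opaque reference
        that other parties keep instead of the data itself."""
        ref = "ref-" + secrets.token_hex(8)
        self._records[ref] = dict(record)
        return ref

    def grant(self, ref: str, accessor: str, fields) -> None:
        """Authorise an accessor to read a named subset of one record's fields."""
        self._acl[(ref, accessor)] = set(fields)

    def _authenticate(self, accessor: str, secret: str) -> bool:
        expected = self._credentials.get(accessor)
        if expected is None:
            return False
        given = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(expected, given)  # constant-time compare

    def read(self, ref: str, accessor: str, secret: str, fields) -> dict:
        """An authenticated, logged transaction returning only granted fields."""
        wanted = set(fields)
        allowed = self._acl.get((ref, accessor), set())
        permitted = (self._authenticate(accessor, secret)
                     and ref in self._records
                     and wanted <= allowed)
        self.audit.append({"ref": ref, "accessor": accessor,
                           "fields": sorted(wanted), "granted": permitted})
        if not permitted:
            raise AccessDenied(f"{accessor} may not read {sorted(wanted)} of {ref}")
        return {f: self._records[ref][f] for f in wanted}


def demo() -> dict:
    """Constructed scenario: a hotel holds a reference to a guest's record
    and a grant for name and card token only; the SSN is never readable."""
    bank = MemoryBank()
    hotel_secret = bank.register_accessor("hotel")
    ref = bank.deposit({"name": "J. Doe", "ssn": "000-00-0000",
                        "card_token": "tok_constructed_1"})
    bank.grant(ref, "hotel", {"name", "card_token"})

    seen = bank.read(ref, "hotel", hotel_secret, ["name", "card_token"])
    denied = 0
    for accessor, secret, fields in (
            ("hotel", hotel_secret, ["ssn"]),        # field not in the grant
            ("hotel", "wrong-secret", ["name"]),     # bad credential
            ("stranger", hotel_secret, ["name"])):   # party never registered
        try:
            bank.read(ref, accessor, secret, fields)
        except AccessDenied:
            denied += 1
    return {"seen": seen, "denied": denied, "audit_entries": len(bank.audit)}


if __name__ == "__main__":
    print(demo())
```

    The point of the design is the one the comment makes: the hotel ends up holding a reference and a credential, not the guest's data, so a breach of the hotel's systems yields nothing without also defeating the vault's authentication and ACL, and the vault's audit log shows exactly which party asked for which fields.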

  71. this is outrageously silly by david_bonn · · Score: 1

    If you've got a laptop, what have you got on it? Probably you've got some kind of address book with phone numbers and physical addresses. You might have a pile of old e-mail stashed away somewhere -- that old email probably has a whole lot of personal information in it that isn't yours. You probably aren't maximally paranoid about securing that stuff either, since you are the only person using that laptop.

    Question is, are you a criminal if someone steals that laptop? Hell no.

    I'd also ask you to consider how diligent you'd be about informing everyone in your address book that your laptop is stolen.

  72. Real professionals get sued by plopez · · Score: 1

    If you are a real professional, you are personally liable for your work. Real Engineers, unlike "Software Engineers", administrators or programmers, can be sued for defective work. Once people can be sued, this makes them professionals who have to carry E&O insurance.

    Basically I don't think anything will change until this happens. At which time we will see many incompetents leave the field of IT.

    Criminal liability is only for people who break the law, not incompetents.

    --
    putting the 'B' in LGBTQ+
  73. Best Western Disputes the Extent of the Breach by Anonymous Coward · · Score: 0

    I don't know if there are any additional updates, but as of yesterday, Best Western is disputing the extent of the breach, saying it only affected some guests at one hotel, not millions. FWIW, link only for reference, got no dog in this fight, beyond this: stop giving out your important info, then it can't be stored or "lost" for whatever reason. Just say no to store clerks or utility clerks "demanding" your SSN. If you freely give away your data without putting up a squawk, don't be surprised if it isn't "your" data any more, because you just gave it away. As to computer security, there isn't any, people should just recognize that. At *best* there are some attempts at computer security. In the US, the only legal entities that can demand your SSN are state and federal authorities for various reasons, tax, getting a drivers license or professional license, etc., and they must state a reason, banks and brokerages, and employers AFTER you have been hired. Anyone else can ask for it, but you aren't required to give it out. They can possibly refuse you the service then, but that's a crapshoot. Usually when I get asked outside of the legal requirements I retort and demand to see their customer indemnification policy in writing if they suffer a data breach and my data gets compromised. That shuts them up, because they don't have one, at least I have never run into one with any utility or service or store. Just keep going upstream over the clerks or first manager's head, keep asking to see the same written guarantee that you will get paid something if they suffer a loss. They've always caved for me at that point, I get the service.

  74. Why treat the web differently? by perlchild · · Score: 1

    Right now, the law is pretty unclear about what happens if a company you give your information to loses it.
    But what about other crimes? If a company is caught in some scheme by, say, an employee, it has insurance. Those with good security practices have lower premiums.
    Let's just clarify the law, and let the cost of those security measures be borne by those who require keeping the information.

  75. Fifth Amendment kills that. by Ungrounded+Lightning · · Score: 2, Interesting

    Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

    And the famous part of the Fifth Amendment hits that head on:

    "... nor shall [any person] be compelled in any criminal case to be a witness against himself, ..."

    So it's not going to happen in the US. Give it up.

    = = = =

    The people harmed are easily identified. It makes more sense for this to be a civil matter, with heavy financial penalties being paid by the company to the victims of the identity theft, rather than into government coffers.

    If the government were to legislate or rule-make the penalties and/or automate the process in corporate regulations, rather than waiting for class action suits to lay the ground rules (and line the pockets of the litigating class while the victims get pennies), so much the better. (Assuming the legislators don't just write a slap-on-the-wrist preemption law for their corporate sponsors. B-( )

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Fifth Amendment kills that. by sm62704 · · Score: 1

      A corporation is not a person; well, it is, but it is a legal fiction that could be easily rectified if our legislators cared more about human beings. The fifth amendment should not apply to corporations, only to the people employed by the corporation.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Fifth Amendment kills that. by Ungrounded+Lightning · · Score: 1

      The fifth amendment should not apply to corporations, only to the people employed by the corporation.

      Criminal acts by corporations are also criminal acts of the decision makers who caused the criminal act to occur. In such cases the execs are also criminally liable. So the 5th applies to them.

      Also, when there are losses or damages as a result of criminal acts the "corporate veil" can be "pierced", putting the actors on the hook for the financial losses as well.

      Limiting liability to the corporate assets is thus the entire reason for corporations and their status as pseudo-persons. But that limit is not a license to commit crimes with immunity to retribution. So corporate officials have to stay squeaky-clean on criminal law or go to jail and/or have their assets seized. Note both Martha Stewart (a minor stock trading info and memory issue) and the officials of Enron (major embezzlement via "energy laundering".)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  76. yes, at the "C" level by swschrad · · Score: 1

    CEO, CFO, CTO, doesn't matter to me... but if a company officer is not responsible, the underlings can whine about not being able to implement best practices due to (budget, boogeyman, idiot cousin got the job, whatever you need, pick one) then it's not going to be taken seriously.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  77. Which is better: Windows or Linux? by MrNonchalant · · Score: 1

    Tune in next week for more foregone conclusions brought to you by Slashdot. Slashdot: If the answer isn't obvious, we don't post it! Airs Mondays 9et/7ct/6pc. Check local listings.

  78. hmmm.... by Anonymous Coward · · Score: 0

    Such corporate "responsibility" will only open up another sector in the insurance industry (for indemnification against such lawsuits) and destroy cottage industry.... The issue of data security goes much deeper than simply suing people (such a typical Americanised solution).

    The other point is that there is mention of "giving the data away", which is not the point of the cited news article involving Best Western, in which the data was _stolen_ through negligence.

    I guess a good analogy is that if I leave my car with a garage and it gets repaired, should I sue them for the loss? The difference here is that so many more people can be affected by the same situation when the internet is involved.

  79. Criminal no, big-bucks civil yes. by Ungrounded+Lightning · · Score: 1

    I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

    And the remedy for that is to make collecting the data and leaking it through substandard care in its handling a very costly thing for the company. Then the risk/reward ratio for protecting it will tend to sway upper management - and give the IT department a strong argument for the necessary budget to accomplish the work.

    Criminal penalties are the wrong way to create this incentive structure. Big-bucks civil penalties (payable to the people whose information is leaked), however, look like something that could do the job - and make a start on compensating the actual victims for the harm done to them.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Criminal no, big-bucks civil yes. by Ohrion · · Score: 1

      I wholeheartedly agree!

  80. Too Late by The+Monster · · Score: 1

    The BW response confirms what I have seen whenever something of which I have personal knowledge shows up in the news. They always get things wrong.

    There's an old saying: "A lie can make it halfway 'round the world before the truth can get its shoes tied." The 8 million (one year) figure will become carved in stone, and anyone who says otherwise will be "an apologist" for Best Western.

    FWIW, I stayed at a Best Western a month ago. The Bride of Monster booked our room with her credit card, so this is not a purely academic matter for me. We've already contacted our bank and suggested they find out exactly what the exposure is.

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

  81. Better to go after data storage itself. by fuzzyfuzzyfungus · · Score: 2, Interesting

    Attempting to legally define responsibility for "reasonable" security is a tricky one. You don't want a situation where corporate can, say, consistently shirk on security implementation, then hang the poor bastard who had to make the best of a bad job out to dry when the time comes (not that that would ever happen, no, definitely not, never). On the other hand, having a checklist of "OMG Industry Best Practice!!!1!~" ass-covering steps is pretty much writing the script for security theatre.

    I suspect that going after the type, quantity, and duration of data storage is a much more productive avenue. For any given commercial relationship, certain data storage will be necessary, for a certain amount of time. Not much we can do about that. Anything beyond that level, though, should be open to stiff liability in the event of a breach. You want the advantage of storing extra data? You take the risks, like it or shove off. The trouble (particularly bad in the US, though hardly good elsewhere) is that there is essentially nothing, other than the low and falling costs of storage, counterbalancing the desire to hoard as much customer (no, I'm not going to say "consumer") data as possible. Make anybody who stores more than the necessary minimum of data liable for damage caused by breach or inaccuracy and the problem should be considerably reduced.

    Even if the above seems, shall we say, unrealistic, there are some basic steps we should have taken ages ago. FFS, companies that have data stolen aren't even obligated to warn people in some jurisdictions! (See the ChoicePoint debacle a while back: they warned California customers, because the evil commie nanny state had the crazy idea that people ought to be warned when somebody fucks up and gives their data to criminals; but everybody else just had to puzzle it out.) That is absolutely insane.

  82. Sorry, wrong: by Ungrounded+Lightning · · Score: 1

    Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it.

    Harm comes even before the data is misused (or if this never occurs) because the people whose data was leaked now must take extra effort to protect and monitor their financial and other records. This has costs in both money and time that could be spent on more enjoyable pursuits. The added stress is also damaging, both to enjoyment of life and to physical health.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Sorry, wrong: by ScentCone · · Score: 1

      Harm comes even before the data is misused (or if this never occurs) because the people whose data was leaked now must take extra effort to protect and monitor their financial and other records. This has costs in both money and time that could be spent on more enjoyable pursuits. The added stress is also damaging, both to enjoyment of life and to physical health.

      But again... is it a crime, or just bad business? If no criminal picks up the data and does crime with it ... or even if that does happen, which crime has been committed, and how will you differentiate that from a million other mistakes that any employee might make, and which could then be said to be a crime?

      --
      Don't disappoint your bird dog. Go to the range.
  83. It's the responsibility of the people who created by erroneus · · Score: 3, Insightful

    It's the responsibility of the people who created this system that people cannot reasonably opt out of.

    With "drug laws" as they are, there are limits to the amount of cash anyone can carry without it potentially being seized by cops. You can't pay for everything in gold can you? With the majority of banks out there simply refusing to do business with you for not having a social security number, it is essentially impossible for people to exist in society without allowing your identity to be entered into various systems and databases. The credit and banking system has created this potential for abuse of our identities and it is the credit and banking system that should be held accountable for the abuse of the system that we are all but involuntarily required to be a participant in.

    Furthermore, since so many businesses feel it is in their interests to collect our information and put it at risk, they should also maintain responsibility for its abuse when it leaves their control. Once again, as a condition for doing business and ultimately for leading a "normal" mainstream life, we are essentially powerless to opt out and are otherwise defenseless and unable to protect ourselves from what may happen when mismanagement and abuse of our trust occurs.

    What a great system they have where they reap all the benefits and we burden all the risk? I think it's more appropriate that they bear the risk along with the benefit. If they want to have the benefit of collecting private information, they should bear the consequences when the information is abused as a result of their own abuse or negligence.

  84. Storing credit cards ... by kbahey · · Score: 3, Interesting

    Part of the issue is storing identifying information, the other issue is storing credit card info. There should be no excuse for storing credit card info.

    I was at Home Depot (Canada), returning something I bought earlier, and I reached for my wallet to give the guy the credit card to refund the item. He said, "Oh, we don't need that Sir, it is all stored in our system". I said: "You store credit card data on your computer?" He says: "Oh, we don't have access to it".

    The point is not the employees having access to it, but the data getting copied or stolen by criminals, such as the Best Western case.

    Some credit card gateways provide a token-based approach to recurring charges, such as monthly subscriptions, but it is not a standard that can be used everywhere with any card, and any merchant.

  85. Re:Nominal "crime": leaving the keys in the igniti by Ungrounded+Lightning · · Score: 3, Informative

    In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, ...

    It reduces car theft, thus reducing the load on law enforcement and insurance rates. It also makes it harder to steal getaway cars and increases the likelihood of catching the perps before they do something like rob a bank, reducing that victimization.

    Or at least that's the sort of theory I'd expect to be behind the rule.

    (At least one rural western state has had a requirement that any gun carried in a car must be loaded - so it can be used by the driver to defend against its own theft. They'd had a lot of trouble with walkaways from prison jacking Good Samaritans who rescued them in the desert.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  86. [Citation needed] by jabithew · · Score: 2, Insightful

    The thing is, the corporations are deemed too valuable to be punished. THIS is what should change.

    Seriously, what the hell? Consider the HSWA (1974), the Environmental Protection Act (1990) and the Data Protection Act (1998), all of which carry the possibility of fines and a jail term if breached?

    --
    All intents and purposes. Not intensive purposes.
  87. What about software vendors? by Ungrounded+Lightning · · Score: 1

    While we're at it, why let the manufacturers of buggy commercial software off the hook?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  88. Re:Nominal "crime": leaving the keys in the igniti by baggins2001 · · Score: 1

    It's mainly so that insurance companies don't have to pay, if someone steals your car when you leave the keys in it.

    --
    He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
  89. Yes, they should. by Anonymous Coward · · Score: 0

    Next question please?

  90. Consequences a must by wshwe · · Score: 2, Insightful

    Companies will only stop allowing mass identity theft if there are definite consequences for their failures.

  91. The real question by Anonymous Coward · · Score: 1, Insightful

    The real question is, who in the company do you punish? Responsibility could lie with management, IT personnel, the end user, or any combination thereof, and once the cat is out of the bag, they will all point the finger at each other (and management will happily fire IT personnel or the end user to deflect blame). How do you determine who to drop the hammer on?

  92. Hold the police responsible first by Anonymous Coward · · Score: 1, Interesting

    I'll tell you what... Before you make a decision on whether companies should be responsible for theft of their information, make the police responsible for murders that occur on their watch.

    No really, I'm not kidding. What surprises many people is that the motto, "To Protect and Serve" is just that, a motto. Police have NO duty to stop a crime in progress, only to execute the law by arresting those who have committed the crime whenever it's convenient. A good example is someone who is either in witness protection or perhaps has a patrol car stationed at their house if they are a testifying witness. Despite the assurance that you are "protected" they can't be sued or held liable for failing to do so.

    It seems silly to hold a corporate entity to a higher standard than our own police forces. Sure, hold them liable for pure negligence, like creating a webpage that lists their customers' names, SSNs and CC numbers, but for pure theft no way.

  93. Civil vs Criminal? The semantics of should/must... by NetSettler · · Score: 2, Insightful

    This would be a great civil class action case, but criminal? ...

    When I was doing standards work, I was introduced to the notion that only "must" and "shall" (i.e., imperative words) mean something you have to do. Words like "should" are really synonymous with "don't really have to at all" in standards lingo. They just mean you have to answer for something in words when someone calls you on it, but ultimately that no one can force you.

    So too the real difference between civil and criminal is that civil means you can buy your way out of doing the wrong thing and criminal means you really have to do the right thing. So people can choose.

    Asking whether civil or criminal law applies isn't the thing to do. The thing to do is to ask whether this is really something that has to be done or whether it's ok to just let people do the wrong thing and then occasionally pay a fine. If you don't mind having your identity stolen and you think maybe courts will operate efficiently in your favor to reimburse you with extra dollars to spare for your trouble whenever it happens, you definitely want the civil penalty approach. Or if you have a magic way to have the problem not happen to you and you just don't care that it happens to someone else who is in the unfortunate set that you have excluded yourself from. But otherwise, I see no option other than to say criminal.

    That doesn't mean I think criminal law should be retroactively applied. It just means I think business people take very seriously the criminal law, and that if this is on that level of magnitude, then that's the approach. But I'd decide first just the question of whether this is a "should" or a "must". The rest will just follow from that. Present attitudes in business tell you businesses think it's a "should" (meaning "don't really have to at all"). The question is, does the public agree? For the public to establish "civil penalties only" is, I suspect, the same as saying the public agrees it's a "should"--a mere cost to be managed, often after-the-fact.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

  94. Well, did they? by Moraelin · · Score: 1

    At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.

    Agreed, but... well, did they? Invariably every single one of these cases I hear about involves some variant of

    - idiot marketer or salesman is given a copy of the whole fucking customer database on a laptop, he loses the laptop

    - idiot boss gives some contractor a copy of the customer database (or recently in the UK, the prison population database) on a USB stick, he loses it

    - idiot puts a copy of the whole customer database on an unsecured web server so he can download it from home, thinks that it being in a "secret" directory is actually security (especially in the dot-com days this was the #1 failure mode, but it's not entirely dead yet)

    - the infamous AOL failure mode, "OMG, Google is eating our lunch, someone plz code a Google killer. Here's our customers' search strings as RL data to work with."

    Etc.

    I'm sorry, but that does _not_ qualify as taking the necessary steps. Not even as trying.

    What I see is some idiots trying to circumvent security for the sake of a few extra bucks ('cause that salesman might impress a customer with a sharply drawn chart) or to save a few bucks in costs (e.g., so they don't have to get an extra desk for that contractor.) It's plain old greed.

    And I still think that we see a variant of the old, "bad money pushes good money off the market". Only this time with companies. The pricks who save a few bucks or earn an extra few bucks by being cavalier with your data get to undercut and push those off the market who do the right thing. Until we slap some penalties on them that actually reverse that situation, it _will_ keep happening.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  95. Which IT person would you blame? by LtTickles · · Score: 2, Insightful

    Seriously, having worked in IT Security for some time and done numerous "compliance" projects, I can tell you compliance takes time and costs money. Too many times I have been told "we just don't have the money for that this year." Corporations commonly engage in the 'risk' game where they risk it for as long as they can. Until the bank stops taking their credit cards (in the case of PCI Compliance) or there is an actual public breach - the risk is quite low. I'm not against criminal charges but they should be levied on a corporate officer and not the rank and file IT person. This person has zero responsibility for the financial decisions required to keep data safe. I make recommendations until I am blue in the face but until management realizes the risk to them - they won't touch it with someone else's ten foot pole.

  96. Data Loss Insurance by CopaceticOpus · · Score: 2, Insightful

    Wouldn't this lead to all companies needing to purchase a data loss insurance policy, much like doctors need malpractice insurance? The end result would be richer lawyers and insurance companies, more wasted time in court, and companies not needing to change because they have insurance.

    I do think these companies need to be held responsible, but I think that they are already afraid of the PR hit from losing data, and their IT managers should already be afraid for their jobs if a data breach occurs. I really doubt that this sort of law is going to help.

  97. again... ffs by Anonymous Coward · · Score: 0

    I've had my personal data lost for me by my ISP twice! And nothing happened to the companies. My partner had her info collected by Best Western, and was on the discs lost by HMRC.

    No one should get away with anything like this - and companies should be fined heavily. There is no need for a lot of these details to be moved around or even stored - my partner's details were merely used to sign in in case we damaged anything, the room being paid for by a local authority.

    It would be a tough thing to try and punish a company for, but if you remember the little people getting shafted who may not have had much to begin with - it's a crime plain and simple.

  98. Risk management by ppanon · · Score: 2, Interesting

    Criminal blame won't make a difference unless it automatically applies at the top corporate level. Otherwise, lower-level grunts will be served up as sacrificial lambs. The only method that can be used to justify to management having appropriate security expenditure is to attach a solid price tag to bad security practices to offset the price tag of good practices. That means large and immediate monetary penalties for loss of information (indexed for inflation of course). That way management won't decide to risk fighting any class-action lawsuits for 10 years until they can retire, leaving their successors to deal with the mess. If you can lay out to management "You have 100,000 accounts, and a security breach is going to cost you $X and your current practices have a high chance of a security breach in the next few years", it's a lot more concrete than if I talk about the historic average cost of security breaches in unrelated industries (based on contacting stakeholders, PR, etc., after a breach). Put a solid price tag on it and companies will either adjust, or go under faster and prevent further loss of client information due to continued poor practices.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  99. IT negligence? by Anonymous Coward · · Score: 1, Interesting

    "IT negligence" as suggested by the summary is caused by Management's "head in the sand" tactics.

    There've been a number of times over the years where I've raised security issues about an existing system, or even a proposed system, and been beaten down by Management because it would cost too much or take too long to fix it. They prefer to not "spend money frivolously" and instead gamble that the problem will never be exploited.

    I'm sure this is a common issue throughout the industry... fine Management or send them to jail if IT can show an e-mail or other evidence where Management have refused to act on something.

  100. What is Identity Theft? by cdrguru · · Score: 3, Interesting

    Well, according to the FBI, this includes all forms of credit card fraud. This is mostly why "identity theft" is getting so much attention and seems to be growing by leaps and bounds.

    I have been subjected to credit card fraud many times, as have many people I have known. I have yet to meet anyone that has experienced any loss, even the supposed $50 that you might be liable for. Zero loss, get a new card and move on. Sometimes a minor hassle.

    The sort of "identity theft" that most people associate with the term is where someone obtains credit under false pretenses. I don't know what the actual incidence of this is and because of the FBI combining it with credit card fraud, we will probably never know the true impact of this. What I want to know is how often this is really happening and has anyone, ever, been a victim of something beyond credit card fraud because of one of these disclosures.

    I don't see any point to trying to make a bigger deal out of it if there have in fact been zero occurrences where this information has been used to someone's detriment.

  101. why even use laptops? use Citrix terminals by Anonymous Coward · · Score: 2, Interesting

    How about it's illegal for a company to put that sort of data onto a laptop?

    Why do many of these people even need laptops? They work in a cubicle/office sitting down. They then go home and work at a desk sitting down. Set up two RDesktop terminals: one on the corporate LAN, and one that VPNs in.

    You get exact same work environment and your data is safe on the server, with everything being encrypted with AES.

    Data is compromised only when the person's account information is stolen (stealing the dumb terminal doesn't even help you).

    For some people this won't work because of the ego trip involved in getting a laptop (and some people do actually need laptops), but others will appreciate the fact that they don't have to lug this thing around.

    And if you can standardize on a particular model of unit you can perhaps throw in smart card logins.

    1. Re:why even use laptops? use Citrix terminals by nine-times · · Score: 1

      For some people this won't work because of the ego trip involved in getting a laptop (and some people do actually need laptops), but others will appreciate the fact that they don't have to lug this thing around.

      Well also there's arguably the problem of trying to work on these records in an environment that doesn't include Internet access. On the other hand, I would really wonder whether people really need external access to this sort of information at all. I find it difficult to think of any valid use of my social security number that would make sense for a worker to be accessing it from home.

    2. Re:why even use laptops? use Citrix terminals by nine-times · · Score: 1

      Well, yeah, that was part of my point. It seems like it should be rare that that sort of information needs to be pulled out at all. But even when you did need an identifier, it should usually be good enough to have a different id for that application alone which can be referenced back to a name and SSN later. (I don't think they should usually need to pull names or any other personally-identifiable information.)

      You can't say for sure without knowing the actual situation, but it seems like most often this sort of thing comes about because of pure carelessness.
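As an added example (not code from any of the posters), here is a minimal tokenisation vault of the kind the "token-based approach" in comment 84 refers to, which also produces the application-specific surrogate id that can be referred back to an SSN later, as described in the reply just above. The vault service, its key, and the sample card number and SSN are all constructed for the example; a real deployment would run the vault as a separate service with its own storage.

```python
"""Tokenisation vault: the merchant keeps an opaque token plus the last four
digits; the token -> identifier mapping exists only inside the vault, behind a
separate trust boundary, so a stolen copy of the merchant database yields no
card numbers (or SSNs).  In-memory dictionaries stand in for the vault's store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used only to reject typos before tokenising."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping from surrogate tokens back to real identifiers."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key               # constructed key for the keyed fingerprint
        self._by_token: dict[str, str] = {}
        self._by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, identifier: str) -> str:
        # Keyed hash so the same identifier maps to the same token (needed for
        # recurring billing) without storing a plain hash that could be
        # brute-forced offline over the small space of possible card numbers.
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, kind: str, identifier: str) -> str:
        fp = self._fingerprint(identifier)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Random token: carries no information about the identifier, so it
        # cannot be inverted without access to the vault itself.
        token = f"tok_{kind}_{secrets.token_hex(16)}"
        self._by_token[token] = identifier
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor / authorised resolver may call this."""
        return self._by_token[token]        # KeyError for unknown tokens


@dataclass(frozen=True)
class MerchantCardRecord:
    """Everything the merchant database is allowed to hold about a card."""
    token: str
    last4: str
    expiry: str


def normalise_pan(value: str) -> str:
    return "".join(c for c in value if c.isdigit())


def store_card_for_recurring(vault: TokenVault, pan: str, expiry: str) -> MerchantCardRecord:
    pan = normalise_pan(pan)
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    return MerchantCardRecord(token=vault.tokenize("card", pan), last4=pan[-4:], expiry=expiry)


def charge_recurring(vault: TokenVault, record: MerchantCardRecord, amount_cents: int) -> dict:
    """Simulated processor-side charge: the PAN is resolved inside the vault
    boundary and never handed back to the merchant."""
    pan = vault.detokenize(record.token)
    return {"approved": luhn_ok(pan), "amount_cents": amount_cents, "last4": pan[-4:]}


def merchant_dump_contains(records, identifier: str) -> bool:
    """Model a stolen copy of the merchant table: does it reveal the identifier?"""
    dump = repr(records)
    return identifier in dump or normalise_pan(identifier) in dump


if __name__ == "__main__":
    vault = TokenVault(b"constructed-vault-key")
    rec = store_card_for_recurring(vault, "4111 1111 1111 1111", "12/30")   # constructed test PAN
    print(rec, charge_recurring(vault, rec, 999))
    print("dump leaks PAN:", merchant_dump_contains([rec], "4111 1111 1111 1111"))
    print("surrogate id for constructed SSN:", vault.tokenize("ssn", "123-45-6789"))
```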

  102. Of course they should. by Annoid · · Score: 0

    If a company permits a breach of a customer's personal info, each individual customer should be entitled to sue the living snot out of the lax company.

  103. Negligence by BountyX · · Score: 1

    Should be brought up on negligence charges if they fail to implement proper security systems, encrypted backups, or basic info "storage" standards.

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...
  104. Example: the Netherlands by Anonymous Coward · · Score: 0

    In the Netherlands there are about 90E6 unique social security numbers, which contain no information whatsoever (no birthdate, etc.). Its population is 16E6 people. Therefore in theory, based on a life expectancy of 80 years, you would expect a reissuing cycle of 450 years. Although in practice, I figure they will add a digit when the numbers get in short supply. I base this on the fact that there used to be numbers of 8 digits (but that was before a change of system) and I've seen mention of 10 digit numbers in some documents. Of course, that would violate the principle that the number shouldn't contain information, because the number of digits would be a (very bad) estimator for your age, but a lot of records tied to your social security number are kept after your death, so I don't think they'll have a choice. Anyway, the Netherlands have only been doing this for 20 years now, so they shouldn't be in a hurry.

  105. I think it's clear who is to blame. by Anonymous Coward · · Score: 2, Insightful

    Oh for fuck's sake. If you're going to blame anyone, how about blaming the people responsible?

    Some jackass shows up at a bank, gives my name and social security number, gets a loan, and then the bank harasses me for their money. Sounds like the bank is the one to blame. They're the dumbasses who didn't adequately determine who they were dealing with, and they're the ones who sought to ruin me financially by trying to collect money I didn't owe them.

    The problem isn't that companies are leaking my social security number, the problem is that I can't tell everyone my social security number because a lot of dumbass companies assume it to be a PIN number and will make my life hell if anyone else happens to know it.

  106. SSNs do not get "recycled" by Anonymous Coward · · Score: 0

    SSN's are horrible primary keys since they REPEAT!!!

    Citation needed. Badly. I've occasionally read about SSNs, and every document says that they are never reused. Occasionally, it will happen that two people with similar birthdays will be assigned the same SSN, but that is an uncommon mistake that SS attempts to fix, by assigning one or each of those people a new SSN.

    1. Re:SSNs do not get "recycled" by Foofoobar · · Score: 2, Informative

      True. I just reread the SSA standings thanks to your comment. My original basis was due to their numbering scheme; the first 3 digits of an SSN are a regional code, the second two are a grouping number and the last 4 are the serial number (this is your actual number). Based on that, the logic was that given living and dead persons, since the original creation of the SSN system, they would have had to reassign to stay within the regional assignment system. But according to the SSA, they admit to fudging on regional so as to avoid reassigning; if one regional code is full, they just start assigning you to another regional code. So if the regional code of New York is all out of SSNs, they'll just assign you to New Jersey.

      --
      This is my sig. There are many like it but this one is mine.
  107. It would have financial impact, no question by weston · · Score: 1

    Sarbanes-Oxley has already wreaked havoc on the business world.

    Have the costs of having to do better accounting and do better data warehousing really been crippling and/or provided no other return beyond compliance?

    Extending culpability for data breaches to criminal prosecution would be even more destructive in terms of the changes and security costs involved in protecting the company from financial damages in the event of a data breach.

    Exactly. This is 100% intentional, but it's not because the people who've conceived it are anti-business communists, it's because they realize that markets aren't magical elves. In this case, markets aren't really seeing the cost of data security -- or rather, the costs of poor data security practices are externalized from businesses who don't engage in it across their customer bases. Legally recognizing an obligation to protect customer data and connecting it with a cost structure means the market can start to value it.

    I really don't see anything wrong with this.... except one big honkin' problem: most business entities are going to have as hard a time as your average consumer determining whether or not they've got good security. It takes a data security expert to know a data security expert. Businesses with no genuine security seed talent will be pretty much flying blind with regard to their liability until something bad happens to show them they've got a problem.

    1. Re:It would have financial impact, no question by zappepcs · · Score: 1

      I have to tell you I'm insulted, as are my magical elven friends. Your last paragraph nails the problem in one simple effort. Even those black hat guys are not good at this kind of security. Most data breaches are due to human error. The cost of training your entire workforce, and changing security policies, rewriting code where needed is NOT insignificant. Most of the SarBox compliance efforts I've seen are bandaids, not tourniquets.

      The world IS flying blind, there is no guessing to that and criminal prosecution will not make it better, only education will... and of course the ubiquitous financial incentive. In the end, we'll end up with some way for corporate entities to end up looking righteous while they fire employees in the background and apologize through lying teeth about the data breach.

      Only when the CxO is held liable for prison time will things change. That is the kind of motivation that changes budgets. Nonetheless, mark my words, it will be costly for any of several reasons:

      1 - No one is exactly sure how to prevent a data breach, only how to prevent those that are known.
      2 - Fighting data loss is like fighting terrorists that are not actively attacking you.
      3 - Nobody really listens to blackhats
      4 - What a blackhat tells you is a breach vulnerability is something that will "never happen here"
      5 - Once there is prison time for the CxO, no employee will be able to own a USB thumb drive without a background check. The reaction will be like the 9/11 crap that the US government pulled on all citizens, but with the added value of being able to fire you for owning a thumb drive.
      6 - real security is not cheap or convenient. To mitigate this, employees will be blamed.

      I could go on, but we all know this song, or should. Good luck with that is all I have to say.

  108. Re:Civil vs Criminal? The semantics of should/must by arminw · · Score: 1

    ...I see no option other than to say criminal...

    So now you want to increase the prison population by another quantum jump? The US already has one of the highest prison populations per capita of any nation on earth. Why is this? Is it that Americans are basically more evil than others? Is it that our society has criminalized many actions that others do not? How many people are sitting behind bars today, because they were merely in possession of a substance or an object? People should be held accountable for what bad things they DO, not what they have.

    In order to commit identity fraud, it takes two actors. One of them is the fraudster who impersonates someone else. The other actor is a financial institution or merchant who does not diligently check whether the information given is truly connected to the person giving that information. This second actor should be held responsible to bear the entire cost of the fraud. If that were the case, these people would make sure that the person they are giving money to or rendering a service for is really, for sure 100%, legitimate. With such a system, these institutions would have a strong incentive to carefully balance the costs of such security checking with the costs of possible fraud.

    As it is now, the person legitimately connected to the information that the fraudster supplied is usually left holding the bag and taking the loss. A careful check of the information at the point where fraud might occur would be much more effective than a Herculean effort to protect every bit of information.

    Just as in the physical world, we make the receiver of stolen goods a partner in crime, so also we could in the informational world. At the very least, even if not accused of a crime, someone who obtains stolen property may have to give it up to the rightful owner.

    In the same way, a financial institution or anyone else who gives away money or services on the basis of stolen information should at least bear the loss.

    --
    All theory is gray
  109. A good place to start is data breach reporting by jonwil · · Score: 1

    A new law is needed that forces companies to disclose (to the affected customers at a minimum) any time that data breaches have occurred. This then allows people to e.g. check their credit card statements more carefully in case their CC# has been used by whoever hacked the database or whatever.

  110. Civil vs Criminal, and prison populations by NetSettler · · Score: 1

    So now you want to increase the prison population by another quantum jump? The US already has one of the highest prison populations per capita of any nation on earth. Why is this?

    Heh. You ask the question and then you lead the answer a certain direction that seems to suit you. Let me suggest another that perhaps either didn't occur to you or doesn't suit you as well:

    The reason we have a high prison population is that we have two classes: the imprisonable and the rich. And the criminal laws are made by the rich, not the imprisonable, to apply to what I'm sure they view as the lesser classes ... If the people making the laws are confident they won't be affected by the laws (not because they don't plan to violate them, but because they plan to buy their way out if they do), then they don't mind making stupid laws that overfill the prisons.

    I don't do drugs. Never even tried 'em. Never would advise anyone to. But I'm still no fan of the war on drugs. It seems a foolish way to drive up the price of drugs, feeding money to the underworld, making addicts need to rob more money than they'd have to otherwise just to feed a habit, robbing the government of legitimate tax revenue, and, yes, overfilling prisons. So if you're looking for space in the prisons, I'd swap some of the marijuana users right out of there and happily fill the prisons with someone from the elite class who was warned to safeguard someone's data but didn't. (Note: Not retroactively applying new laws. Post the new rules. Give people time to convert over. But then hold them to doing the right thing going forward.)

    This second actor should be held responsible to bear the entire cost of the fraud.

    The crime of failing to safeguard someone else's identity can have dire consequences that go beyond those affected...

    What if I were on my way to visit a sick relative when I fell victim to identity theft? What if by the time my credit cards got unlocked, the relative was dead? How am I reimbursed for losing that time together? What if the relative died because I didn't reach them?

    What if I were trying to make it big in business and needed the money then. What if by the time I got the money, my business opportunity was lost?

    How does one really reimburse these things? What kind of attitude is it to say that as long as it gets paid back later, it's ok?

    All making a company pay can do is ultimately recover money, and usually not all of it. Lawyers fees get lost along the way. And lots of time is lost that is not billable, going to visit lawyers and courts, fretting generally, etc. Some people can't be bothered to pursue things. Some don't know how. Some are intimidated out of their share. It is simply not the same.

    The problem with the world today is that certain people don't fear things any more. They've studied the system and figured out how they can work it. And so they are without shame in how they exploit it. Restoring a bit of healthy fear for actions that really should never happen is not a bad thing. That doesn't mean that the government doesn't menace people for the wrong reasons. It means that you have to make sure the rules are the right ones. I feel more comfortable saying that businesses should safeguard data on pain of criminal penalty than I feel telling someone they can't smoke marijuana on pain of criminal penalty though.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

    1. Re:Civil vs Criminal, and prison populations by arminw · · Score: 1

      ...I feel more comfortable saying that businesses should safeguard data ...

      I would feel more comfortable in saying that financial institutions such as banks and merchants should be more diligent in checking whether the identifying information supplied really belongs to the person desiring money or goods. In a transaction over a certain value, biometric information could be used. In a credit card transaction for example, if that credit card number has in the past only been associated with small transactions, say up to a few hundred dollars, a merchant or bank might verify the person with biometric information, if there is a request for an unusually high-value transaction. This verifying biometric data should be kept well away and separate from the normal everyday user data.

Whatever added security is implemented in the system should be done at the transaction level, not the information level. The question really is whether the person requesting a particular transaction is truly entitled to do so.

In a sense, identity theft is a misnomer. Your name, your address, your phone number and other information about you is public in the sense that you have to give it to anybody who you do business with. It cannot really be stolen. What can be done, however, if someone impersonates you and uses your information, is to make the receiver of that information much more diligent in determining whether the person giving that information and the information itself truly go together.

      We do this in many areas at the physical level already. When someone brings in a valuable item to a reputable pawn shop, they make some effort to ascertain that this item has not been reported stolen, or that the person bringing it in is the true owner.

      I agree with you on your expressed sentiments on drugs.

      --
      All theory is gray
  111. Not on IT by Anonymous Coward · · Score: 1, Insightful

There should be a stiff fine for the company. An incentive to think hard about security. Blaming IT is not good. It's actually wrong. Is IT responsible for decision making in IT? RARELY! Management usually insists on decision making, and very often makes really really poor decisions. They then make IT suffer from their bad decisions: "We picked it, you fix it!" Management at TJ Maxx picked the security method. A management lackey was in charge of security. He didn't know any better, wasn't qualified, but was the boss anyway. Blaming an IT staffer for his bungling and incompetence doesn't prevent problems (stupidity will continue, because the stupid will go unpunished). The company must be fined. Heavily. It will at least make the incompetent think twice before failing to listen to advice.

  112. Criminal charges on the VICTIM?!?! by suck_burners_rice · · Score: 2, Interesting

That makes NO sense! I know that theoretically it's the company's responsibility to secure the data, but if some 1337z h4x04z figure out some crazy way into the system, then why should the company's top people face criminal charges? If you don't want to risk your information getting stolen, then don't give it to anyone. The company is also a victim in this case. Charging the victim is like this: You have bars on your windows and locks on your door. One night, a burglar busts in somehow and jacks your PS3. You get charged with a crime. Does that make sense? No. And neither does this.

    --
    McCain/Palin '08. Now THAT's hope and change!
  113. Jailtime is difficult. by rew · · Score: 2, Interesting

    If you try to jail the CEO, he will say it's the CTO's job to secure the systems. He in turn blames the head-of-IT-ops, who in turn blames the lonely sysop. So who's going to jail? All of them? The top? The bottom?

    If YOU do something bad, YOU have to pay the price. We've got several gradations here: pay a fine, go to jail, both in different amounts.

    If a company does something bad, what can we do to make it pay? Well, exactly that: Make it pay.

Now, if YOU know that a fine for XYZ is $1, and it's easier for you to do XYZ than something else, then you'll easily do XYZ. Besides the fact that the chances of getting caught are usually small, the fine is such that you can easily pay up. If you have to pay $10000 as the fine, most of us will think twice, and be really careful.

    In the case of a big company, $10000 is nothing. So fines you put on companies should be proportional to their size. Faking profits or losses is easy. So it should be proportional to their turnover.

    Here in Europe, MicroSoft got fined EUR 1 billion for ignoring antitrust laws. This is an amount that even a company like MicroSoft feels.

    With several situations, legally someone is responsible. But after they have "paid" in whatever way that is, they might then be able to hold someone else responsible. For example, if I buy a stereo here in The Netherlands, I've got warranty service from the shop. They can claim: "factory warranty: 1 year" all they want, but the law gives me the right to ask the shop to fix problems in the product during a "reasonable time" no matter what they claim. (i.e. warranty: 1 week will not work either!).

So, if a company pays a fine, and finds that this is evidently the fault of a certain employee, they can sue that employee afterwards.

The problem of scale then kicks in. If the company pays a $1M fine, but this is evidently the fault of precisely one employee (say he was told not to do X, but he did so anyway, finding clever ways to escape the regular checks of the company to see if he was complying with the order), then how can that single employee pay the $1M "damages" to the company?

  114. Sue! by Anonymous Coward · · Score: 1, Interesting

    This strikes me as one of the few times when it makes sense for the customer to sue the crap out of the company that lost the data. Sue for every penny you can get so that companies start to take notice of this and do their due diligence to protect that data. I'm surprised no lawyer has gone class action with one of these lost data incidents.
    For years now I have largely refused to sign on digital signature pads because they tell me *absolutely* *NOTHING* about what happens to my signature. I suspect in most cases it's sitting on an unsecured, unencrypted server with my CC# and other transaction info. My CC# and signature are enough for an enterprising hacker to create a card and have a LOT of fun at my expense (partially my expense, anyway). A physical signature (as opposed to digital) has physical security around it (safe, locked store, etc.). I can't assume any security with a digitally captured signature, UNLESS THEY TELL ME WHAT THAT SECURITY IS.

  115. Software Licenses by Anonymous Coward · · Score: 0

    If you begin to hold these companies accountable then do you also have to hold the people that made the software with the holes in it accountable? Slippery slope indeed. I think the best thing is to hold the criminals accountable.

  116. It is fun to think about by Larryish · · Score: 1

    It is fun to think about corporate types getting reamed over stuff like this, but as many have already pointed out, the little guy is always the one who gets the shaft.

    How about stiff fines for companies that do not disclose breaches within a short period of time? Possibly 48 or 72 hours, to give the I.T. staff time to properly evaluate the situation?

    You know that if some sort of criminal charges came from a security breach, it wouldn't be CEOs and CIOs going down. It would be us.

  117. I'm surprised by lack of class-action lawsuits by peter303 · · Score: 1

    This seems like a pot-of-gold waiting to happen for lawyers. It's blatant, harmful negligence by some well-off companies. And customers are suffering from identity theft or fear of it.

  118. YES ! by Anonymous Coward · · Score: 0

    How on EARTH these corporate jackasses get away with this stuff is beyond me.

    They send crap mail to my mail box and my neighbors and their thug kids rifle through it and take my mail, sell it to whomever will give them a few bucks so they can buy more dope and you see the problem.

    The ONLY people, these days, that are paying for the crime are the innocent victims. The mere fact that I have a credit card with some bank and do business with it does not give anyone the right to sell, loan, borrow, use - whatever - MY INFORMATION. This data should be destroyed immediately after the transaction ages to a certain point.

    At no time should I have to purchase "LifeLock" bullshit. I shouldn't have to pay for that crap. Best Western, in this case, should have to pay damages to each person on the list.

    When the corporate CEO do-nothings begin to realize that they'll have to open their precious wallets and pay money for their mistakes, then and only then will you begin to see a reduction in ID theft.

  121. Existing law already covers this, and well. by Chris+G+in+D.C. · · Score: 1

    Nothing to see here, move along.