Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches does not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

Not IT, but business

[Ohrion]

I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.

Re:Criminal Charges?

[blindd0t]

That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it.

Chargebacks (card holders disputing charges with their credit card company) are good incentive. Ultimately, it is the vendor that looses money when a user claims a charge is unrecognized and the vendor is unable to provide sufficient proof that it was a legitimate purchase (though the CVV2 number helps the vendors here). To add to that, even more incentive is provided by the banks because they keep track of the unresolved chargebacks on all merchant accounts. If they find your merchant account has had too many unresolved chargebacks per month, they'll typically send you a notice informing you that you have 30 days to find another bank, and setting that up to continue your sales is generally next to impossible to achieve. It is, in some cases, possible to pay the bank extra money to keep the merchant account active for a bit longer, however.

Seems to me not collecting it is far easier and more viable in many many cases.

Indeed, it is. A vendor's ability to meet PCI DSS standards is much simpler when card data is not retained. However, there are some cases, such as automatic recurring payments, where storing card data is appropriate. At that point, additional measures are obviously necessary.

Personally, since the monetary liability ultimately comes back to the vendor, I don't feel criminal charges are necessary. That, and it seems like it may be simple to exploit such a system to make money suing vendors via charges designed to appear fraudulent. Additionally, many of the chargeback requests are often people simply not recognizing charges (i.e. they didn't remember making the purchase, and/or the card processing was done by a third party on behalf of the company selling the product). Now, fraudulent use of retained credit card data is an obvious crime. But provided a vendor has not abused their data and has taken the appropriate measures to meet the PCI DSS guidelines, I'd say they should be in the clear in terms of criminal charges. However, I may agree that reasonably increasing chargeback fees would significantly increase incentive.

Erm... we already do

[jimicus]

In the UK (and, I believe, Europe), anyway.

The Data Protection Act briefly states:

• Data may only be used for the specific purposes for which it was collected.
• Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
• Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
• Personal information may be kept for no longer than is necessary.
• Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
• Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.

There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place...

Re:Yes/No

[__aagmrb7289]

The credit card industry has mandatory PCI compliance. This basically covers your concerns. Supposedly, those companies not compliant will not be allowed to process credit cards - and the requirements must be audited and proven by an outside firm. It's QUITE expensive. The problem is whether or not these rules are being enforced. They ARE getting more stringent as time goes forward.

Re:Self reporting of a felony would not happen

[sampson7]

I completely disagree with your assertion that a company would not self-report. As a compliance officer with a major international corp (albeit in a different field), we are often faced with the difficult question of whether to self-report a potential violation. We are generally faced with three options when a potential violation arises:

1. Self-report the violation, fix the problem/install appropriate controls, get the "credit" for active compliance, take the medicine and move on.

2. Document the potential violation internally, fix the problem/install the appropriate controls, establish the paper record documenting the potential violation, but explaining why it is arguably not a violation or that there is no affirmative duty to self-report.

3. Actively attempt to conceal the violation or ignore a clear legal requirement to self-report.

Pop quiz! Which of these three "options" could lead to massive fines by the appropriate governmental regulator, share-holder lawsuits, top managers being fired and even the destruction of your company?

Anybody who thinks a potential release of information could not bite you in the ass needs to imagine the type of risk/reward analysis the company goes through. I can easily envision the following scenario. Company loses critical personal information. Company actively hides the loss and/or actively ignores legal obligation to self-report. The thief attempts to use the stolen credit card numbers/whatever. Thief is caught. Thief tells police where he acquired the information. Police investigate the breach. Internal emails/IMs reveal that the company knew about the breach but did nothing. Company faces multiple class action lawsuits from: (1) the people harmed by the breach of their personal information; and (2) shareholders who should have been informed in the quarterly SEC-required disclosures that the Company faced a potential liability.

Now some fly-by-night company might reach a different cost-benefit analysis. But any large company should immediately recognize that the potential harm of trying to cover something like this up. When you're talking about a bank or large medical company? Would you as CEO or internal compliance officer risk millions or even billions on something that is so likely to become discovered? Even if the chances are 10,000-to-1 against the breach ever coming to light? Frankly, the rewards are simply not worth the risk.

Re:Nominal "crime": leaving the keys in the igniti

[Ungrounded+Lightning]

In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, ...

It reduces car theft, thus reducing the load on law enforcement and insurance rates. It also makes it harder to steal getaway cars and increases the likelihood of catching the perps before they do something like rob a bank, reducing that victimization.

Or at least that's the sort of theory I'd expect to be behind the rule.

(At least one rural western state has had a requirement that any gun carried in a car must be loaded - so it can be used by the driver to defend against its own theft. They'd had a lot of trouble with walkaways from prison jacking good samaritans who rescued them in the desert.)

Re:Criminal charges for companies != jail time

[RevMike]

Not only is it the death penalty, it will drive other corps out of the United States. The economic impact would be far far greater than the damage caused by the underlying crime.

Imagine, if you would, that a mid sized wall street bank was subject to this law. Say Credit Suisse is shut down because of a breach. That might be 20,000 or 30,000 jobs lost directly right there.

How long would it take before Citibank, JPMorgan Chase, Morgan Stanley, Deutsche Bank, Lehman Brothers, Merrill Lynch, and Goldman Sachs all flee to London and Tokyo? That is probably another million jobs right there.

Then consider the people who are indirectly affected. The construction workers who were about to put an addition on the home of a now unemployed worker. The people who serve lunch near the corporate headquarters of these companies. etc. All told we are now looking at 6 million jobs total.

Next consider the fact that it will be very hard for a business to get a loan or sell stock in the United States, since there is a very high risk that the company could be shut down. Tens of thousands of businesses dry up. Now we are talking a loss of thirty to forty million jobs.

No. Prosecuting a company for anything but the most egregious acts doesn't make any sense at all. That isn't to say that making executive more liable doesn't make sense, but prosecuting companies willy nilly is a bad idea.

Re:Worrisome...

[not-my-real-name]

I work with aviation software. The documentation, testing, and software is all overseen by a DER (designated engineering representative), a person authorized by the FAA to approve things.

If there's a problem with an airplane and it turned out that he approved something inappropriately, he would be facing some serious personal liability.

Just so you know, there are jobs with serious penalties for negligence. And there are people who do these jobs.

Re:SSNs do not get "recycled"

[Foofoobar]

True. I just reread the SSA standings thanks to your comment. My original basis was due to their numbering scheme; the first 3 digits of an SSN is a regional code, the second two is a grouping number and the last 4 is the serial number (this is your actual number). Based on that, the logic was that given living and dead persons, since the original creation of the SSN system, they would have had to reassign to stay within the regional assignment system. But according to the SSA, they admit to fudging on regional so as to avoid reassigning; if one regional code is full, they just start assigning you to another regional code. So if the regional code of New York is all out of SSN's, they'll just assign you to New Jersey.