Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should Companies Share Criminal Blame In ID Theft?

Posted by ScuttleMonkey on from the whole-system-stinks dept.

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches does not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

1 of 328 comments (clear)

  1. Not IT, but business by Ohrion · · Score: 5, Informative

    I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

    I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.