Slashdot Mirror


Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches do not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

19 of 328 comments

  1. Yes/No by HappySqurriel · · Score: 5, Insightful

    I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.

    1. Re:Yes/No by penix1 · · Score: 4, Insightful

      I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    2. Re:Yes/No by Zironic · · Score: 4, Insightful

      Tell me again what part of those features require my personal data? Learn to use a serial number seriously.

    3. Re:Yes/No by Foofoobar · · Score: 4, Insightful

      Nobody needs to store SSNs except the government that issues them. The fact that people made the MISTAKE of standardizing on SSNs as primary keys for users to begin with is their own fault. Mainly because SSNs are horrible primary keys since they REPEAT!!! Yes look it up... they DO get reissued after death and with long-term storage, this will only cause issues for storage of personal data.

      Second, data loss is a quick route to a lawsuit as a result of storing SSNs; People and companies need to stop this bad procedure especially since laws in several states have been passed banning the practice. Good security can only do so much as human error is inevitably your final point of failure. And do you want to have a couple million social security numbers relying on the security of a backup tape in the back of your junior sys admin's Pinto overnight?

      --
      This is my sig. There are many like it but this one is mine.
    4. Re:Yes/No by CodeBuster · · Score: 3, Insightful

      The issue is one of negligence not the relative efficacy of the available security technologies. If a company is found, upon discovery, to have exhibited a complete or reckless disregard for the potential consequences of a breach then some liability is in order. The "reasonable man" test can be used by juries to decide whether or not the circumstances surrounding the breach amount to negligence and what the appropriate remedy should be. The negligence tort has already been well litigated in common law countries (like the US, UK, and Australia) so the only thing different here are the details (IT technical details) which might require expert witnesses to testify or offer their opinions, but the basic law in negligence is well settled (at least as far as I understand it, but IANAL so please do not take this as formal legal advice) once the details or facts of a particular matter have been determined.

    5. Re:Yes/No by Qzukk · · Score: 3, Insightful

      Data is key for a successful company

      I never hear about a company having the laptop containing their inventory records getting stolen. Is that a function of nobody but the company caring, or do companies take better care of their "keys" than their customers'?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Criminal charges for companies != jail time by religious+freak · · Score: 4, Insightful

    If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

    However, you can (and IMO should) have much stiffer penalties than civil courts allow. When a data security breach is so bad as to harm society itself, it should be prosecuted criminally - this is the doctrine for criminal prosecution of companies. Criminal penalties can range from massive monetary damages, to shutting the entire company down, or forcing changes in management. This is the correct route to go.

    Obviously, if the implication is that the IT workers themselves should be thrown in jail, this is absurd and would cause all kinds of damage, both foreseeable and unintended.

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    1. Re:Criminal charges for companies != jail time by sm62704 · · Score: 3, Insightful

      Freezing a company's assets and disallowing any business for two years would be the equivalent of putting a human in prison for two years. So you could, in fact, "jail" a corporation. You could shield its employees (at least the ones not responsible) by forcing the company to pay them anyway. If it goes bankrupt, well, people go bankrupt after incarceration, why shouldn't businesses?

      Or conversely, put its CEO and Board of Directors in a maximum security prison with the other criminals, many of whom caused far less damage to people, or none at all.

      The thing is, the corporations are deemed too valuable to be punished. THIS is what should change.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Criminal charges for companies != jail time by TubeSteak · · Score: 4, Insightful

      If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

      It is tiring that this line of reasoning keeps getting trotted out.
      WTF do you think executive officers are for?

      "The Company" doesn't do anything illegal, the corporate officers & various (vice) presidents are the ones in charge and they have always borne the responsibility of the company's actions.

      --
      [Fuck Beta]
      o0t!
  3. Self reporting of a felony would not happen by frith01 · · Score: 5, Insightful

    You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.

    [ Why would anyone report a data breach when that means they would face jail time ? ]

    Remember, the odds of an external entity finding out about the data breach is extremely small (except for the ones taking the data of course ).

  4. Re:Yea! by corsec67 · · Score: 4, Insightful

    Next step:
    Actually punishing companies that break laws, in such a way they can't just dissolve the front and start with a new name and the same people.

    --
    If I have nothing to hide, don't search me
  5. Yes by sm62704 · · Score: 4, Insightful

    Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

    There should also be, upon conviction in criminal court, monetary redress for the poor slobs whose data was compromised, and it should be a LOT more than it cost the compromised person. Say, enough to buy a new car.

    Why can't we have the death penalty for corporations? The standard answer is "all those people who get thrown out of work", but there IS a death penalty for corporations; ENRON suffered the death penalty, but the people in charge (at least the ones that didn't go to prison) suffered no penalty at all.

    How about a "death penalty" where the victims are given the company itself?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:Yes by oyenstikker · · Score: 3, Insightful

      Won't fly. The shareholders will then claim to be victims as well.

      --
      The masses are the crack whores of religion.
  6. Fix the bank and lending system instead by lena_10326 · · Score: 4, Insightful

    Stop giving out credit to every person who walks up to a cash register. Stop warehousing critical information that can be used to apply for credit. Stop approving credit based on only Name/SSN/Address. Stop this culture of unlimited, unchecked credit to anyone, any time, any place.

    The problem is the lending system, not the fact your data is leaked. In web terms, credit applications need to be double opt-in, not single opt-in.

    --
    Camping on quad since 1996.
    1. Re:Fix the bank and lending system instead by lena_10326 · · Score: 3, Insightful

      100% on-topic. Data breach => identify theft => credit and lending fraud. Fix it at the tail end by making the data useless to fraudsters. Think it through next time, mod. Just think it through.

      --
      Camping on quad since 1996.
  7. Criminal Charges? by db32 · · Score: 5, Insightful

    Sure...while we are at it let's put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

    I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention of spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff. Never mind there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

    That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further and I imagine many of the competent ones will find work elsewhere not wanting to be a whipping boy under idiotic laws like this.

    --
    The only change I can believe in is what I find in my couch cushions.
  8. Re:Hard to say by hairyfeet · · Score: 4, Insightful

    The problem ISN'T hackers and thieves, the problem is rampant King Kong sized stupidity. How about we only bust them for gross negligence? Let's face it, it is these morons that have thousands of customer records on unencrypted laptops, or leave an unencrypted backup tape sitting in the parking lot in their car, or the idiots at my local phone company who put a bunch of machines on the curb without bothering to wipe the drives first.

    I think we can all agree that there is a BIG difference between taking precautions and getting hacked and these brain trusts that don't even bother to show even the tiniest bit of common sense. We need to have penalties for the ones that don't even bother to try, otherwise why would they spend the money on security when they aren't really going to be punished when they screw everybody? And I agree with the earlier poster that there needs to be a time limit for most of this stuff. While a previous poster used the example of an insurance company the simple fact is there are way too many companies that hang onto every scrap of information that comes their way for years. We should come up with a set of criteria that has to be met before you are allowed to keep data for longer than the transaction requires. But as always this is my 02c, YMMV

    --
    ACs don't waste your time replying, your posts are never seen by me.
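Two technical points recur in the thread: Foofoobar's objection to using the SSN as a primary key (SSNs get reissued, so they are not unique), and penix1's and hairyfeet's call to keep personal data no longer than the transaction requires. The following is an added example, not code from the Slashdot thread or from any company discussed in it, showing one schema that does both: a surrogate integer key, an HMAC token of the SSN in place of the raw number (keyed, because nine digits is only 10^9 guesses and an unkeyed hash would be brute-forced in minutes), no uniqueness constraint on that token, and a purge routine that nulls the token once a per-row retention date has passed. The key generation, the in-memory SQLite database, and the names, SSN and dates are all constructed for the demo; in a real deployment the HMAC key would live in a KMS or HSM, never beside the data.

```python
"""Added example (not from the thread): surrogate key, keyed SSN token,
and retention-based purge. Every name, SSN and date below is constructed."""
import datetime as dt
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: in production this key is held in a KMS/HSM and supplied at
# runtime. Generated fresh here so the example runs stand-alone.
TOKEN_KEY = secrets.token_bytes(32)

SCHEMA = """
CREATE TABLE customer (
    customer_id  INTEGER PRIMARY KEY,   -- surrogate key; never the SSN itself
    full_name    TEXT NOT NULL,
    ssn_token    TEXT,                  -- HMAC(key, ssn); deliberately NOT UNIQUE
    ssn_last4    TEXT,                  -- enough for a call-centre check
    retain_until TEXT NOT NULL          -- ISO date after which the token is purged
);
CREATE INDEX customer_ssn_token ON customer (ssn_token);
"""


def normalize_ssn(ssn: str) -> str:
    """Strip separators and insist on exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def ssn_token(ssn: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed token: lets us match a customer by SSN without storing it.
    Without the key a 10^9-entry rainbow table reverses a plain hash."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_customer(conn, name: str, ssn: str, retain_days: int, today: dt.date) -> int:
    digits = normalize_ssn(ssn)
    retain_until = (today + dt.timedelta(days=retain_days)).isoformat()
    cur = conn.execute(
        "INSERT INTO customer (full_name, ssn_token, ssn_last4, retain_until)"
        " VALUES (?, ?, ?, ?)",
        (name, ssn_token(digits), digits[-4:], retain_until),
    )
    return cur.lastrowid


def find_by_ssn(conn, ssn: str) -> list:
    """May return several ids: a reissued SSN legitimately maps to two people."""
    rows = conn.execute(
        "SELECT customer_id FROM customer WHERE ssn_token = ? ORDER BY customer_id",
        (ssn_token(ssn),),
    ).fetchall()
    return [r[0] for r in rows]


def purge_expired(conn, today: dt.date) -> int:
    """Null out the SSN-derived columns once retention has lapsed; the row
    (and its surrogate key) survives so other references stay valid."""
    cur = conn.execute(
        "UPDATE customer SET ssn_token = NULL, ssn_last4 = NULL"
        " WHERE ssn_token IS NOT NULL AND retain_until < ?",
        (today.isoformat(),),
    )
    return cur.rowcount


def demo() -> dict:
    today = dt.date(2008, 8, 29)
    conn = open_db()
    # Constructed: the same SSN reissued to a second person.
    a = add_customer(conn, "A. Doe", "123-45-6789", 30, today)
    b = add_customer(conn, "B. Roe", "123 45 6789", 400, today)
    before = find_by_ssn(conn, "123456789")
    purged = purge_expired(conn, today + dt.timedelta(days=60))
    after = find_by_ssn(conn, "123-45-6789")
    return {"ids": [a, b], "before": before, "purged": purged, "after": after}


if __name__ == "__main__":
    print(demo())
```

`demo()` inserts two customers sharing one SSN (which a UNIQUE constraint or an SSN primary key would have rejected), looks both up by token, then runs the purge 60 days later: only the 30-day row loses its token, and the lookup afterwards returns just the surviving id. Note that the purge keeps the row and its surrogate key, so orders or invoices that reference `customer_id` are unaffected; what leaves the database is the thing a breach would expose.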
  9. It's the responsibility of the people who created by erroneus · · Score: 3, Insightful

    It's the responsibility of the people who created this system that people cannot reasonably opt out of.

    With "drug laws" as they are, there are limits to the amount of cash anyone can carry without it potentially being seized by cops. You can't pay for everything in gold can you? With the majority of banks out there simply refusing to do business with you for not having a social security number, it is essentially impossible for people to exist in society without allowing your identity to be entered into various systems and databases. The credit and banking system has created this potential for abuse of our identities and it is the credit and banking system that should be held accountable for the abuse of the system that we are all but involuntarily required to be a participant in.

    Furthermore, since so many businesses feel it is in their interests to collect our information and put it at risk, they should also maintain responsibility for its abuse when it leaves their control. Once again, as a condition for doing business and ultimately for leading a "normal" mainstream life, we are essentially powerless to opt out and are otherwise defenseless and unable to protect ourselves from what may happen when mismanagement and abuse of our trust occurs.

    What a great system they have where they reap all the benefits and we burden all the risk? I think it's more appropriate that they bear the risk along with the benefit. If they want to have the benefit of collecting private information, they should bear the consequences when the information is abused as a result of their own abuse or negligence.

  10. Re:Yea! by greenbird · · Score: 3, Insightful

    The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT department's budget to increase security.

    The only problem is that the executive staff won't be the ones going to jail. I guarantee it won't be any executives. It'll be the poor overworked IT guy doing 6 different jobs and is on call 24/7/364 (he gets Christmas off) who ends up with all the blame. And then the executive staff will give themselves a raise for doing such a good job getting to the bottom of the security breach and taking such decisive actions in making sure it'll never happen again.

    --
    Who is John Galt?