Slashdot Mirror
Should Companies Share Criminal Blame In ID Theft?
snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches does not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?
I think it is entirely appropriate to investigate a company when large ammounts of personal information ends up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.
This would be a great civil class action case, but criminal? The slope is quite slippery, and like previous posters have said, the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.
Of course, some would argue that the banks and lenders behind the whole sub-prime mortgage crisis deserve to be criminally punished for causing a global recession and for the number of lives they've destroyed.
If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.
However, you can (and IMO should) have much stiffer penalties than civil courts allow. When a data security breach is so bad to as harm society itself, it should be prosecuted criminally - this is the doctrine for criminal prosecution of companies. Criminal penalties can range from massive monetary damages, to shutting the entire company down, or forcing changes in management. This is the correct route to go.
Obviously, if the implication is that the IT workers themselves should be thrown in jail, this is absurd and would cause all kinds of damage, both foreseeable and unintended.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.
[ Why would anyone report a data breach when that means they would face jail time ? ]
Remember, the odds of an external entity finding out about the data breach is extremely small (except for the ones taking the data of course ).
Almost any system can be hacked by someone sooner or later. If a crack was found in SSH that allowed a root shell, would the person responsible for the code be held responsible? or the guy who admins the server?
Next step:
Actually punishing companies that break laws, in such a way they can't just dissolve the front and start with a new name and the same people.
If I have nothing to hide, don't search me
Not only should there be criminal damages, but attempting to keep the thieft secret should carry an even heavier penalty.
There should also be, upon conviction in criminal court, monetary redress for the poor slobs whose data was compromised, and it should be a LOT more than it cost the compromised person. Say, enough to buy a new car.
Why can't we have the death penalty for corporations? The standard answer is "all those people who get trhrown out of work", but there IS a death penalty for corporations; ENRON suffered the death penalty, but the people in charge (at least the ones that didn't go to prison) suffered no penalty at all.
How about a "death penalty" where the victims are given the company itself?
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
If your going to store my private data without my expressed permission. In other words I didn't specifically request it (as opposed to having it thrown in as a caveat on some user agreement). Then you are responsible for all mishaps that may be incurred by your actions.
If I ask you to save my data then I accept that I am giving permission to said company as is. In other words it now is my responsibility to look over all disclosures.
The inherent problem however is there is no means of specifically identifying a person. first and last name no longer work. you can assign them a unique code but most people get tired of bringing around and ID card for every business they do business with. Thus you are forced to use a.) a phone number which is subject to change, social security ID, or credit card number.
So though I do believe they should be held responsible for negligence and saving information without expressed permission. I do think the credit industry as a whole is responsible. There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.
This one ID bullshit needs to stop. Each person should have a superficial ID which can be changed at request. A credit ID which requires in person transactions (loan etc) a government ID and a health care ID. all of which should be maintained by different independent agencies.
Exactly right. Nobody.
At the very least, they should be held civilly liable. We should be suing every last one of these MFing companies that hand our personal data over to criminals to the fullest extent provided by law. There should be statutes on the books allowing for statutory damages to be awarded when our personal data is negligently handled.
And where are the amulance chasers in all this? Why aren't there ads on my TV for shysters who will take on these cases?
Follow the money... who's getting paid? The politicians. Barack Obama, John McCain...doesn't matter who you vote for, because they both have their hands in the same pockets!
Stop giving out credit to every person who walks up to a cash register. Stop warehousing critical information that can be used to apply for credit. Stop approving credit based on only Name/SSN/Address. Stop this culture of unlimited, unchecked credit to anyone, any time, any place.
The problem is the lending system, not the fact your data is leaked. In web terms, credit applications need to be double opt-in, not single opt-in.
Camping on quad since 1996.
Sure...while we are at it lets put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.
I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff. Nevermind there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.
That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further and I imagine many of the competent ones will find work elsewhere not wanting to be a whipping boy under idiotic laws like this.
The only change I can believe in is what I find in my couch cushions.
I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.
I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.
I am not sure that criminal charges are necessarily needed. Who would get the jail time? I mean does the SA have to prove that he recommended better security to the PHB? Does management automatically go directly to jail?
I might be happy enough with the company being responsible for any identity theft of the people listed in their data. Maybe only for the next 5 or 10 years, but if their credit starts getting messed up, then the company which lost the data should be responsible to take the blame and also partially (split between the bank and the company) financially responsible.
Even that suggestion has issues though. People will then fraud the company that lost their data by pretending that their identities were stolen and that someone is purchasing things in their name. All the while it was that person themselves.
Regardless, I think the whole identity/information theft thing is more complicated than most (non-technical/non-business) people take into account.
Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
Most forms of construction must adhere to a code. Why should software be any different?
It would be nice, IMO, if we could formulate a set of minimum requirements for any kind of personal-data-handling software (including codes for operating procedures). Things like "all passwords in the system must use strong encryption" and "backups of the data cannot be stored on personal laptops" and the like.
Then legally require businesses to higher some ratio of software developers who have passed a code certification and logged sufficient hours under the apprenticeship of a certified master, and cite them if any such developers blow the whistle on them.
It is not a perfect solution. It has problems with implementation. And of course M$ will do its darndest to ensure that codes require the use of its software. But it it is still better than the situation we have now.
Forgive me for not RTFA in advance but...
I'm a developer, I've worked on many an app that has stored credit cards, social security numbers, and other pieces of juicy data. I've always acted with integrity and you'll never find a credit card or social security number posted on the Internet of my own free will. Generally I take best efforts to secure this information. Using appropriate technology such as hashing, encryption, access controls and authentication as appropriate for the information, etc. Documenting as throughly as possible to make sure that nothing happens, and what to do to further protect things.
Despite all this, if my programming is ever compromised, am I now jail potential? I'm finding a new job...
...in bed
Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it. Not counting, of course, the harm of feeling appropriately uneasy as you wonder if/when someone will do something with it following a leak - but I'm not sure that sort of anxiety rises to the level of crime on the part of the hotel chain... you could have the same anxiety about whether or not someone holding your data will at some point have a leak that hasn't even happened yet, and likely never will.
There's a reason that someone who sues McDonalds over the hot coffee she dumps in her own lap doesn't ask a DA to go after them criminally. Likewise with slipping on a wet restroom floor that doesn't have one of those "caution" signs put up by the maintenance crew. Being bad (or even, unlucky) at your job could well be grounds for a civil suit, but it isn't usually - and shouldn't usually - be considered an actual crime. That's pretty dangerous stuff, there.
When some wackadoo in full-on tinfoil hat mode brings a gun or a knife to work and kills the PHB he's hated for years, and is now convinced is working for Alien Overlords... is the employer who didn't see that coming an accessory to the crime that was committed, for having failed to prevent it?
If data is leaked, and no crime (based on the use of that data) is ever committed, and the laptop gets recovered with no expectation of it having been compromised... did a crime take place, not counting the person who ripped off the laptop from an employee's luggage? Is the employer actually a criminal because that happened? The opportunities for Really Bad Precedents here are vasty.
Don't disappoint your bird dog. Go to the range.
I mean, I know HIPPA takes care of issues with respect to people's medical records, but, I don't think that there are actually any laws against the release of people's data. If there were, there would be a whole lot less of companies out there that held and traded in such information.
It is a crime to break into a computer to gather this data. But, I don't think at this point, in the US it is a crime to lose it.
If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.
If there is, can someone cite it or give links on this?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I'm of the opinion that the liability should depend in part on whether the data's being kept longer than needed for the transaction or purpose it was provided for or not. For instance, if I buy something from an on-line merchant they need to keep my name and address on file at least long enough to ship my item, and almost certainly for the length of time I'm allowed to return the item for a refund or replacement. They need to keep my credit-card number on file long enough to authorize it, possibly long enough to settle the charges (depending on how they're set up with their clearing house), and possibly as long as I'm allowed to ask for a refund (if for instance the clearing house requires the card number to credit the money back). When a company keeps information around longer than needed, they should be held to a higher standard since now it's their choice that the data's being kept. And "needed" should be determined by the purpose or transaction the data was provided for, not by what the company wants to do. When I provide a billing/shipping address for a purchase, I'm not providing it so the company can do better advertising later. If they insist that I create a profile and leave that information on file permanently for their convenience or benefit, they should be taking more responsibility for it's security than if they're keeping it just long enough to do what I asked of them and then discarding it.
In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, except to remind people that leaving your keys in the car invites theft. I certainly haven't heard of anyone being prosecuted for the "crime".
Perhaps a similar nominal criminal sanction should be in place for the company that leaves the keys to my identity in their corporate "ignition"? The penalty would be a slap on the wrist, or less -- because a stiff penalty would lead to coverups. But the law would still be on the books.
That would allow the bean counters to add an item on the balance sheet for "secure client data -- compliance required by law". That would carry more weight than "secure client data -- compliance with 'best practices' guidelines".
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
In the UK (and, I believe, Europe), anyway.
The Data Protection Act briefly states:
It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.
There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place...
The USA needs something like the Data Protection Act which the UK has... It gives individuals rights to access and correct data held about them and it mandates that organizations must take adequate steps to protect and secure the data. Failure to do so is a criminal offense.
IANAL... If any of Best Western's compromised data details reservations at any of Best Western's hotels in the United Kingdom, they may have opened themselves up for prosecution under this law. All organizations and businesses in the UK which may store details on more than around 500 individuals must register and adhere to the DPA. I am sure that Best Western has had more than 500 customers in their UK operations!
No sig. Move along - nothing to see here.
Not only should there be criminal damages, but attempting to keep the thieft secret should carry an even heavier penalty.
And the famous part of the Fifth Amendment hits that head on:
"... nor shall [any person] be compelled in any criminal case to be a witness against himself, ..."
So it's not going to happen in the US. Give it up.
= = = =
The people harmed are easily identified. It makes more sense for this to be a civil matter, with heavy financial penalties being paid by the company to the victims of the identity theft, rather than into government coffers.
If the government were to legislate or rule-make the penalties and/or automate the process in corporate regulations, rather than waiting for class action suits to lay the ground rules (and line the pockets of the litigating class while the victims get pennies), so much the better. (Assuming the legislators don't just write a slap-on-the-wrist preemption law for their corporate sponsors. B-( )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Actually wrong.
The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT departments budget to increase security.
If the CEO has the fear of being raped by bubba while the CTO is told "you're next pretty boy" They will quit spending money on their company BMW's and office remodels and actually give the IT departments the funding they need to have the staff and hardware to do their FUCKING job.
Do I seem a bit jaded?
Do not look at laser with remaining good eye.
Attempting to legally define responsibility for "reasonable" security is a tricky one. You don't want a situation where corporate can, say, consistently shirk on security implementation, then hang the poor bastard who had to make the best of a bad job out to dry when the time comes(not that that would ever happen, no, definitely not, never). On the other hand, having a checklist of "OMG Industry Best Practice!!!1!~) ass-covering steps is pretty much writing the script for security theatre.
I suspect that going after the type, quantity, and duration of data storage is a much more productive avenue. For any given commercial relationship, certain data storage will be necessary, for a certain amount of time. Not much we can do about that. Anything beyond that level, though, should be open to stiff liability in the event of a breach. You want the advantage of storing extra data? You take the risks, like it or shove off. The trouble(particularly bad in the US, though hardly good elsewhere) is that there is essentially nothing, other than the low and falling costs of storage, counterbalancing the desire to hoard as much customer(no, I'm not going to say "consumer") data as possible. Make anybody who stores more than the necessary minimum of data liable for damage caused by breach or inaccuracy and the problem should be considerably reduced.
Even if the above seems, shall we say, unrealistic, there are some basic steps we should have taken ages ago. FFS, companies that have data stolen aren't even obligated to warn people in some jurisdictions!(See the ChoicePoint debacle a while back, they warned California customers, because the evil commie nanny state had the crazy idea that people ought to be warned when somebody fucks up and gives their data to criminals; but everybody else just had to puzzle it out) That is absolutely insane.
It's the responsibility of the people who created this system that people cannot reasonably opt out of.
With "drug laws" as they are, there are limits to the amount of cash anyone can carry without it potentially being seized by cops. You can't pay for everything in gold can you? With the majority of banks out there simply refusing to do business with you for not having a social security number, it is essentially impossible for people to exist in society without allowing your identity to be entered into various systems and databases. The credit and banking system has created this potential for abuse of our identities and it is the credit and banking system that should be held accountable for the abuse of the system that we are all but involuntarily required to be a participant in.
Furthermore, since so many businesses feel it is in in their interests to collect our information and put it at risk, they should also maintain responsibility for its abuse when it leaves their control. Once again, as a condition for doing business and ultimately for leading a "normal" mainstream life, we are essentially powerless to opt out and are otherwise defenseless and unable to protect ourselves from what may happen when mismanagement and abuse of our trust occurs.
What a great system they have where they reap all the benefits and we burden all the risk? I think it's more appropriate that they bear the risk along with the benefit. If they want to have the benefit of collecting private information, they should bear the consequences when the information is abused as a result of their own abuse or negligence.
Part of the issue is storing identifying information, the other issue is storing credit card info. There should be no excuse for storing credit card info.
I was at Home Depot (Canada), returning something I bought earlier, and I reached for my wallet to give the guy the credit card to refund the item. He said, "Oh, we don't need that Sir, it is all stored in our system". I said: "You store credit card data on your computer"? He says: "Oh, we don't have access to it".
The point is, not the employees having access to it, but the data getting copied or stolen by criminals, such as the Best Western case.
Some credit card gateways provide a token based approach to recurring charges, such as monthly subscriptions, but it is not a standard that can be used everywhere with any card, and any merchant.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, ...
It reduces car theft, thus reducing the load on law enforcement and insurance rates. It also makes it harder to steal getaway cars and increases the likelihood of catching the perps before they do something like rob a bank, reducing that victimization.
Or at least that's the sort of theory I'd expect to be behind the rule.
(At least one rural western state has had a requirement that any gun carried in a car must be loaded - so it can be used by the driver to defend against its own theft. They'd had a lot of trouble with walkaways from prison jacking good samaritans who rescued them in the desert.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The thing is, the corporations are deemed too valuable to be punished. THIS is what should change.
Seriously, what the hell? Consider the HSWA (1974), the Environmental Protection Act (1990) and the Data Protection Act (1998), all of which carry the possibility of fines and a jail term if breached?
All intents and purposes. Not intensive purposes.
Companies will only stop allowing mass identity theft if there are definite consequences for their failures.
When I was doing standards work, I was introduced to the notion that only "must" and "shall" (i.e., imperative words) mean something you have to do. Words like "should" are really synonymous with "don't really have to at all" in standards lingo. They just mean you have to answer for something in words when someone calls you on it, but ultimately that no one can force you.
So too the real difference between civil and criminal is that civil means you can buy your way out pf doing the wrong thing and criminal means you really have to do the right thing. So people can choose.
Asking whether civil or criminal law applies isn't the thing to do. The thing to do is to ask whether this is really something that has to be done or whether it's ok to just let people do the wrong thing and then occasionally pay a fine. If you don't mind having your identity stolen and you think maybe courts will operate efficiently in your favor to reimburse you with extra dollars to spare for your trouble whenever it happens, you definitely want the civil penalty approach. Or if you have a magic way to have the problem not happen to you and you just don't care that it happens to someone else who is in the unfortunate set that you have excluded you from. But otherwise, I see no option other than to say criminal.
That doesn't mean I think criminal law should be retroactively applied. It just means I think business people take very seriously the criminal law, and that if this is on that level of magnitude, then that'st he approach. But I'd decide first just the question of whether this is a "should" or a "must". The rest will just follow from that. Present attitudes in business tells you businesses think it's a "should" (meaning "don't really have to at all"). The question is, does the public agree? For the public to establish "civil penalties only" is, I suspect, the same as saying the public agrees it's a "should"--a mere cost to be managed, often after-the-fact.
Kent M Pitman
Philosopher, Technologist, Writer
Seriously, having worked in IT Security for some time and done numerous "compliance" projects. Compliance takes time and costs money. Too many times I have been told "we just don't have the money for that this year." Corporations commonly engage in the 'risk' game where they risk it for as long as they can. Until the bank stops taking their credit cards (in the case of PCI Compliance) or there is an actual public breach - the risk is quite low. I'm not against criminal charges but they should be levied on a corporate officer and not the rank and file IT person. This person has zero responsibility for the financial decisions required to keep data safe. I make recommendations until I am blue in the face but until management realizes the risk to them - they won't touch it with someone else's ten foot pole.
Wouldn't this lead to all companies needing to purchase a data loss insurance policy, much like doctors need malpractice insurance? The end result would be richer lawyers and insurance companies, more wasted time in court, and companies not needing to change because they have insurance.
I do think these companies need to be held responsible, but I think that they are already afraid of the PR hit from losing data, and their IT managers should already be afraid for their jobs if a data breach occurs. I really doubt that this sort of law is going to help.
Criminal blame won't make a difference unless it automatically applies at the top corporate level. Otherwise, lower-level grunts will be served up as sacrificial lambs. The only method that can be used to justify to management having appropriate security expenditure is to attach a solid price tag to bad security practices to offset the price tag of good practices. That means large and immediate monetary penalties for loss of information (indexed for inflation of course). That way management won't decide to risk fighting any class-action lawsuits for 10 years until they can retire, leaving their successors to deal with the mess. If you can lay out to management "You have 100,000 accounts, and a security breach is going to cost you $X and your current practices have a high chance of a security breach in the next few years", it's a lot more concrete than if I talk about the historic average cost of security breaches in unrelated industries (based on contacting stakeholders, PR, etc., after a breach). Put a solid price tag on it and companies will either adjust, or go under faster and prevent further loss of client information due to continued poor practices.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
Well, according to the FBI, this includes all forms of credit card fraud. This is mostly why "identity theft" is getting so much attention and seems to be growing by leaps and bounds.
I have been subjected to credit card fraud many times, as have many people I have known. I have yet to meet anyone that has experenced any loss, even the supposed $50 that you might be liable for. Zero loss, get a new card and move on. Sometimes a minor hassle.
The sort of "identity theft" that most people associate with the term is where someone obtains credit under false pretenses. I don't know what the actual incidence of this is and because of the FBI combining it with credit card fraud, we will probably never know the true impact of this. What I want to know is how often this is really happening and has anyone, ever, been a victim of something beyond credit card fraud because of one of these disclosures.
I don't see any point to trying to make a bigger deal out of it if there have in fact been zero occurrences where this information has been used to someone's detriment.
How about it's illegal for a company to put that sort of data onto a laptop?
Why do many of these people even need laptops? They work in a cubicle/office sitting down. They then go home and work at a desk sitting down. Set up two RDesktop terminals: one on the corporate LAN, and one that VPNs in.
You get exact same work environment and your data is safe on the server, with everything being encrypted with AES.
Data is compromised only when the person's account information is stolen (stealing the dumb terminal doesn't even help you).
For some people this won't work because of the ego trip involved in getting a laptop (and some people do actually need laptops), but others will appreciate the fact that they don't have to lug this thing around.
And if you can standardize on a particular model of unit you can perhaps throw in smart card logins.
The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT departments budget to increase security.
The only problem is that the executive staff won't be the ones going to jail. I guarantee it won't be any executives. It'll be the poor overworked IT guy doing 6 different jobs and is on call 24/7/364 (he gets Christmas off) who ends up with all the blame. And then the executive staff will give themselves a raise for doing such a good job getting to the bottom of the security breach and taking such decisive actions in making sure it'll never happen again.
Who is John Galt?
Oh for fuck's sake. If you're going to blame anyone, how about blaming the people resposible?
Some jackass shows up at a bank, gives my name and social security number, gets a loan, and then the bank harasses me for their money. Sounds like the bank is the one to blame. They're the dumbasses who didn't adequately determine who they were dealing with, and they're the ones who sought to ruin me financially by trying to collect money I didn't owe them.
The problem isn't that companies are leaking my social security number, the problem is that I can't tell everyone my social security number because a lot of dumbass companies assume it to be a PIN number and will make my life hell if anyone else happens to know it.
Major investors should be punished, yes. Minor stock-holders...no more than losing their investment. Directors, yes. Corporate executives, yes.
It should be handled analogously to fiscal malfeasance. ... Or rather as fiscal malfeasance should be handled.
I think we've pushed this "anyone can grow up to be president" thing too far.
True. I just reread the SSA standings thanks to your comment. My original basis was due to their numbering scheme; the first 3 digits of an SSN is a regional code, the second two is a grouping number and the last 4 is the serial number (this is your actual number). Based on that, the logic was that given living and dead persons, since the original creation of the SSN system, they would have had to reassign to stay within the regional assignment system. But according to the SSA, they admit to fudging on regional so as to avoid reassigning; if one regional code is full, they just start assigning you to another regional code. So if the regional code of New York is all out of SSN's, they'll just assign you to New Jersey.
This is my sig. There are many like it but this one is mine.
That makes NO sense! I know that theoretically it's the company's responsibility to secure the data, but if some 1337z h4x04z figure out some crazy way into the system, then why should the company's top people face criminal charges? If you don't want to risk your information getting stolen, then don't give it to anyone. The company is also a victim in this case. Charging the victim is like this: You have bars on your windows and locks on your door. One night, a burglar busts in someone and jacks your PS3. You get charged with a crime. Does that make sense? No. And neither does this.
McCain/Palin '08. Now THAT's hope and change!
If you try to jail the CEO, he will say it's the CTO's job to secure the systems. He in turn blames the head-of-IT-ops, who in turn blames the lonely sysop. So who's going to jail? All of them? The top? The bottom?
If YOU do something bad, YOU have to pay the price. We've got several gradations here: pay a fine, go to jail, both in different amounts.
If a company does something bad, what can we do to make it pay? Well, exactly that: Make it pay.
Now, if YOU know that a fine for XYZ is $1, and it's easier for you to do XYZ than something else, then you'll easily do XYZ. Besides that the chances of getting caught are usually small, the fine is such that you can easily pay up. If you have to pay $10000 as the fine most of us will think twice, and be really careful.
In the case of a big company, $10000 is nothing. So fines you put on companies should be proportional to their size. Faking profits or losses is easy. So it should be proportional to their turnover.
Here in Europe, MicroSoft got fined EUR 1 billion for ignoring antitrust laws. This is an amount that even a company like MicroSoft feels.
With several situations, legally someone is responsible. But after they have "paid" in whatever way that is, they might then be able to hold someone else responsible. For example, if I buy a stereo here in The Netherlands, I've got warranty service from the shop. They can claim: "factory warranty: 1 year" all they want, but the law gives me the right to ask the shop to fix problems in the product during a "reasonable time" no matter what they claim. (i.e. warranty: 1 week will not work either!).
So, if a company pays a fine, and finds that this evidently the fault of a certain employee, they can sue that employee afterwards.
The problem of scale then kicks in. If the company pays a $1M fine, but this is evidently the fault of precisely one employee. (Say he was told not to do X, but he did so anyway, finding clever ways to escape the regular checks of the company to see if he was complying with the order) Then how can that single employee pay the $1M "damages" to the company?