Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches does not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

Yes/No

[HappySqurriel]

I think it is entirely appropriate to investigate a company when large ammounts of personal information ends up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.

Re:Yes/No

[penix1]

I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't but it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

Re:Yes/No

[kannibal_klown]

I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't but it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

In all, it's a mixed bag of blame. Personally I think the government and law enforcement should take Identify Theft a lot more seriously, with major penalties against these fraudulent jerks.

Re:Yes/No

[Sylver+Dragon]

I think there is a way to go about it that would work.
The first thing that would have to be done is that we would need some guidelines as to what a "reasonable" level of security is, and even that might be scaled based on the type of information stored. This should then be re-evaluated yearly by a commission of qualified IT managers from industry. There are other limitations which should be placed on the commission, but that's outside the scope of this uninformed rant.

Just as an example:
Storing customer names and addresses - Database encryption and basic perimeter security may be considered reasonable. Losing data and not being there should result in fines and maybe some jail time.

Storing Credit Card info - Same as above, but add backup encryption, laptop hard-disk encryption, internal firewall for DB servers and source code audit on all applications with DB connections. Failure to comply and losing data would be hefty fines, jail time for those responsible for the systems, and civil liability to those people affected.

Storing Social Security Numbers - All the above, but damages increase substantially, as does jail time, with c-level execs getting in on the PMITA action. And civil liability is increased to "the affected customers now own your ass" level.

The problem, of course, is that it would be the government doing it, so they would invariably screw it up.

Re:Yes/No

[thesolo]

A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

$10 says someone was either creating top-line reports or other such nonsense based on spreadsheets full of live data, and they brought it home/outside of the office to continue working on it past business hours.

I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting. People don't follow IT protocol when it becomes inconvenient for them to do so. (i.e. staying late at the office vs going home & working there.)

Re:Yes/No

[David+Gerard]

The Economist ran a report pointing out that companies had whined at length about how Sarbanes-Oxley was crippling their business, but they did an investigation and found that the companies in question were doing as well as before or better.

(The Economist is absolutely gung-ho to the point of stupidity about free markets, so I don't think they have some sort of corporate agenda in saying so.)

Re:Yes/No

[Zironic]

Tell me again what part of those features require my personal data? Learn to use a serial number seriously.

Re:Yes/No

[Foofoobar]

Nobody needs to store SSN's except the government that issues them. The fact that people made the MISTAKE of standardizing on SSN's as primary keys for users to begin with is their own fault. Mainly because SSN's are horrible primary keys since they REPEAT!!! Yes look it up... they DO get reissued after death and with longterm storage, this will only cause issues for storage of personal data.

Second, data loss is a quick route to a lawsuit as a result of storing SSN's; People and companies need to stop this bad procedure especially since laws in several states have been passed banning the practice. Good security can only do so much as human error is inevitably your final point of failure. And do you want to have a couple million social security numbers relying on the security of a backup tape in the back of your juniour sys admin's Pinto overnight?

civil not criminal

[v(*_*)vvvv]

This would be a great civil class action case, but criminal? The slope is quite slippery, and like previous posters have said, the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

Of course, some would argue that the banks and lenders behind the whole sub-prime mortgage crisis deserve to be criminally punished for causing a global recession and for the number of lives they've destroyed.

Criminal charges for companies != jail time

[religious+freak]

If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

However, you can (and IMO should) have much stiffer penalties than civil courts allow. When a data security breach is so bad to as harm society itself, it should be prosecuted criminally - this is the doctrine for criminal prosecution of companies. Criminal penalties can range from massive monetary damages, to shutting the entire company down, or forcing changes in management. This is the correct route to go.

Obviously, if the implication is that the IT workers themselves should be thrown in jail, this is absurd and would cause all kinds of damage, both foreseeable and unintended.

Re:Criminal charges for companies != jail time

[TubeSteak]

If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

It is tiring that this line of reasoning keeps getting trotted out.
WTF do you think executive officers are for?

"The Company" doesn't do anything illegal, the corporate officers & various (vice) presidents are the ones in charge and they have always born the responsibility of the company's actions.

Self reporting of a felony would not happen

[frith01]

You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.

[ Why would anyone report a data breach when that means they would face jail time ? ]

Remember, the odds of an external entity finding out about the data breach is extremely small (except for the ones taking the data of course ).

Re:Self reporting of a felony would not happen

[sampson7]

I completely disagree with your assertion that a company would not self-report. As a compliance officer with a major international corp (albeit in a different field), we are often faced with the difficult question of whether to self-report a potential violation. We are generally faced with three options when a potential violation arises:

1. Self-report the violation, fix the problem/install appropriate controls, get the "credit" for active compliance, take the medicine and move on.

2. Document the potential violation internally, fix the problem/install the appropriate controls, establish the paper record documenting the potential violation, but explaining why it is arguably not a violation or that there is no affirmative duty to self-report.

3. Actively attempt to conceal the violation or ignore a clear legal requirement to self-report.

Pop quiz! Which of these three "options" could lead to massive fines by the appropriate governmental regulator, share-holder lawsuits, top managers being fired and even the destruction of your company?

Anybody who thinks a potential release of information could not bite you in the ass needs to imagine the type of risk/reward analysis the company goes through. I can easily envision the following scenario. Company loses critical personal information. Company actively hides the loss and/or actively ignores legal obligation to self-report. The thief attempts to use the stolen credit card numbers/whatever. Thief is caught. Thief tells police where he acquired the information. Police investigate the breach. Internal emails/IMs reveal that the company knew about the breach but did nothing. Company faces multiple class action lawsuits from: (1) the people harmed by the breach of their personal information; and (2) shareholders who should have been informed in the quarterly SEC-required disclosures that the Company faced a potential liability.

Now some fly-by-night company might reach a different cost-benefit analysis. But any large company should immediately recognize that the potential harm of trying to cover something like this up. When you're talking about a bank or large medical company? Would you as CEO or internal compliance officer risk millions or even billions on something that is so likely to become discovered? Even if the chances are 10,000-to-1 against the breach ever coming to light? Frankly, the rewards are simply not worth the risk.

Re:Yea!

[corsec67]

Next step:
Actually punishing companies that break laws, in such a way they can't just dissolve the front and start with a new name and the same people.

Yes

[sm62704]

Not only should there be criminal damages, but attempting to keep the thieft secret should carry an even heavier penalty.

There should also be, upon conviction in criminal court, monetary redress for the poor slobs whose data was compromised, and it should be a LOT more than it cost the compromised person. Say, enough to buy a new car.

Why can't we have the death penalty for corporations? The standard answer is "all those people who get trhrown out of work", but there IS a death penalty for corporations; ENRON suffered the death penalty, but the people in charge (at least the ones that didn't go to prison) suffered no penalty at all.

How about a "death penalty" where the victims are given the company itself?

as simple as due diligence ,,,

[Brigadier]

If your going to store my private data without my expressed permission. In other words I didn't specifically request it (as opposed to having it thrown in as a caveat on some user agreement). Then you are responsible for all mishaps that may be incurred by your actions.

If I ask you to save my data then I accept that I am giving permission to said company as is. In other words it now is my responsibility to look over all disclosures.

The inherent problem however is there is no means of specifically identifying a person. first and last name no longer work. you can assign them a unique code but most people get tired of bringing around and ID card for every business they do business with. Thus you are forced to use a.) a phone number which is subject to change, social security ID, or credit card number.

So though I do believe they should be held responsible for negligence and saving information without expressed permission. I do think the credit industry as a whole is responsible. There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.

This one ID bullshit needs to stop. Each person should have a superficial ID which can be changed at request. A credit ID which requires in person transactions (loan etc) a government ID and a health care ID. all of which should be maintained by different independent agencies.
 

Re:Yea!

Exactly right. Nobody.

At the very least, they should be held civilly liable. We should be suing every last one of these MFing companies that hand our personal data over to criminals to the fullest extent provided by law. There should be statutes on the books allowing for statutory damages to be awarded when our personal data is negligently handled.

And where are the amulance chasers in all this? Why aren't there ads on my TV for shysters who will take on these cases?

Follow the money... who's getting paid? The politicians. Barack Obama, John McCain...doesn't matter who you vote for, because they both have their hands in the same pockets!

Fix the bank and lending system instead

[lena_10326]

Stop giving out credit to every person who walks up to a cash register. Stop warehousing critical information that can be used to apply for credit. Stop approving credit based on only Name/SSN/Address. Stop this culture of unlimited, unchecked credit to anyone, any time, any place.

The problem is the lending system, not the fact your data is leaked. In web terms, credit applications need to be double opt-in, not single opt-in.

Criminal Charges?

[db32]

Sure...while we are at it lets put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff. Nevermind there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further and I imagine many of the competent ones will find work elsewhere not wanting to be a whipping boy under idiotic laws like this.

Not IT, but business

[Ohrion]

I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.

Careful with that word 'crime'

[ScentCone]

Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it. Not counting, of course, the harm of feeling appropriately uneasy as you wonder if/when someone will do something with it following a leak - but I'm not sure that sort of anxiety rises to the level of crime on the part of the hotel chain... you could have the same anxiety about whether or not someone holding your data will at some point have a leak that hasn't even happened yet, and likely never will.

There's a reason that someone who sues McDonalds over the hot coffee she dumps in her own lap doesn't ask a DA to go after them criminally. Likewise with slipping on a wet restroom floor that doesn't have one of those "caution" signs put up by the maintenance crew. Being bad (or even, unlucky) at your job could well be grounds for a civil suit, but it isn't usually - and shouldn't usually - be considered an actual crime. That's pretty dangerous stuff, there.

When some wackadoo in full-on tinfoil hat mode brings a gun or a knife to work and kills the PHB he's hated for years, and is now convinced is working for Alien Overlords... is the employer who didn't see that coming an accessory to the crime that was committed, for having failed to prevent it?

If data is leaked, and no crime (based on the use of that data) is ever committed, and the laptop gets recovered with no expectation of it having been compromised... did a crime take place, not counting the person who ripped off the laptop from an employee's luggage? Is the employer actually a criminal because that happened? The opportunities for Really Bad Precedents here are vasty.

Is it even illegal?

[cayenne8]

Thing is...is it even illegal at all, to divulge customer data?

I mean, I know HIPPA takes care of issues with respect to people's medical records, but, I don't think that there are actually any laws against the release of people's data. If there were, there would be a whole lot less of companies out there that held and traded in such information.

It is a crime to break into a computer to gather this data. But, I don't think at this point, in the US it is a crime to lose it.

If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

If there is, can someone cite it or give links on this?

Re:Is it even illegal?

[Stellian]

If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

No there's not - this the "problem" the original submitter want's to solve. I personally have huge issues about criminalizing any form of free-speech.
The identity of a person is not a secret, or a thing that can be stolen. The very way that identity works is by making it public:
"Hello, I'm John / Oh Hi John, I'm Susan"
Now if John is coy about revealing his identity for fear that Susan might open up a bank account in his name, the whole use of identity crumbles. I have nothing against anonymity, John can remain anonymous if he so desires. But the notion that you must somehow "protect" identity by keeping it a secret is a stupid trick that harms the usefulness of identity and our society as whole. The artificial distinction of allowing trusted people (banks, the phone company) access to it, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the proposal above, of criminalizing the act of compiling a list of people's identity using public data - as explained above, all identity data is public to some extent, by definition; if it's not public, it does not identify you.
Far for me to claim that it's safe to post your personal data on Slashdot. In this warped world we are living in, there is the danger of so called "identity theft".
The term of "identity theft" is a copious misnomer perpetrated on the public by the banking industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible; the problem of "ID theft" is an externality. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".
You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.

(I have only approached the problem from the identity fraud perspective; I fully agree there are other reasons to wanting to have your data private, such as, well... privacy)

Erm... we already do

[jimicus]

In the UK (and, I believe, Europe), anyway.

The Data Protection Act briefly states:

• Data may only be used for the specific purposes for which it was collected.
• Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
• Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
• Personal information may be kept for no longer than is necessary.
• Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
• Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.

There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place...

Re:Hard to say

[hairyfeet]

The problem ISN'T hackers and thieves,the problem is rampant King Kong sized stupidity. How about we only bust them for gross negligence? Let's face it,it is these morons that have thousands of customer records on unencrypted laptops,or leave an unencrypted backup tape sitting in the parking lot in their car,or the idiots at my local phone company who put a bunch of machines on the curb without bothering to wipe the drives first.

I think we can all agree that there is a BIG difference between taking precautions and getting hacked and these brain trusts that don't even bother to show even the tiniest bit of common sense. We need to have penalties for the ones that don't even bother to try,otherwise why would they spend the money on security when they aren't really going to be punished when they screw everybody? And I agree with the earlier poster that there needs to be a time limit for most of this stuff. While a previous poster used the example of an insurance company the simple fact is there are way too many companies that hang onto every scrap of information that comes there way for years. We should come up with a set of criteria that has to be met before you are allowed to keep data for longer than the transaction requires. But as always this is my 02c,YMMV

Re:Yea!

[Lumpy]

Actually wrong.

The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT departments budget to increase security.

If the CEO has the fear of being raped by bubba while the CTO is told "you're next pretty boy" They will quit spending money on their company BMW's and office remodels and actually give the IT departments the funding they need to have the staff and hardware to do their FUCKING job.

Do I seem a bit jaded?