Slashdot Mirror


Should Companies Share Criminal Blame In ID Theft?

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches do not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

8 of 328 comments

  1. Yes/No by HappySqurriel · · Score: 5, Insightful

    I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft, so a company should not face harsh consequences if they took the necessary steps to protect people's information.

    1. Re:Yes/No by kannibal_klown · · Score: 5, Interesting

      I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people, especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

      Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

      A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin' LAPTOP I have no idea; something like that should be on a server only accessible from the company's encrypted network (but I digress).

      I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

      In all, it's a mixed bag of blame. Personally I think the government and law enforcement should take Identity Theft a lot more seriously, with major penalties against these fraudulent jerks.

    2. Re:Yes/No by thesolo · · Score: 5, Interesting

      A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin' LAPTOP I have no idea; something like that should be on a server only accessible from the company's encrypted network (but I digress).

      $10 says someone was either creating top-line reports or other such nonsense based on spreadsheets full of live data, and they brought it home/outside of the office to continue working on it past business hours.

      I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting. People don't follow IT protocol when it becomes inconvenient for them to do so. (i.e. staying late at the office vs going home & working there.)

    3. Re:Yes/No by David+Gerard · · Score: 5, Interesting

      The Economist ran a report pointing out that companies had whined at length about how Sarbanes-Oxley was crippling their business, but they did an investigation and found that the companies in question were doing as well as before or better.

      (The Economist is absolutely gung-ho to the point of stupidity about free markets, so I don't think they have some sort of corporate agenda in saying so.)

      --
      http://rocknerd.co.uk

  2. Self reporting of a felony would not happen by frith01 · · Score: 5, Insightful

    You have a choice: allow organizations to report the data breach, or have them cover it up to avoid the penalty.

    [ Why would anyone report a data breach when that means they would face jail time ? ]

    Remember, the odds of an external entity finding out about the data breach are extremely small (except for the ones taking the data, of course).

  3. Criminal Charges? by db32 · · Score: 5, Insightful

    Sure... while we are at it, let's put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

    I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention of spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff? Never mind that there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

    That said... I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many, many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further, and I imagine many of the competent ones will find work elsewhere, not wanting to be a whipping boy under idiotic laws like this.

    --
    The only change I can believe in is what I find in my couch cushions.

  4. Not IT, but business by Ohrion · · Score: 5, Informative

    I disagree with the prospect of placing blame directly on IT/IS. I do believe, however, that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and has signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of the business. In fact, this is fairly frequent.

    I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail time no. The exception to this is if the theft is an inside job. Of course, there are already laws to deal with that.

  5. Re:Yea! by Lumpy · · Score: 5, Interesting

    Actually wrong.

    The first step is to financially ruin and have real "pound me in the ass" prison terms for the executive staff that cut the IT department's budget to increase security.

    If the CEO has the fear of being raped by Bubba while the CTO is told "you're next, pretty boy," they will quit spending money on their company BMWs and office remodels and actually give the IT departments the funding they need to have the staff and hardware to do their FUCKING job.

    Do I seem a bit jaded?

    --
    Do not look at laser with remaining good eye.