Long-Term Liability For One-Time Security Breaches?

An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep is secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"

Re:Two oddities

[RobertM1968]

The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

Re:Two oddities

[Mr.+Underbridge]

There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.

As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.

Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.