Long-Term Liability For One-Time Security Breaches?
An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep it secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"
That all of the really useful data tends to have infinite life (birthdate, SSN or equiv for non-US, place of birth) compounds the problem (the "use case" that comes to mind is some aged drive surfaces in the used parts market and some scofflaw procures it and uses it long after the breach itself).
Obviously, each organization should have their own ID numbers, and any given "customer" ID should be able to be associated with various time varying external credentials and really good stuff which isn't time varying shouldn't be in the hands of third parties.
Regulators (e.g. SOX, HIPAA, UK data protection act(s)) all seem to miss the boat about limiting the scope of breaches. Legislating that no breach ever occur is laudable, but impractical. So minimizing the harm done should be the focus.
The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.
There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they don't put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.
Did you seriously just complain that you have to give out your home address in order to have something delivered to you?
The submitter of TFA(TFAS?) has swallowed the "identity theft" myth, and all its deliberately problematic implications, hook, line and sinker.
Whoever came up with the concept of "identity theft" needs to be given an award for sheer chutzpah, then clubbed to death. The problem isn't "identity theft", an "identity" in this context is simply a bunch of information that is only copied, not destroyed or removed when compromised. The problem is bank fraud and various other sorts of fraud perpetrated by people using those data, against institutions who, in a masterful display of doublethink, simultaneously ask you for your SSN when you do anything more sophisticated than taking 20 bucks out of the ATM and treat the SSN like a double-secret-super password that only you could possibly know, on the strength of which loans will be granted, accounts opened, and so forth.
However, by using the term "identity theft", the implication is created that you are the responsible party. As a token, whoever was responsible for the breach might be forced by law or bad PR to offer you a year of credit monitoring or something; but that doesn't address the root problem: banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered. The problem isn't that somebody knows my mother's maiden name and my SSN, the problem is that numerous financial institutions and other such entities will happily accept possession of those facts as evidence that just about anybody is actually me. However, because it is "identity theft", I'm the one who has to watch my credit vigilantly forever, and wonder what might bubble up on a background check done in my name, rather than it being "bank fraud" or "inadequate police work", which would place the burden of responsibility on the party who ought to be responsible.
Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences. The idea that if those pesky consumers were just a little more careful, we wouldn't have this issue, is as elegantly malicious as it is utterly wrong.
You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.
As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.
Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.
This is a ridiculous game we keep playing over and over again. We have "secret information" we entrust to every business entity with which we do transactions. They aren't quite as secret any longer. And these other entities have people in them... not all of them can be trusted and you will never know who or how many whos have had access to the information. It's a very flawed system especially in light of modern communications technologies available today.
We need a system in which credentials for transactions are good for one-time-only. I present my credit/debit card and this information doesn't change again until either the expiration date arrives or I have it changed. But if I do something with my account "device" that issues a payment ticket number (rather like a cheque in many respects) that is then presented to the business entity to be used only by that business entity and only works once, twice or however often it can be used as approved by you. That code would only be useful for the other side of the transaction because their encryption key token must work with the ticket number I issued. Then these stupid open secrets won't need to be a concern any longer.
The big problem isn't that people can or can't securely store this information because we already know it can't ever be stored safely and also be useful. So it needs to be stored "safely enough" but also with limited usability. What it all comes down to is a system that requires end-to-end user accountability. As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.
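The ticket scheme sketched in the comment above, worked through as an added example (this is not the commenter's code, and no real payment network works exactly this way). It assumes the account holder's issuer shares a secret key with each merchant and that the merchant proves possession of that key with an HMAC over the ticket and amount; ticket ids, merchant names and keys are all constructed for the demo. The long-lived account number never leaves the issuer, so a stolen ticket is bound to one merchant, capped in amount and dead after its allowed number of uses.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Ticket:
    """A payment ticket usable only by one merchant, a fixed number of times."""
    ticket_id: str
    merchant_id: str
    uses_left: int
    amount_limit: int  # cents; a constructed unit for this example


def merchant_proof(key: bytes, ticket_id: str, merchant_id: str, amount: int) -> str:
    """What the merchant presents with the ticket: an HMAC over the ticket,
    its own id and the amount, keyed with its secret shared with the issuer."""
    msg = f"{ticket_id}|{merchant_id}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """The account holder's bank / device. Holds the real account and the
    per-merchant keys (assumed pre-shared out of band)."""

    def __init__(self):
        self.merchant_keys: dict[str, bytes] = {}
        self.tickets: dict[str, Ticket] = {}

    def register_merchant(self, merchant_id: str, key: bytes) -> None:
        self.merchant_keys[merchant_id] = key

    def issue_ticket(self, merchant_id: str, uses: int = 1, amount_limit: int = 0) -> Ticket:
        """Account holder approves a ticket for one merchant, N uses, capped amount."""
        if merchant_id not in self.merchant_keys:
            raise ValueError("unknown merchant")
        ticket = Ticket(secrets.token_hex(16), merchant_id, uses, amount_limit)
        self.tickets[ticket.ticket_id] = ticket
        return ticket

    def redeem(self, ticket_id: str, merchant_id: str, amount: int, proof: str) -> bool:
        """Merchant presents ticket + proof. Every check must pass, and a
        successful redemption burns one use so a replayed proof is refused."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None or ticket.merchant_id != merchant_id:
            return False  # unknown ticket, or ticket bound to another merchant
        if ticket.uses_left <= 0 or amount > ticket.amount_limit:
            return False  # already spent, or over the approved cap
        expected = merchant_proof(self.merchant_keys[merchant_id], ticket_id, merchant_id, amount)
        if not hmac.compare_digest(expected, proof):
            return False  # presenter does not hold this merchant's key
        ticket.uses_left -= 1
        return True


def demo() -> list[bool]:
    """Constructed scenario: one honest redemption, then three abuses."""
    issuer = Issuer()
    issuer.register_merchant("shop-a", b"constructed-key-a")
    issuer.register_merchant("shop-b", b"constructed-key-b")
    t = issuer.issue_ticket("shop-a", uses=1, amount_limit=5000)

    proof = merchant_proof(b"constructed-key-a", t.ticket_id, "shop-a", 4999)
    ok = issuer.redeem(t.ticket_id, "shop-a", 4999, proof)
    replay = issuer.redeem(t.ticket_id, "shop-a", 4999, proof)  # same ticket again

    t2 = issuer.issue_ticket("shop-a", uses=1, amount_limit=5000)
    # Ticket leaked to shop-b: it has its own key but the ticket is not bound to it.
    wrong_merchant = issuer.redeem(
        t2.ticket_id, "shop-b", 100,
        merchant_proof(b"constructed-key-b", t2.ticket_id, "shop-b", 100))
    # Right merchant, right key, but charging more than the holder approved.
    over_cap = issuer.redeem(
        t2.ticket_id, "shop-a", 6000,
        merchant_proof(b"constructed-key-a", t2.ticket_id, "shop-a", 6000))
    return [ok, replay, wrong_merchant, over_cap]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that a database dump from the merchant contains only burned or merchant-bound tickets, never the account number, so the "infinite life" problem raised earlier in the thread does not arise from that breach.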
The problem is that identity theft is profitable for more than just the thief.
The credit bureaus make shitloads of money from identity thieves taking out loans and triggering credit reports.
Actually, it should be "The CEO of your bank has agreed to waive the alleged debt, pay my outstanding legal and other costs and indemnify me against any future, plus an ex-gratia payment of fifty grand for my trouble. I have it in writing, with his photo ID right here. All witnessed and notarized".
You then hand over a note written with a crayon in childish writing, with a picture of a smiling face at the top and the bank officer's name scrawled underneath. In a different coloured crayon it says "it tru dat, signed my best pal", superimposed with a mucky handprint.
Well why not? Basically, that's what they've got against you.