Personal Data Exposed! Can Legislation Fix It? 154
rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."
More laws are the key ... to EVERYTHING (Score:5, Insightful)
I'm sure this is the one. No one will accidentally release anyone's private details when it's illegal.
Why haven't they made getting in a car accident illegal?
Current Liability Causes Indifference (Score:5, Insightful)
Don't legislate ! (Score:5, Insightful)
-Zero day exploits: crooks will rush to do zero day exploits as an official confirmation will prove they've got good data (so more sophisticated gangs will buy it from them, most fraud happens in the first 24 hours)
-Honeytrap: When identity theft occurs law enforcement agencies may wish to honeytrap the thieves by letting them use the say credit card details & thus tracking them.
-White Noise Defense: smart companies ought have "white noise" dud systems, easily hacked containing white noise data with honeytrap triggers (eg a valid credit card number but one that belongs to say FBI) in it !
- and so on.
But they should be forced to notifiy law enforcement agencies.
Re:What *I* Would Like to See in Legislation? (Score:4, Insightful)
News just in:- Female IT workers around the world have breathed a collective sigh of relief.
Seriously though, accountability seems to be the key. It feels like (hands up, I'm no expert in this area) that people can get away with some of the shoddiest practices when it comes to safeguarding other peoples' personal data. I don't think it is enough to expect the market (in that serious breach of security and loss of data will cost that organisation customers) to regulate itself. It's like shutting the gate after the horse has bolted. There needs to be something up front - focusing organisations' minds on making sure this does not happen in the first place. I would say that an organisation that handles, for example, credit card data should be made accountable for any losses directly attributable to mishandling that data plus some compensation in lieu of the time required to close the account, order new cards, etc..
Re:More laws are the key ... to EVERYTHING (Score:4, Insightful)
Re:More laws are the key ... to EVERYTHING (Score:3, Insightful)
Oh... wait, I think there's been something like that already. Anyone know whether it worked?
That's no problem (Score:3, Insightful)
Comment removed (Score:3, Insightful)
Secrets are the problem (Score:1, Insightful)
We need systems that are more like paypal or your online banking account where you *send* payments to the people you want to send money to rather than having those people *take* the money from you.
Implementing it in a way that that is as easy to use and prevelent as credit cards is unfortunately a major undertaking and I'm not sure exactly how it would even be done but its the only way to stop the continuous drum beat of many of these sorts of issues. With the penetration of cell phones and instant network access everywhere its an idea that is getting easier and easier to implement every day.
There are separate issues with SSN..etc that are not addressable in this way but perhaps a central government system which uses a kind of kerberos Ticket-Granting-Ticket scheme could allow third party verification of credentials and storage of tickets without their actual knowledge of what those credentials are. It seems a little spooky though
The next best approach I see is a deterministic hash like algorithms that still allow SSNs to be used between systems and as keys for storage in applications but prevent their outright knowledge.
As far as legislation
I don't think legislation which prescribes solutions or requrements in terms of security is useful. Market pressures which come from notification requirements can do a lot in this regard and IMHO should be the focus for government involvement.
The problem is even seemingly obvious requirements such as "use firewalls" may not have any real actual effect on the security properties of a system or do anything to stop insider threats. Technology is too complex and changes too fast for our elected officials and their self appointed experts to reasonably understand and more importantly *predict*.
Re:More laws are the key ... to EVERYTHING (Score:3, Insightful)
Can legislation fix it? (Score:4, Insightful)
The summary and the FA were short on information, but here is my stab at this.
How about we just keep our private information private? The increase in the amount of personal data that is attempted to be acquired by private companies is increasing, and remind me how my giving of my personal data to Pets-R-Us is going to benefit me?
I paid cash for a car, and the people wanted my social security number. Why?
A health club near me wants my social security number to lift weights and stuff. Why?
Oh, and don't get me started with those so-called "Privacy Agreements" that some of these comanies give out to you. All of those end with the clause "we can change our mind at any time w/o notifying you", so how is this any kind of agreement? By signing one of those I am agreeing to nothing.
So, I think that the laws should say that there are 2 kinds of personal information. One kind is something that can clearly identify me. My address, phone number, ssn, name, etc. And none of that should be shared with anyone. Abstract data for marketing reasons is OK. My age, sex, or whatever they can get from me that does not directly tie the information to me is OK.
Target the credit bureaus (Score:4, Insightful)
I'd rather outlaw the use of your SSN as both username and password. Why are the credit bureaus allowed to let anyone who knows those nine irrevocable digits mess with your credit report?
Re:More laws are the key ... to EVERYTHING (Score:4, Insightful)
None of the credit agencies seem to be willing to lift a finger to do "the right thing". I guess we're going to have to start suing the credit agencies for defamation or something whenever they associate our identity and credit with a criminal in order for them to take notice, if we're not going to be allowed to make laws to tell the credit agencies to get their act together.
"patchwork of state laws"??? (Score:4, Insightful)
Re:FUD-vertisement! (Score:2, Insightful)
Like anything, like war, cancer or flooding, the whole problem seems silly and irrelevant when it happens to other people. Then one day it happens to you.
I'm not comparing this to war or cancer -- but I don't think you've thought through the seriousness of this problem. Ask yourself this: What's your time worth?
What if you had to spend a hundred hours to fix this? Three hundred hours? What is 300 hours of your time worth?
What's it worth to you? to the economy at large? to your wife and family?
It's not Fox news, dude, it's real. Bury your head and feel lucky. That's the privilege of youth.
Re:More laws are the key ... to EVERYTHING (Score:5, Insightful)
These are the kinds of laws that a rational person can support. It's laws that are meant to protect us from ourselves we have to many of.
In fact, we do not so much need new laws, but clarifications of how existing legal principles apply.
If I park my car and do not set the brake, and it rolls down the hill into your house, the law says I have to pay for the damages to your house. Not you. You get an estimate of, say $2000, and I have to pay that plus a certain amount to compensate your for your inconvenience.
That isn't paternalism, it's common sense.
Now suppose I negligently release private information about you, and that results in your identity being stolen. The damage I've done to you is incalculable. And therein lies the rub. I am not responsible for the criminal misdeeds of others, but I have caused you far more than $2000 of trouble by my negligence. It is the inability to put a dollar amount on that damage that keeps me immune from being sued by you.
If Congress set a standard $1000 damage level for negligent disclosure of private financial data, you could sue me. But you wouldn't have to. If I managed a database of a thousand people, I'd be looking at a cool million in direct liability. It would alter my calculations. I wouldn't be sending your private data home on an unsecured laptop so a temp I've done no background checks on can do a little data entry.
That's the common theme we've seen in "shocking" cases of data mismanagement. It's not shocking at all, it's inevitable. If the cost of mishandled data is zero, then I'll risk exposing you to identity theft for a penny on an account, multiplied by enough accounts and that's real money.
It isn't hard to secure data to the point that the risk of disclosure is negligible. But it's impossible if the cost of disclosure is zero.
Re:Do you have a mohawk and wear safety pins? (Score:3, Insightful)
I'm pretty sure this is what you misunderstand. The "rule of law" doesn't mean that there should be a law to rule every action, inaction, transaction, or interaction in life. "Rule of law" means that governments can only use force according to the law. It stands in contrast to "rule of men" where individual rulers impose their will on the folks who are ruled.
There another concept called "freedom" where individuals are free to act largely without the oversight of a ruler or a law to regulate them through every step in their day.
Freedom trusts the individual. Laws are created to help ensure that the individual is free from force or fraud. The individual can decide things for himself and is expected to decide things based on his best interest.
Tyranny, totalitarianism, authoritarianism, socialism, and monarchy tend to distrust the individual. Laws are created to regulate the individual's everyday actions in as minute a level of detail as possible. That way, he'll make the right decisions to further the goals of the dictator or ruling class or majority, whatever those goals happen to be.
I only suggest that the presumption should be that freedom is correct. Therefore, "make a new law" should be the option of last resort on a problem.
Legislation can't fix it (Score:3, Insightful)
Re:Do you have a mohawk and wear safety pins? (Score:3, Insightful)
Really? Who is the aggressor? Who is the defrauder?
It seems clear that any law in this case would regulate innocent third parties rather than the aggressor. Hence, the government becomes the aggressor with the innocents, as always, being the victims. Is it really just to harshly punish the folks who disobey this new law? (Mild punishments don't deter.)
Rather than make a new law here, we should repeal a bunch of other laws. Then the government agents who were enforcing those other laws can focus on catching the criminals who commit the crimes rather than regulating innocents or collecting fines to enlarge the treasury.
Re:Accountability (Score:3, Insightful)
Perfect security of data is easy. You destroy it.
especially since the data "needs" to be available to a large portion of the company in order for work to be done.
If the risk of fines is high, they'll find a way to no longer need it.
How about restricting the collection and storage of personal information in the first place? How many companies REALLY need your SSN? How about schools? Do THEY need it? Really? [...] How many web sites want your birth date? Do any of them really need it?
Well, it looks like you are wanting to take a micro-manage way of the exact same thing I want. Rather than trying to get them to not collect some specific point of data through lots of very specific legislation, just making the consequences bad enough and they will find ways to deal with data in a manner that is not personally identifiable. You don't have to tell the businesses what they can and can't do. You tell them the consequences after they screw it up, and they'll not do it or they'll do it with greater care. Fewer laws and easier to manage that way...