Privacy News

Personal Data Exposed! Can Legislation Fix It? 154

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."
This discussion has been archived. No new comments can be posted.

  • by G27 Radio ( 78394 ) on Monday April 23, 2007 @01:18PM (#18842345)
    I've been writing a bit about my personal experiences with Criminal Identity Theft. It's something quite a bit different than your typical identity theft. I wouldn't hold my breath waiting for the states to do much about theft of personal data on their own. They didn't even bother to notify me when they found out some jerk had been using my names to commit crimes. I've come to the conclusion that the government just doesn't give a rat's ass about these things.

    I'll be writing something to these guys. If you're interested in what I've been dealing with, my story starts here:

    http://g27radio.blogspot.com/2007/04/think-youre-safe.html [blogspot.com]

  • Accountability (Score:5, Interesting)

    by AK Marc ( 707885 ) on Monday April 23, 2007 @01:20PM (#18842387)
    There is only one thing that companies are accountable to, and that's the shareholders. If you can save $200 with crappy security and screw over 100,000 people with a breach, a company is under pressure to save the $200. If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc. Fine them up to $1000 per person exposed. Oh, lose the data of 100,000 people on an encrypted laptop left in an airport lounge? That'll be $100,000,000. Also, make concealing a breach (as opposed to reporting it) a jail-able offense. Yes, that may make losing a laptop and hiding that fact get someone more time in jail than a murderer, but we need to drop the "what would a rapist get" dogma. Yes, raping someone is bad. But what about a little loss multiplied by 100,000? Wouldn't screwing up thousands of people's lives (even if the inconvenience isn't really that large) really be in the same league as messing up one person's life really badly?

    Recap:

    Required disclosure
    Jail for those that purposefully avoid disclosure
    Large fines for breaches
  • by Urban Garlic ( 447282 ) on Monday April 23, 2007 @01:34PM (#18842573)
    My fantasy strategy is to punish the owners of inaccurate personal information.

    Legislation that provided a penalty for holding inaccurate personal data about someone would strongly discourage people from grabbing personal info just because they can. If bit-rot in personal-info databases had legal consequences, people would be more careful about what they collected, and would take the trouble to verify its integrity. It'd be harder to sell a database like that, too, since the buyer would want the means to keep it up to date. Also, you can bet that every personal-info-storing website would switch to an "opt-in" model about as fast as their lawyers could say "liability risk".

    The major downside would be that it would disproportionately hurt small organizations. Sadly, I don't have a solution for that.
  • by pair-a-noyd ( 594371 ) on Monday April 23, 2007 @01:58PM (#18842863)
    There are millions of laws and all of them are ignored by the criminals.
    Honest people obey them but criminals do not.

    What it will take is to enact a DEATH PENALTY for computer crimes / identity theft.
    That's right, strap the bastards down in Ol' Sparky and televise it to the world.

    Two or three public executions and the problem will pretty much go away overnight.
    Do it from another country you say? No problem. Send a Special Forces hit team to kill them in the dark of night.

    Seriously though, one day someone is going to get really, really pissed off and they'll go get a pound of flesh from the companies that allowed the data breach to happen. It's only a matter of time.
    There are a lot of unhinged people on the edge as it is now.

    This has gone on way too long. Enough with the useless laws, let's start up public executions.

  • Re:Accountability (Score:3, Interesting)

    by walt-sjc ( 145127 ) on Monday April 23, 2007 @02:19PM (#18843169)
    The problem is that perfect security is IMPOSSIBLE, especially since the data "needs" to be available to a large portion of the company in order for work to be done. We can certainly be better though. Forbid the storage of personal data on laptops with jail time for anyone that transfers such data to a laptop or other portable media (with the exception of backup media.)

    How about restricting the collection and storage of personal information in the first place? How many companies REALLY need your SSN? How about schools? Do THEY need it? Really? Can we ban the use of SSNs as primary identifiers? How about a federal registry where collectors would have to register that they have personal information about someone, and allow the person to request that the info be removed (obviously need exceptions to this...) How about requiring written approval for businesses wanting to share your data with others? The honest truth is that most businesses have no need to store all that data in the first place. How many web sites want your birth date? Do any of them really need it? With VERY few exceptions, the answer is a definitive NO.
  • by timholman ( 71886 ) on Monday April 23, 2007 @02:27PM (#18843297)
    There is one very reasonable change I'd like to see enacted. I want to have the option of putting my credit file on permanent Fraud Alert with the major credit reporting agencies. Currently consumers have the right to make a phone call to an automated line which places a Fraud Alert on their credit files (I call Equifax at 800-525-6285, who then shares the alert with the other agencies). This alert prevents identity thieves from opening a new line of credit in your name without the agency contacting you first.

    The only problem is that the alert must be renewed every 90 days. To get a permanent Fraud Alert, you must prove you've already been a victim of identity theft - essentially closing the barn door after the horse has gotten out.

    Consumers need to have the right to request a permanent alert without question, and for any reason. I am long past the point in my life where I need instant credit. I can afford to wait long enough for the credit agency to call me if I need to open a new account. Of course, the credit agencies will fight any such measure tooth and nail (the 90 day alert had to be forced upon them by law), but unlike some proposals I've read so far, this one is actually doable with a realistic amount of effort on everyone's part.
  • by technicalandsocial ( 940581 ) on Monday April 23, 2007 @02:43PM (#18843491)
    In Canada, we have PIPEDA http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp [privcom.gc.ca], as well as provincial and industry related privacy legislation that is useful. If you have a violation, you can submit it to the privacy commissioner, as well as http://www.cippic.ca./ [www.cippic.ca]
  • by TubeSteak ( 669689 ) on Monday April 23, 2007 @02:50PM (#18843611) Journal

    Laws are just codified rules.
    And look who is writing a draft of those rules: A law firm.

    Unfortunately, that's how a lot of laws get written. Law firms, think tanks & lobbying organizations write up their wish list and then sweet talk Congressmen or Senators into submitting it.

    This happens at both the Federal and State levels.

    Maybe the public representatives (in reality, their staff) should be writing up the rules.

    "Oh, but we like this set of rules!"
    My response: think of all those laws you didn't like.
