
Long-Term Liability For One-Time Security Breaches?

Posted by Soulskill
from the neverending-can-of-worms dept.
An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep it secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"
  • Well you could always change all the numbers and important information that you can. After that I recommend praying to your favorite diet(y|ies). That or keeping all of your money in a shoebox under your bed.
  • Contract (Score:4, Insightful)

    by decipher_saint (72686) on Monday July 12, 2010 @12:54PM (#32876590) Homepage

    Not to sound condescending, but when you hand your stuff over to a third party generally there is a contract signed between you and them, what you are looking for *should* be in that contract.

    • Contracts simply state what is agreed to, and to some extent, what happens when what specifically agreed-to elements of the contract are not met -- usually this mostly means termination of the agreement. Contracts might contain verbiage about keeping data and equipment secure; if security is breeched, that's where the contract ends and liability law begins.

      When someone makes a mistake and a laptop gets stolen because someone failed to secure it properly, this is called 'negligence' and it's an actionable t

    • Not really. That is an internal thing between you and the third party company. When you outsource a job, you are still 100% liable for it. So outsourcing should be done with good checks, apart from the good contract. In programmer's speak: it is like encapsulation. The customer should not be able to tell the difference between you doing the job or a subcontractor doing it. And if the customer can tell the difference, it is your liability (which you may be able to outsource as well, but it starts and ends wi
  • A nice point. (Score:1, Interesting)

    by Anonymous Coward

    Ironically, the four UK Credit Reference Agencies have announced today that you can do a web based credit check on yourself for the sum of £2.00. Previously only one of them allowed web one time (ie non annual contract) checks.

    If they make it quick and also cheap then maybe more people will take responsibility for checking their own details on a regular basis.

    Posting anon for obvious reasons....

    • by MoonBuggy (611105)

      Quick question: is it worth getting the statutory £2 report from all of the companies (incidentally, the ICO only lists [ico.gov.uk] three) or will it be sufficient to go with one?

      Not that it particularly matters at £2 per go, I suppose, but it'd still save some time if it turns out they're all working from shared info.

      • by Zerth (26112)

        They don't necessarily have the same info and they definitely don't share "this is bogus information" notices. They are competitors.

    • by Sir_Lewk (967686)

      Posting anon for obvious reasons....

      Yes of course, perfectly understandable.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Sorry, the reason for your anonymity evades me; I guess it's not as obvious as you think.

      The reason for my anonymity is because I don't have a Slashdot account (I've never been able to decide on a pseudonym to use).

  • the real reason (Score:2, Interesting)

    by Bizzeh (851225)

    the real reason we hear more about it and hear of more of them every day is because they are the media topic of the moment, just like when Northern Rock was in trouble, suddenly, all the banks were in trouble and everyone took their money and caused the financial meltdown.

    in short, this sort of thing isn't happening more frequently than it previously was, it's just being reported on more

  • Two oddities (Score:3, Insightful)

    by vlm (69642) on Monday July 12, 2010 @12:59PM (#32876644)

    The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

    The second oddity is we are mostly dealing with the bottom percentiles of personnel, equipment, hardware, software, and design. So the article blissfully dreams "Let's hope that these reasonable measures will include the use of encryption." But you know that fools are just going to add another column to the database called "encryption key" so as to decode the other columns. Or store the key in C:\key.txt. Or go all ROT-13 or whatever the unicode version is of ROT-13. If you're dealing with screwups, adding more conditions just makes their screwups more rube goldberg and hilarious, it doesn't prevent them from screwing up.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Yeah, I agree. Also this falls into the category of "Yeah, so?". Lots of things are unfair, and yeah, we should probably try to change them, but the feasibility is the issue: most people have probably been part of some security breach in the past 30 years. Do we monitor credit for everyone? Okay, where does it end?

      Also these credit monitoring services, while helpful, aren't foolproof. Just look at that lifelock jackass.

      I'm not saying it isn't unfair - it is - it just seems a lot like wishful thinking,

    • Re:Two oddities (Score:5, Informative)

      by RobertM1968 (951074) on Monday July 12, 2010 @01:21PM (#32876910) Homepage Journal

      The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

      There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they don't put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

      • Re:Two oddities (Score:5, Informative)

        by Mr. Underbridge (666784) on Monday July 12, 2010 @01:40PM (#32877118)

        There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they don't put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

        You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.

        As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.

        Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.

    • by mysidia (191772)

      A record "encryption key" column in a database is fine as long as that encryption key is (A) generated in a sufficiently strong manner that it cannot be guessed, for example a SHA256 hash of a strong shared key salted with a pseudorandom value and the record id, and (B) accompanied by an initialization vector generated from truly random data, and (C) the encryption key in the enc. key column is itself encrypted using a strong public crypto, and (D) the secret key is not stored in the database, is prefera
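    The conditions mysidia lists amount to envelope encryption: a per-record data key, a random nonce per encryption, and the data key itself stored only in wrapped form under a key that is not in the database. The following is an added example written for this page, not code from the commenter or from any product mentioned in the thread. It makes two simplifications that are labelled as assumptions: the per-row key is drawn at random rather than derived from a shared key, salt and record id (same effect for this purpose), and the wrapping uses AES-256-GCM under a symmetric key-encryption key (KEK) instead of the public-key wrapping the comment mentions. The KEK, the record id and the sample value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row of the table. The per-record data-encryption key (DEK)
// is stored, as the comment allows, but only wrapped under a key-encryption
// key (KEK) that lives outside the database (HSM, KMS, or at least a file
// the database account cannot read). A dump of the rows alone is useless.
type Record struct {
	ID         uint64
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), random 96-bit nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), random 96-bit nonce prepended
}

// recordAAD binds both ciphertexts to their row id, so a wrapped DEK or a
// ciphertext copied into another row fails authentication.
func recordAAD(id uint64) []byte { return []byte(fmt.Sprintf("record:%d", id)) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag with a nonce from crypto/rand (the
// comment's point B: the IV must come from a real randomness source).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to nonce, data, tag or aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord draws a fresh random 256-bit DEK for the row, encrypts the
// plaintext under it, and stores the DEK only in wrapped form (point C).
func EncryptRecord(kek []byte, id uint64, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, recordAAD(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, recordAAD(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK, which is exactly what a stolen table lacks.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK, recordAAD(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, r.Ciphertext, recordAAD(r.ID))
}

func main() {
	kek := make([]byte, 32) // constructed for the demo; in practice fetched from a KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, 42, []byte("123-45-6789")) // constructed sample value
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptRecord(kek, rec)
	fmt.Printf("with KEK:    %s\n", pt)
	_, err = DecryptRecord(make([]byte, 32), rec) // attacker has the rows but not the KEK
	fmt.Println("without KEK:", err)
}
```

    Two things worth checking in a real schema follow from this layout: decrypting with the wrong KEK fails rather than returning garbage, and a wrapped key moved to another row is rejected because the row id is in the associated data. Rotating the KEK then means re-wrapping the small DEK column, not re-encrypting every payload. None of this helps against vlm's C:\key.txt scenario; where the KEK lives is an operational decision that code cannot enforce.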

    • by The Moof (859402)

      The first oddity is why the author believes that the data would sit around for years before being used

      Some stolen information does. Credit cards and the like ("short term" data) usually is 'use as fast as possible' due to its nature (not going to be around long). However, when it comes to data that cannot be changed/very difficult to change, ie, Social Security Numbers, they sometimes sit around for years before ever being used.

      My local paper ran an article about this a year or two ago. A man in his 20's apparently had his SSN stolen when he was 13, and it just started getting used. The paper covered

    • by mea37 (1201159)

      The first oddity is why you think data would stop being used after some finite time period.

      The second oddity is that you clearly don't understand how corporate organizations use encryption on laptops once they decide to do it.

  • The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.

    Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay

    • The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.

      Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay after factoring in liability costs.

      Great idea. Let's just let all corporations do anything they want. After all, we wouldn't want them to actually be accountable for anything, would we?

    • Seriously? It would cost a fraction of what the board of directory on any of these companies makes in order to actually protect data. Not only that, but why is "well, the companies will just try to find ways around it" a good excuse for just letting them do what they want anyway. Yes, we might have to play whack-a-mole with some oddly structured corporations (huh, funny, this group of privately held corporations funneling money to each other is all run by the same group of people. Maybe we should look into
    • Re: (Score:3, Insightful)

      by mcgrew (92797) *

      The cost of a company's mistakes are a cost of doing business. Why should I pay for your mistakes? I'd rather the company go out of business, even all companies like it, than let them continue with shoddy security that may cost me dearly. If they aren't made to pay for their mistakes, the mistakes will continue to be made.

      You have morals, but corporations do not.

  • Screwup? (Score:4, Insightful)

    by girlintraining (1395911) on Monday July 12, 2010 @01:11PM (#32876784)

    Your security should be more costly to bypass than what the security is protecting. If you can't do this, you're making a business proposition to the world: "Hey, free profit at my expense. Inquire Within." If you don't want to pay to protect it properly, then the best you can hope for is that someone else's stuff is more shiny than yours.

    • Re: (Score:3, Insightful)

      by ThosLives (686517)

      This isn't security in the first place. True information security would be a situation where even if someone had all your "authentication data" it wouldn't be possible to abuse. (I'm not claiming I know how to obtain such security, and I admit it is an idealized statement.)

      It seems to me that the current situation we experience related to (financial) authentication is due to the fact that we have traded the necessity of actually knowing your banker or clients personally for what are essentially anonymous tr

  • by khb (266593) on Monday July 12, 2010 @01:19PM (#32876882)

    That all of the really useful data tends to have infinite life (birthdate, SSN or equiv for non-US, place of birth) compounds the problem (the "use case" that comes to mind is some aged drive surfaces in the used parts market and some scofflaw procures it and uses it long after the breach itself).

    Obviously, each organization should have their own ID numbers, and any given "customer" ID should be able to be associated with various time varying external credentials and really good stuff which isn't time varying shouldn't be in the hands of third parties.

    Regulators (e.g. SOX, HIPAA, UK data protection act(s)) all seem to miss the boat about limiting the scope of breeches. Legislating that no breech ever occur is laudable, but impractical. So minimizing the harm done should be the focus.

  • More a matter of when, not if, a large government agency loses a massive amount of business records.

    Their main protection is that government systems are "self-encrypting", that is, written mostly in pre-1980 OS-360 COBOL.
  • Of course (Score:4, Insightful)

    by John Hasler (414242) on Monday July 12, 2010 @01:26PM (#32876956) Homepage

    > Is it fair that you have to worry for decades and pay for further credit
    > monitoring when they are to blame for your information ending up in the
    > wrong hands?

    You are liable for the actions of your agents. If they screwed up you can sue them but you are still responsible to your customers.

  • I'm 99.44% sure that my check card info was compromised in a data theft incident but I have no proof. One day, I got a call from my bank saying that my current check card was susceptible to fraud and that a new card had been sent to my mailing address. Please call if you have not received this card.

    That set off a couple WTF questions in my head. First of all, it was implied that my replacement card should have arrived which means they'd sent it at least 2-3 days earlier. If fraudulent activity had been

    • Re: (Score:1, Flamebait)

      by XanC (644172)

      Anybody who uses a card with the Visa or MasterCard logo which is connected directly to his bank account (a so-called "check card") deserves what he gets.

  • important links (Score:2, Informative)

    by Anonymous Coward

    TFA is the summary segued into mentioning the Data Accountability and Trust Act is before the Senate. Here is the tracking site for that act, and the important Summary:
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221 [govtrack.us]
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=summary [govtrack.us]

    It's fairly straightforward. It defines terms and requires the information holders to follow a structured method of protection and reporting. Places oversight with the FTC. Notably "Prohibits the FTC ... from requirin

  • I feel that the information I share is at my own peril. Perhaps we should worry less about data security and invest more energy in learning how to get stuff done without the need to share important info in the first place.

  • The NASD has been known to levy multimillion dollar fines and pull dealer licenses for offenses made by previous staff. Their reasoning is that any competent professional would see and correct pre-existing issues. To be fair, they gave me and my staff 6 months to fix some stuff related to email auditing and retention and even made suggestions...

  • by pwilli (1102893) on Monday July 12, 2010 @01:37PM (#32877084)
    This is probably about identity theft and getting e.g. loans by simply knowing the "magic" numbers of someone else's life.

    Why is it still possible to get these things in the US without going into e.g. a bank and showing them a valid photo ID (passport, driver license, ...) to let them check if you are really the person you claim to be? Makes it a lot more difficult to get these things, and shifts liability back to the banks (if you can show you never went there to prove your identity, they screwed up by giving that loan - their fault).

    If you've got a problem with a bank seeing you in person (why?), maybe a new institution could be founded that does only that: Check IDs of people for others. Like this:
    1. Request a loan
    2. Get a unique magic number of your bank that doesn't carry any information but the bank knows it belongs to you and that loan
    3. go to the ID-check-service and let them sign that number, e.g. with: "Person xyz has proven his identity" (if paperwork, or better get a digital signature)
    4. Give signed number back to the bank

    Bank knows you are you, without you ever going there in person and the ID-check-service doesn't know what you needed that signature for (they just got a "random" number and signed it for a fee).

    Expand this scheme for other services (governmental, etc.) and you get all the privacy you got now with a whole bunch of more security.
    • It surprises me that it is possible at all to open a bank account in the US without proper identification.

      In Switzerland, the country with super-seekrit-numbered accounts (at least according to some bad fiction writers) it is impossible to open an account (even a super-seekrit one) without personally identifying yourself to the bank with proper documents (i.e. passport).

      While you may find a more shady financial institution that takes a more flexible approach on the "know your customer" rule, this will not

    • by kbeyer (183903)

      Online Banks and other internet companies in Germany use Post-Ident for this.

      It's a service by the post office where you have to go to the next shop, show your personal identification card and they send the post-ident back to the company:

      http://www.deutschepost.de/dpag?tab=1&skin=hi&check=yes&lang=de_EN&xmlFile=1016309
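    pwilli's four numbered steps above are a small challenge-signature protocol, and the properties claimed for it (the bank never sees the applicant, the ID service never learns which bank or loan) can be checked in code. What follows is an added example written for this page, not code from the commenter or from Post-Ident. Assumptions: Ed25519 is used for the ID service's signature; the bank's opaque number is 32 random bytes; the statement wording, the bank's pending-application table and the application identifiers are all invented for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is step 3 of the comment: the ID service's signature over a
// fixed statement and the bank's opaque number.
type Attestation struct {
	Challenge string
	Statement string
	Signature []byte
}

// verifiedStatement is a hypothetical fixed wording; what matters is that
// the signed bytes contain the challenge, so one attestation fits one loan.
const verifiedStatement = "person presenting this challenge proved identity in person"

func attestMessage(challenge, statement string) []byte {
	return []byte(statement + "\n" + challenge)
}

// IDService (hypothetical) only ever sees a person, their documents and a
// random number; it learns nothing about which bank or which loan.
type IDService struct{ priv ed25519.PrivateKey }

// NewIDService generates the service's signing key; banks are configured
// with the returned public key.
func NewIDService() (*IDService, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &IDService{priv: priv}, pub, nil
}

func (s *IDService) Attest(challenge string, documentsValid bool) (Attestation, error) {
	if !documentsValid {
		return Attestation{}, errors.New("identity not proven; nothing signed")
	}
	sig := ed25519.Sign(s.priv, attestMessage(challenge, verifiedStatement))
	return Attestation{Challenge: challenge, Statement: verifiedStatement, Signature: sig}, nil
}

// Bank (hypothetical) hands out one unguessable, single-use challenge per
// application (step 2) and keeps the only table linking it to the applicant.
type Bank struct {
	idServiceKey ed25519.PublicKey
	pending      map[string]string // challenge -> application id
}

func NewBank(idServiceKey ed25519.PublicKey) *Bank {
	return &Bank{idServiceKey: idServiceKey, pending: map[string]string{}}
}

func (b *Bank) NewChallenge(applicationID string) (string, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return "", err
	}
	c := hex.EncodeToString(n) // random bytes carry no information by construction
	b.pending[c] = applicationID
	return c, nil
}

// Accept is step 4: verify the signature, check the challenge is one the
// bank issued and not yet consumed, then retire it.
func (b *Bank) Accept(a Attestation) (string, error) {
	appID, ok := b.pending[a.Challenge]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	if a.Statement != verifiedStatement ||
		!ed25519.Verify(b.idServiceKey, attestMessage(a.Challenge, a.Statement), a.Signature) {
		return "", errors.New("attestation signature invalid")
	}
	delete(b.pending, a.Challenge)
	return appID, nil
}

func main() {
	svc, pub, err := NewIDService()
	if err != nil {
		panic(err)
	}
	bank := NewBank(pub)
	ch, _ := bank.NewChallenge("loan-0001") // constructed application id
	att, _ := svc.Attest(ch, true)
	appID, err := bank.Accept(att)
	fmt.Println("accepted for:", appID, err)
	_, err = bank.Accept(att) // the same attestation presented a second time
	fmt.Println("second use:", err)
}
```

    The two checks that make the scheme hold up are in Accept: the challenge must be one the bank itself issued and not yet consumed, and the signature must be from the key the bank trusts. Without the first, a genuine attestation could be replayed against a second application; without the second, anyone could stand up their own "ID service". The privacy property the comment wants comes from NewChallenge: a random number reveals nothing to the signer, whereas a challenge that encoded the loan number or applicant would leak exactly what the indirection is meant to hide.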

  • We ditched Google for Faculty and Staff at our university and this was one of the reasons why. Too much information given to a third party and no true liability if some of it were lost or stolen. If you're working on potentially patentable research, and you send it through Google's servers, and some "glitch" lets someone else look at your email...well, you might have lost a patent. And Google doesn't pay. And Google could argue that, well, what do you want for free? At which point, we say, "Nothing, th

  • by erroneus (253617) on Monday July 12, 2010 @01:41PM (#32877140) Homepage

    This is a ridiculous game we keep playing over and over again. We have "secret information" we entrust to every business entity with which we do transactions. They aren't quite as secret any longer. And these other entities have people in them... not all of them can be trusted and you will never know who or how many whos have had access to the information. It's a very flawed system especially in light of modern communications technologies available today.

    We need a system in which credentials for transactions are good for one-time-only. I present my credit/debit card and this information doesn't change again until either the expiration date arrives or I have it changed. But if I do something with my account "device" that issues a payment ticket number (rather like a cheque in many respects) that is then presented to the business entity to be used only by that business entity and only works once, twice or however often it can be used as approved by you. That code would only be useful for the other side of the transaction because of their encryption key token must work with the ticket number I issued. Then these stupid open secrets won't need to be a concern any longer.

    The big problem isn't that people can or can't securely store this information because we already know it can't ever be stored safely and also be useful. So it needs to be stored "safely enough" but also with limited usability. What it all comes down to is a system that requires end-to-end user accountability. As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.

    • by Zironic (1112127)

      As far as I know a number of banks offer virtualised credit cards with a specified limit and expiration date. If you generate those cards with the exact amount of money your transaction is worth then the card is useless if their database gets hacked.

      • by tool462 (677306)

        Yup. My bank offers this as well, and I've started making use of it after having some invalid charges show up on my account a couple of times. It's quite simple and useful, though only useful for online purchases.

    • by cduffy (652)

      About a decade ago I got a research grant for a system for generating one-time per-transaction keys -- you had a card you carried with you with a display sufficient to display the price of the item you authorized and to allow a PIN to be entered if you wanted to approve a transaction; the card had a public identifier, a private key, and a counter; it generated a token consisting of the public identifier and a hash of the private key, the counter and the transaction data.

      Didn't go anywhere -- not economicall
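    erroneus's one-time "payment ticket" and cduffy's card (a public identifier, a private key, a counter, and a token that hashes the private key with the counter and the transaction data) describe the same mechanism. The block below is an added example for this page, not the grant project's code and not anything from the thread's authors. Assumptions: HMAC-SHA256 stands in for the hash; the transaction data is the merchant name and the amount in cents; the issuer enforces a strictly increasing counter per card; the card and merchant identifiers are constructed for the demo, and the display-and-PIN step on the device is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card is the customer's device: a public identifier, a secret that never
// leaves the device, and a counter that only ever increases.
type Card struct {
	ID      string
	secret  []byte
	counter uint64
}

// Token is what the merchant receives and later presents to the issuer. It
// holds no reusable secret: the MAC covers one counter, one amount and one
// merchant, so a token stolen from the merchant's database authorizes nothing.
type Token struct {
	CardID   string
	Counter  uint64
	Merchant string
	Cents    uint64
	MAC      string // hex HMAC-SHA256 over (counter, cents, merchant)
}

// tokenMAC is computed identically by card and issuer. Every field is
// fixed-width or length-prefixed so no two inputs serialise to the same bytes.
func tokenMAC(secret []byte, counter uint64, merchant string, cents uint64) []byte {
	m := hmac.New(sha256.New, secret)
	var u [8]byte
	binary.BigEndian.PutUint64(u[:], counter)
	m.Write(u[:])
	binary.BigEndian.PutUint64(u[:], cents)
	m.Write(u[:])
	binary.BigEndian.PutUint64(u[:], uint64(len(merchant)))
	m.Write(u[:])
	m.Write([]byte(merchant))
	return m.Sum(nil)
}

// Authorize is the cardholder approving exactly one purchase at this price.
func (c *Card) Authorize(merchant string, cents uint64) Token {
	c.counter++
	return Token{
		CardID:   c.ID,
		Counter:  c.counter,
		Merchant: merchant,
		Cents:    cents,
		MAC:      hex.EncodeToString(tokenMAC(c.secret, c.counter, merchant, cents)),
	}
}

// Issuer holds each card's secret and the highest counter already honored.
type Issuer struct {
	secrets  map[string][]byte
	lastSeen map[string]uint64
}

func NewIssuer() *Issuer {
	return &Issuer{secrets: map[string][]byte{}, lastSeen: map[string]uint64{}}
}

// Enroll provisions a card with a fresh random secret shared only with the issuer.
func (i *Issuer) Enroll(id string) (*Card, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	i.secrets[id] = secret
	return &Card{ID: id, secret: secret}, nil
}

// Redeem is the merchant settling a token. Any altered field fails the MAC;
// any token presented a second time fails the counter check.
func (i *Issuer) Redeem(t Token) error {
	secret, ok := i.secrets[t.CardID]
	if !ok {
		return errors.New("unknown card")
	}
	got, err := hex.DecodeString(t.MAC)
	if err != nil || !hmac.Equal(got, tokenMAC(secret, t.Counter, t.Merchant, t.Cents)) {
		return errors.New("MAC mismatch: token forged or altered")
	}
	if t.Counter <= i.lastSeen[t.CardID] {
		return errors.New("replay: counter already used")
	}
	i.lastSeen[t.CardID] = t.Counter
	return nil
}

func main() {
	iss := NewIssuer()
	card, err := iss.Enroll("card-001") // constructed identifier
	if err != nil {
		panic(err)
	}
	tok := card.Authorize("bookshop", 1999)
	fmt.Println("first use:", iss.Redeem(tok))
	fmt.Println("replay:   ", iss.Redeem(tok))
}
```

    The strict counter rule is the simplest replay defence and also the scheme's operational weak spot: two tokens issued in quick succession that reach the issuer out of order will see the earlier one rejected, so a production issuer keeps a small window of recently used counters instead of a single high-water mark. Note what is deliberately absent from Token: nothing in it lets a merchant, or whoever breaches the merchant, construct a second charge.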

    • As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.

      Actually, the victims of identity impersonation aren't even held accountable, which is why it keeps going on. The victims of course are the banks, who mistook someone else for you and gave out some of their money. They say it was you who are at fault, so they don't give a shit.

  • by natehoy (1608657) on Monday July 12, 2010 @01:46PM (#32877194) Journal

    The correct term is "data breach", not "data breech."

    A "breech" is either a pair of short pants ("breeches"), the hind end of the body or a birth where the baby is coming out backward ("breech birth"), or the rear of the barrel of a firearm.

    So the term "data breech" means short pants made from data, data that is coming out of a system backward, or the back end of an Ethernet cable, I suppose.

    This teaching moment sponsored a chunk of my karma from the inevitable "Offtopic" and "Troll" mods this post will undoubtedly earn me.

  • 1. We need to upgrade our personal information security rules. The standard right now is too low, in part because of the way we assign financial responsibility. By outsourcing it to credit card companies, who truly don't care because of the huge profits they make and relatively small cost of fraud, we have in effect allowed and encouraged ID theft. This needs to change.

    2. If the financial fraud was all that mattered, then this wouldn't really be a big deal. But the huge problems certain people have wh

    • by Haffner (1349071)
      You would really be willing to pay the government $1000 to permanently document your retinal prints? I certainly would not.
  • Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?

    For fuck's sake, is it fair that someone stole your data in the first place? No, of course it isn't. But ultimately, it's your problem and nobody else's. Trying to make it someone else's problem is childish and irresponsible. They did their best (at least for the amount of money you spent on the service), but there hasn't been a security system invented that is 100% foolproof. So now you have to watch your information like a hawk because someone is a thief. You can hire that out too if you want, but t

    • Your post is arguably correct in its claims; but really misses the point.

      Yes, it is arguably the case that it is the submitter's fault that somebody made off with some personal trivia concerning him. However, are those trivia valuable in themselves? No. They are just some random chunks of data. Why are they valuable? Because all kinds of third parties will, idiotically, accept knowledge of them as being identical to being the submitter, and do things like hand out loans. The value and the danger of what
      • It's not even "arguably correct". If someone makes off with my SSN etc., even if it is my fault, having this information is not a crime AFAIK and I am neither culpable for exposing it nor a victim of someone obtaining it. The crime occurs when some other party is defrauded, and they are a victim of both the fraud and their own lack of diligence.

        This only becomes a problem for me when these third parties take their problem and make it mine via a central credit reporting system that I am forced to be subject

  • by eth1 (94901)

    If you store someone's sensitive information, and their ID is compromised using any of the information you store, you're liable (along with everyone else that stores that info) for reimbursing any costs or lost assets that the victims incur.

    As a bonus, this system would be a strong disincentive to storing crap about us that companies don't absolutely require.

  • The chain of events should look like: you go into a bank and ID yourself with a piece of government issued photo id. Then you can open an account or get a mortgage. Otherwise, you can't. Next up, to do a credit transaction when the card is not physically present, you get a text on your mobile phone that you need to send back. Everyone has a goddamned mobile phone capable of sending messages. By the way? This is how it works in many European countries. Also, for online purchases, virtual cards especially one
  • Maybe you should find a bank that will just let you have access with the SSN or such blocked and tell them to let you withdraw with your ATM card or against (nationally issued) ID verification only. You may not have realized this but signatures on checks / credit cards are also ridiculously insecure, same as your SSN.

    At worst, you'll only find such a bank account abroad - however, they're easy to find anywhere else but in the US. Put your savings there, use the national account only for more frequent pay
