
Long-Term Liability For One-Time Security Breaches?

An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep it secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"
  • Re:Two oddities (Score:5, Informative)

    by RobertM1968 ( 951074 ) on Monday July 12, 2010 @02:21PM (#32876910) Homepage Journal

    The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

    There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they don't put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

  • important links (Score:2, Informative)

    by Anonymous Coward on Monday July 12, 2010 @02:30PM (#32877000)

    TFA is the summary segued into mentioning the Data Accountability and Trust Act is before the Senate. Here is the tracking site for that act, and the important Summary:
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221 [govtrack.us]
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=summary [govtrack.us]

    It's fairly straightforward. It defines terms and requires the information holders to follow a structured method of protection and reporting. Places oversight with the FTC. Notably "Prohibits the FTC ... from requiring the deployment or use of any specific products or technologies." Does not mention encryption.

    But also note this is hardly the first time such a bill has been presented.
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=related [govtrack.us]

    Nor is there mention of what bizarre shotgun-marriage legislation this bill is combined with, or indicates what kind of support there currently is for this bill.

    I don't know... I'm horribly cynical about this sort of thing. But one good result might be that legislated and audited & enforced care of personal information (simple as name + credit card number) might finally make sites and services not just a little more careful with databases, but start to question whether they should have them at all. Right now, there's nearly no cost or responsibility overhead for collecting everything you can about your customers, and passers-by. This bill makes it costly; that'll limit businesses to acquiring (and holding) only the information they need to conduct business.

    Still, I'd like to see specific time limits on holding things like credit card number after a transaction, and very specific limit on sharing that information with "partners" etc. Also I'd like to see my "conduct business" above limited to processing the original transaction with you; that the personal information acquired cannot be used to make money in any other way whatsoever.

    (Sorry for doing your job, Soulskill, by supplying those links. Perhaps you could add the car analogy?)

  • Re:Two oddities (Score:5, Informative)

    by Mr. Underbridge ( 666784 ) on Monday July 12, 2010 @02:40PM (#32877118)

    There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they don't put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

    You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.

    As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.

    Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.

  • by natehoy ( 1608657 ) on Monday July 12, 2010 @02:46PM (#32877194) Journal

    The correct term is "data breach", not "data breech."

    A "breech" is either a pair of short pants ("breeches"), the hind end of the body or a birth where the baby is coming out backward ("breech birth"), or the rear of the barrel of a firearm.

    So the term "data breech" means short pants made from data, data that is coming out of a system backward, or the back end of an Ethernet cable, I suppose.

    This teaching moment sponsored a chunk of my karma from the inevitable "Offtopic" and "Troll" mods this post will undoubtedly earn me.

  • by Anonymous Coward on Monday July 12, 2010 @03:15PM (#32877520)

    The system in place for internet banking in Sweden is (usually) based around you being issued basically just such a device. That is, you have a PIN code (which is blocked after three wrong inputs) to log in to the device, and get a one-time code to log in with to the actual system. Any transactions are then further validated against the device, with transfers to a previously unknown person requiring you to not only validate the transaction, but the recipient as well.

    However, this is not the whole truth, as what you describe is something government-signed, which this (as far as I know) is not. That is, the existence of the device is (in theory) only known by you and the bank, and used only to communicate with the bank. You may have several devices for several banks/accounts/roles, and although you are expected to show who you are when getting the account/device in the first place, this is something which is normal procedure in Sweden.

    Two-factor authentication: it works, bitches.
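
The PIN-protected signing device described in the comment above, as an added model that is not Slashdot's or any Swedish bank's code: it shows why the code must be bound to the bank's one-time challenge, the amount and the payee, and why an unknown payee gets a second confirmation. `Token`, `Bank`, the shared `secret`, the 8-hex-digit code length and the three-strikes lockout are constructed assumptions.

```python
import hashlib, hmac, secrets

MAX_PIN_TRIES = 3  # the device blocks itself after three wrong PIN entries

def code(secret: bytes, *parts: bytes) -> str:
    # 8-hex-digit code from a secret known only to the device and the bank.
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).hexdigest()[:8]

def tx_parts(chal: bytes, amount: int, payee: str) -> tuple:
    # The transfer code binds the one-time challenge, the amount and the payee,
    # so a payee swapped after signing, or a replayed challenge, will not verify.
    return (b"tx", chal, amount.to_bytes(8, "big"), payee.encode())

def payee_parts(payee: str) -> tuple:
    return (b"payee", payee.encode())  # second code, asked only for unknown payees

class Token:  # hypothetical PIN-protected device, not any real bank's product
    def __init__(self, pin: str, secret: bytes):
        self._pin, self._secret = pin, secret
        self.failed, self.locked, self._open = 0, False, False

    def unlock(self, pin: str) -> bool:
        if not self.locked and hmac.compare_digest(pin, self._pin):
            self.failed, self._open = 0, True
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_PIN_TRIES
        return False

    def sign(self, *parts: bytes) -> str:
        if not self._open:
            raise PermissionError("PIN not entered or device locked")
        return code(self._secret, *parts)

class Bank:  # hypothetical bank side: issues challenges, checks codes
    def __init__(self, secret: bytes, known_payees):
        self._secret, self.known, self._used = secret, set(known_payees), set()

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, chal, amount, payee, tx, pc=None) -> bool:
        if chal in self._used:  # each challenge is accepted exactly once
            return False
        if not hmac.compare_digest(tx, code(self._secret, *tx_parts(chal, amount, payee))):
            return False
        if payee not in self.known and (pc is None or not hmac.compare_digest(
                pc, code(self._secret, *payee_parts(payee)))):
            return False
        self._used.add(chal)
        return True
```

The bank keeps nothing but the shared secret and the list of payees it has already seen, so neither side needs a clock or a government-signed identity, matching the comment's point that the device is known only to you and the bank.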

  • by Anonymous Coward on Monday July 12, 2010 @05:27PM (#32879226)

    There are thirty million illegal aliens in the US. They work without showing ID or showing laughable ID. I have personally watched one open a bank account without showing a single blessed thing. Stood right there and watched the entire sign up process, the bank did NOT ask for any ID, took the illegal's word on everything, and had a convenient foreign language speaker teller do the assisting. I was three feet away standing in line, saw it happen. They get drivers licenses in a lot of places, and all sorts of other goodies, can open any utility service they want, etc. free medical care for any sniffle at any emergency room. Free schooling for their anchor babies. The feds are now going to sue a state to keep that "no ID verification needed" practice up and running. They can sign up for and receive free or heavily subsidized college education, whereas legal citizens have to pay through the nose and show valid ID.

    ID that is even remotely verifiable is only for the legal honest citizens, if you are illegal, the government doesn't seem to care very much. Heck, they will arrest (for committing some nasty crime) and deport illegals numerous times in a row, but they still come back and can do whatever they want, no ID of any consequence or verification required. ID is the last thing they worry about, it's a joke.

  • Re:A nice point. (Score:1, Informative)

    by Anonymous Coward on Tuesday July 13, 2010 @06:59AM (#32885090)

    Sorry, the reason for your anonymity evades me, I guess it's not as obvious as you think.

    The reason for my anonymity is because I don't have a Slashdot account (I've never been able to decide on a pseudonym to use).
