Long-Term Liability For One-Time Security Breaches?

An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep it secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"


  • Contract (Score:4, Insightful)

    by decipher_saint ( 72686 ) on Monday July 12, 2010 @01:54PM (#32876590)

    Not to sound condescending, but when you hand your stuff over to a third party generally there is a contract signed between you and them, what you are looking for *should* be in that contract.

  • Two oddities (Score:3, Insightful)

    by vlm ( 69642 ) on Monday July 12, 2010 @01:59PM (#32876644)

    The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

    The second oddity is we are mostly dealing with the bottom percentiles of personnel, equipment, hardware, software, and design. So the article blissfully dreams "Let's hope that these reasonable measures will include the use of encryption." But you know that fools are just going to add another column to the database called "encryption key" so as to decode the other columns. Or store the key in C:\key.txt. Or go all ROT-13 or whatever the unicode version is of ROT-13. If you're dealing with screwups, adding more conditions just makes their screwups more Rube Goldberg and hilarious, it doesn't prevent them from screwing up.

  • by davidwr ( 791652 ) on Monday July 12, 2010 @02:00PM (#32876656) Homepage Journal

    The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.

    Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay after factoring in liability costs.

  • Re:Is it fair? (Score:2, Insightful)

    by Soilworker ( 795251 ) on Monday July 12, 2010 @02:10PM (#32876778)

    Yes, seriously, if the information is that important, why is it on an unencrypted laptop HDD??

  • Screwup? (Score:4, Insightful)

    by girlintraining ( 1395911 ) on Monday July 12, 2010 @02:11PM (#32876784)

    Your security should be more costly to bypass than what the security is protecting. If you can't do this, you're making a business proposition to the world: "Hey, free profit at my expense. Inquire Within." If you don't want to pay to protect it properly, then the best you can hope for is that someone else's stuff is more shiny than yours.

  • Re:Two oddities (Score:1, Insightful)

    by Anonymous Coward on Monday July 12, 2010 @02:18PM (#32876866)

    Yeah, I agree. Also this falls into the category of "Yeah, so?". Lots of things are unfair, and yeah, we should probably try to change them, but the feasibility is the issue: most people have probably been part of some security breach in the past 30 years. Do we monitor credit for everyone? Okay, where does it end?

    Also these credit monitoring services, while helpful, aren't foolproof. Just look at that lifelock jackass.

    I'm not saying it isn't unfair - it is - it just seems a lot like wishful thinking, kind of like: WOULDN'T IT BE NEAT IF EVERYONE GOT ALONG AND THERE WASN'T WAR? WOULDN'T IT BE NEAT IF WE ALL HAD NO IDENTITY THEFT PROBLEMS DUE TO MAGICAL CREDIT MONITORING SERVICES THAT WE GET FOR FREE? And if I had four wheels, I'd be a wagon...

  • by khb ( 266593 ) on Monday July 12, 2010 @02:19PM (#32876882)

    That all of the really useful data tends to have infinite life (birthdate, SSN or equiv for non-US, place of birth) compounds the problem (the "use case" that comes to mind is some aged drive surfaces in the used parts market and some scofflaw procures it and uses it long after the breach itself).

    Obviously, each organization should have their own ID numbers, and any given "customer" ID should be able to be associated with various time varying external credentials and really good stuff which isn't time varying shouldn't be in the hands of third parties.

    Regulators (e.g. SOX, HIPAA, UK data protection act(s)) all seem to miss the boat about limiting the scope of breaches. Legislating that no breach ever occur is laudable, but impractical. So minimizing the harm done should be the focus.

  • Of course (Score:4, Insightful)

    by John Hasler ( 414242 ) on Monday July 12, 2010 @02:26PM (#32876956) Homepage

    > Is it fair that you have to worry for decades and pay for further credit
    > monitoring when they are to blame for your information ending up in the
    > wrong hands?

    You are liable for the actions of your agents. If they screwed up you can sue them but you are still responsible to your customers.

  • Re:Screwup? (Score:3, Insightful)

    by ThosLives ( 686517 ) on Monday July 12, 2010 @02:31PM (#32877010) Journal

    This isn't security in the first place. True information security would be a situation where even if someone had all your "authentication data" it wouldn't be possible to abuse. (I'm not claiming I know how to obtain such security, and I admit it is an idealized statement.)

    It seems to me that the current situation we experience related to (financial) authentication is due to the fact that we have traded the necessity of actually knowing your banker or clients personally for what are essentially anonymous transactions. In the past, someone had to try quite hard to mimic your identity physically if they wanted to walk into a bank and raid your account, and they could only mimic one person at a time.

    Now, all someone has to do is steal keys, so to speak, because nobody at the bank really knows who you are; all they have is a database entry. We have actually given up some control over our accounts for the "convenience" of forgoing relationships with our financial institutions.

    As an aside, I actually hate the fact that this type of event is called "identity theft" because identity cannot be stolen. What is stolen (or copied or misappropriated or whatever) is authentication information, which is not the same thing as identity. It's very alarming to think that your authentication information and records define an identity.

    The real problem with the system isn't that people can get your authentication information but that you can do too much with that authentication information.

  • by craftycoder ( 1851452 ) on Monday July 12, 2010 @02:32PM (#32877016)

    I feel that the information I share is at my own peril. Perhaps we should worry less about data security and invest more energy in learning how to get stuff done without the need to share important info in the first place.

  • by pwilli ( 1102893 ) on Monday July 12, 2010 @02:37PM (#32877084)
    This is probably about identity theft and getting e.g. loans by simply knowing the "magic" numbers of someone else's life.

    Why is it still possible to get these things in the US without going into e.g. a bank and showing them a valid photo ID (passport, driver license, ...) to let them check if you are really the person you claim to be? Makes it a lot more difficult to get these things, and shifts liability back to the banks (if you can show you never went there to prove your identity, they screwed up by giving that loan - their fault).

    If you've got a problem with a bank seeing you in person (why?), maybe a new institution could be founded that does only that: Check IDs of people for others. Like this:
    1. Request a loan
    2. Get a unique magic number from your bank that doesn't carry any information but the bank knows it belongs to you and that loan
    3. Go to the ID-check-service and let them sign that number, e.g. with: "Person xyz has proven his identity" (if paperwork, or better get a digital signature)
    4. Give signed number back to the bank

    Bank knows you are you, without you ever going there in person and the ID-check-service doesn't know what you needed that signature for (they just got a "random" number and signed it for a fee).

    Expand this scheme for other services (governmental, etc.) and you get all the privacy you have now with a whole bunch more security.
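
The four-step scheme above, worked through as an added example that is not part of the original thread or any poster's code: a Go sketch of the three parties (applicant, bank, ID-check service). Assumptions not in the comment: the service's signature is ed25519 (the comment only says "a digital signature"), the bank's magic number is a random 32-byte token, and the in-person photo-ID check is reduced to a boolean handed to the service. Two checks the comment leaves implicit are made explicit, because they are where a real deployment would fail: the bank refuses tokens it did not issue, and a token proves identity exactly once, so a captured signed token cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// IDCheckService is the hypothetical third party from the comment: it checks
// a person's identity and signs whatever opaque number they bring. It never
// learns which bank, or which loan, the number belongs to.
type IDCheckService struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	seen []string // hex tokens it signed: the only thing it ever learns
}

func NewIDCheckService() (*IDCheckService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IDCheckService{pub: pub, priv: priv}, nil
}

// PublicKey is what the bank pins to verify the service's signatures.
func (s *IDCheckService) PublicKey() ed25519.PublicKey { return s.pub }

// TokensSeen is the service's entire knowledge of its customers' business.
func (s *IDCheckService) TokensSeen() []string { return s.seen }

// Sign models step 3. The in-person ID check is simulated by the boolean
// (assumption: a clerk compared a photo ID against the person present).
func (s *IDCheckService) Sign(photoIDChecked bool, token []byte) ([]byte, error) {
	if !photoIDChecked {
		return nil, errors.New("identity not proven; nothing signed")
	}
	s.seen = append(s.seen, hex.EncodeToString(token))
	return ed25519.Sign(s.priv, token), nil
}

type loanRequest struct {
	applicant string
	amount    int
	verified  bool
}

// Bank issues tokens (steps 1-2) and verifies signed tokens (step 4).
type Bank struct {
	idCheckPub ed25519.PublicKey
	loans      map[string]*loanRequest // token (hex) -> pending loan
}

func NewBank(idCheckPub ed25519.PublicKey) *Bank {
	return &Bank{idCheckPub: idCheckPub, loans: map[string]*loanRequest{}}
}

// RequestLoan: the token is random, so it carries no information about the
// applicant or the loan, but the bank privately remembers the mapping.
func (b *Bank) RequestLoan(applicant string, amount int) ([]byte, error) {
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	b.loans[hex.EncodeToString(token)] = &loanRequest{applicant: applicant, amount: amount}
	return token, nil
}

// SubmitProof models step 4. Order matters: an unknown or already-redeemed
// token is rejected before any signature is checked, and a valid signature
// marks the token used so it cannot be presented a second time.
func (b *Bank) SubmitProof(token, sig []byte) error {
	loan, ok := b.loans[hex.EncodeToString(token)]
	if !ok {
		return errors.New("token was not issued by this bank")
	}
	if loan.verified {
		return errors.New("token already used; possible replay")
	}
	if !ed25519.Verify(b.idCheckPub, token, sig) {
		return errors.New("signature is not from the ID-check service")
	}
	loan.verified = true
	return nil
}

// Verified reports whether the bank considers the applicant identity-proven.
func (b *Bank) Verified(token []byte) bool {
	loan, ok := b.loans[hex.EncodeToString(token)]
	return ok && loan.verified
}

func main() {
	svc, err := NewIDCheckService()
	if err != nil {
		panic(err)
	}
	bank := NewBank(svc.PublicKey())
	token, _ := bank.RequestLoan("Joe Smith", 10000) // constructed applicant
	sig, _ := svc.Sign(true, token)
	fmt.Println("bank accepts proof:", bank.SubmitProof(token, sig) == nil)
	fmt.Println("replay accepted:", bank.SubmitProof(token, sig) == nil)
	fmt.Println("ID service knows only:", svc.TokensSeen())
}
```

The privacy property the comment wants falls out of the data the service keeps: `TokensSeen` holds random bytes and nothing else, so even a full compromise of the ID-check service reveals who proved their identity on a given day, but not to whom or for what. The bank, for its part, never sees a photo ID; it trusts exactly one pinned public key, which is the thing to protect and rotate.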
  • by fuzzyfuzzyfungus ( 1223518 ) on Monday July 12, 2010 @02:39PM (#32877116) Journal
    The submitter of TFA(TFAS?) has swallowed the "identity theft" myth, and all its deliberately problematic implications, hook, line and sinker.

    Whoever came up with the concept of "identity theft" needs to be given an award for sheer chutzpah, then clubbed to death. The problem isn't "identity theft", an "identity" in this context is simply a bunch of information that is only copied, not destroyed or removed when compromised. The problem is bank fraud and various other sorts of fraud perpetrated by people using those data, against institutions who, in a masterful display of doublethink, simultaneously ask you for your SSN when you do anything more sophisticated than taking 20 bucks out of the ATM and treat the SSN like a double-secret-super password that only you could possibly know, on the strength of which loans will be granted, accounts opened, and so forth.

    However, by using the term "identity theft", the implication is created that you are the responsible party. As a token, whoever was responsible for the breach might be forced by law or bad PR to offer you a year of credit monitoring or something; but that doesn't address the root problem: banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered. The problem isn't that somebody knows my mother's maiden name and my SSN, the problem is that numerous financial institutions and other such entities will happily accept possession of those facts as evidence that just about anybody is actually me. However, because it is "identity theft", I'm the one who has to watch my credit vigilantly forever, and wonder what might bubble up on a background check done in my name, rather than it being "bank fraud" or "inadequate police work", which would place the burden of responsibility on the party who ought to be responsible.

    Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences. The idea that if those pesky consumers were just a little more careful, we wouldn't have this issue, is as elegantly malicious as it is utterly wrong.
  • by erroneus ( 253617 ) on Monday July 12, 2010 @02:41PM (#32877140) Homepage

    This is a ridiculous game we keep playing over and over again. We have "secret information" we entrust to every business entity with which we do transactions. They aren't quite as secret any longer. And these other entities have people in them... not all of them can be trusted and you will never know who or how many whos have had access to the information. It's a very flawed system especially in light of modern communications technologies available today.

    We need a system in which credentials for transactions are good for one-time-only. I present my credit/debit card and this information doesn't change again until either the expiration date arrives or I have it changed. But if I do something with my account "device" that issues a payment ticket number (rather like a cheque in many respects) that is then presented to the business entity to be used only by that business entity and only works once, twice or however often it can be used as approved by you. That code would only be useful for the other side of the transaction because their encryption key token must work with the ticket number I issued. Then these stupid open secrets won't need to be a concern any longer.

    The big problem isn't that people can or can't securely store this information because we already know it can't ever be stored safely and also be useful. So it needs to be stored "safely enough" but also with limited usability. What it all comes down to is a system that requires end-to-end user accountability. As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.

  • Re:Is it fair? (Score:4, Insightful)

    by shentino ( 1139071 ) <shentino@gmail.com> on Monday July 12, 2010 @02:48PM (#32877210)

    Not everyone has the choice to "man up".

    I could go on with numerous examples but the biggest would be mandatory disclosure of information to an incompetent government.

    And don't even think of telling me that "I could always choose to go to jail" when doing so means I get my prints and mug shot forcibly taken anyway.

  • Re:Two oddities (Score:5, Insightful)

    by shentino ( 1139071 ) <shentino@gmail.com> on Monday July 12, 2010 @02:52PM (#32877242)

    The problem is that identity theft is profitable for more than just the thief.

    The credit bureaus make shitloads of money from identity thieves taking out loans and triggering credit reports.

  • Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences.

    I assume you have a better idea, then? About the only thing I can think of is government-signed (and revokable, such as in case of theft/loss) physical tokens that can do public-key cryptography, which (1) is only recently somewhat feasible, and (2) might not be that great an idea given how intertwingled all the functions of the government are.

  • by Anon-Admin ( 443764 ) on Monday July 12, 2010 @03:28PM (#32877716) Journal

    Ok, a better idea. No more central credit reporting. They all rely on that, and it is exactly what the information leads to. So if every bank had to manage their own credit reporting and rely on their rapport with the customer then there would be no identity theft.

    If the local branch of XYZ bank knows Joe Smith then it is hard for Jack to walk in and convince them that he is Joe. Add to it that Jack going to ABC bank and saying he is Joe does not get him any better chance of credit as he would have to take time and build a rapport with ABC Bank to get the credit.

    Banks and many others seem to take the information in the three major credit agency files as golden and they rely on it for everything from loans to apartment rentals. The problem is that any information that is used to verify the identity of the person and connect them to the report can be found out and used by those who are less than honest. This leads to fraud and thus to issues.

    Remove the three agencies and there is no more identity theft. When I have to work with the bank to build my credit at that bank it is hard for someone to steal it.

  • by fuzzyfuzzyfungus ( 1223518 ) on Monday July 12, 2010 @03:33PM (#32877766) Journal
    I don't think that there is any one silver-bullet solution; I just think that the allocation of responsibility to the helpless rather than to the responsible is A) massively unjust and B) definitely does retard the development of better methods.

    The fact that a bank will hand somebody a loan for some thousands because they know a couple pieces of biographic trivia about me is idiotic; but I am OK with that. It's their money, if they think that they can maximize profits by trading off security for convenience, more power to them. What really pisses me off, though, is that, after they do that, I am the "victim of identity theft" who has to watch his credit report forever, and fight an endless battle by certified mail with some Kafkaesque division of Equifax in order to rectify things. In a remotely just world, the response would be "You, a financial institution who really ought to know better, gave some guy ten grand because he knew a few pieces of public information? You dumb shit, I guess you are out the money."

    There is no perfect defense against fraud; but I bet they'd come up with something better than what we currently have, if the costs fell on them.
  • Re:Is it fair? (Score:1, Insightful)

    by Anonymous Coward on Monday July 12, 2010 @04:03PM (#32878138)

    No. Who told you life was fair?

    You're responsible for protecting yourself. Don't expose your data unless you need to; then change it if you can. Don't put your money where it can be stolen. Etc. (Wo)Man up. The world is not here to wrap you in cotton balls.

    Yes. Don't ever accept a job (you'll have to show some sort of ID.) Likewise, don't ever open an account with a bank or credit union. Don't ever attend an institution of higher learning.

    As for living, just move into a cardboard box. Not only is it cheap, which you'll need with no job, but you'd need to provide tax information to buy a residence, and apartments won't lease to you without some sort of proof of employment, which you won't have. Or move to some third-world country and live in a shack.

    And for best results, cover your shack or box in tinfoil. Also, consider making a hat....

    It's your information, sheeple! Don't just fritter it away for the trappings of modern conveniences!

  • by sconeu ( 64226 ) on Monday July 12, 2010 @04:28PM (#32878458) Homepage Journal

    What if you're trying to get your first mobile phone?

  • by mcgrew ( 92797 ) * on Monday July 12, 2010 @04:43PM (#32878640) Homepage Journal

    The cost of a company's mistakes is a cost of doing business. Why should I pay for your mistakes? I'd rather the company go out of business, even all companies like it, than let them continue with shoddy security that may cost me dearly. If they aren't made to pay for their mistakes, the mistakes will continue to be made.

    You have morals, but corporations do not.
