Personal Data Exposed! Can Legislation Fix It?

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

More laws are the key ... to EVERYTHING

[Kohath]

I know we're just one law short. With one more law, nothing will ever go wrong and everyone will live forever. Just one more law.

I'm sure this is the one. No one will accidentally release anyone's private details when it's illegal.

Why haven't they made getting in a car accident illegal?

Re:

[PPH]

How about one to prohibit shooting people on college campuses?

Re:

[Opportunist]

Why not go all the way and outlaw murder?

Oh... wait, I think there's been something like that already. Anyone know whether it worked?

Re:

[Fulcrum of Evil]

Guns are already illegal there, so noone would do that.

Re:

[PPH]

How about relaxing the privacy laws on these complete nutbags so we know who they are?

I guess that Anonymous Coward person who posts on /. would really be pwned.

Re:More laws are the key ... to EVERYTHING

[KiahZero]

Laws are just codified rules. The question is, what rules would you want people to follow, and what penalties should exist for breaking those rules?

Re:

[TubeSteak]

Laws are just codified rules.

And look who is writing a draft of those rules: A law firm.

Unfortunately, that's how a lot of laws get written. Law firms, think tanks & lobbying organizations write up their wish list and then sweet talk Congressmen or Senators into submitting it.

This happens at both the Federal and State levels.

Maybe the public representatives (in reality, their staff) should be writing up the rules.

"Oh, but we like this set of rules!"
My response: think of all those laws you didn't like.

Re:More laws are the key ... to EVERYTHING

[Qzukk]

because we can't be trusted to make the right choices on our own, but legislators can

None of the credit agencies seem to be willing to lift a finger to do "the right thing". I guess we're going to have to start suing the credit agencies for defamation or something whenever they associate our identity and credit with a criminal in order for them to take notice, if we're not going to be allowed to make laws to tell the credit agencies to get their act together.

Re:

[pnutjam]

Could you point me at a copy of this law? I'm in Indiana and I haven't heard about it, unless it's related to the Indiana Do Not Call list.

Do you have a mohawk and wear safety pins?

[spun]

Let me ask you then, do you think that societies should have rules? Should there be consequences for breaking those rules? How should those rules be decided upon?

You can't just throw away one of the most basic tenets of civilization of the past 5,000 years without some explanation of why this most universal and ancient system should be demolished, and what it should be replaced with. I mean, sure, you could do what you just did, and apparently there are even a few people with mod points willing to reward yo

Re:

[Kohath]

...give up the rule of law...

I'm pretty sure this is what you misunderstand. The "rule of law" doesn't mean that there should be a law to rule every action, inaction, transaction, or interaction in life. "Rule of law" means that governments can only use force according to the law. It stands in contrast to "rule of men" where individual rulers impose their will on the folks who are ruled.

There another concept called "freedom" where individuals are free to act largely without the oversight of a ruler or a

Re:

[spun]

I know what the rule of law means. I never suggested that every action or inaction be regulated. We agree there has to be a balance, but probably differ on where the correct balance lies. In general, I agree that creating a new law should be a last resort.

However, you were not arguing against any specific case. You appeared to be arguing against all laws in general. Now that I know where you actually stand, I can ask you specifically: how should this situation be handled? Because this certainly seems to fit

Re:

[Kohath]

This is a law to protect against force and fraud.

Really? Who is the aggressor? Who is the defrauder?

It seems clear that any law in this case would regulate innocent third parties rather than the aggressor. Hence, the government becomes the aggressor with the innocents, as always, being the victims. Is it really just to harshly punish the folks who disobey this new law? (Mild punishments don't deter.)

Rather than make a new law here, we should repeal a bunch of other laws. Then the government agents who

Re:

[spun]

The agressor or defrauder is likely a third party. However, I believe in the concept of negligence, and I believe that people who allow others to come to harm through negligence should be held responsible for the harm caused. Do you disagree?

Without a law forcing companies to disclose breaches of privacy, do you think any will do so? How else would people even be notified that their identity and credit were at risk? You give vague generalities, but nothing concrete that can be analyzed objectively.

I ask you

Re:

[Kohath]

Mouthing empty platitudes in place of real analysis and problem solving gives all anarchists and libertarians a bad name.

I'm not an anarchist. Anarchists should look bad. They are bad.

And mouthing empty platitudes is good enough for 99% of the rest of political debate, why should I be held to a different standard (especially considering I got the FP)? Your belief in thoughtful, honest political debate is naive and outdated. People don't care about intellectual honesty. If they agree with you, you don't

Re:

[spun]

You sure sound like an anarchist. You do know that libertarians are but a minor offshoot of anarchism, don't you? Are you a libertarian?

I won't even dignify the next paragraph with a response, except to say, I hope to God that was a poor attempt at sarcasm or irony or some such.

And the last paragraph is more empty platitudes with no thought behind them. I feel dirty from merely having had this conversation. I'm done here.

Re:

[Kohath]

I won't even dignify the next paragraph with a response, except to say, I hope to God that was a poor attempt at sarcasm or irony or some such.

Nope. That's the current reality. There's no benefit in pretending reality is different than it is. I haven't seen a counter example to my assertions on intellectual honesty in several years. And the trend is against it.

And the last paragraph is more empty platitudes with no thought behind them. I feel dirty from merely having had this conversation. I'm done here

Re:

[jZnat]

But corporations aren't individuals, so I don't see why you'd be upset with regulating them. If corporations were individuals, they'd be diagnosed with several psychological disorders (e.g., sociopathism) and would be deemed unfit for society.

You can't trust a corporation to do anything but maximise its profit. Some corps will have responsible owners/shareholders that also want the corp to be a productive member of society, but most corps are controlled by shareholders whose only interest is seeing quarte

Re:

[Kohath]

But corporations aren't individuals, so I don't see why you'd be upset with regulating them

Corporations are groups of individuals. You can't harm a corporation without harming individuals.

Re:

[DragonWriter]

Laws are legislators substituting their choices for yours and mine (because we can't be trusted to make the right choices on our own, but legislators can). Or, more accurately, because we've specifically selected legislators for the purpose of making choices about the rules governing society (i.e., laws.) Legislators are our choice.

Re:

[CastrTroy]

It's not about making it illegal to lose the information, it's about letting the people who when it inevitably happens.

Re:

[CastrTroy]

Sorry, That should be

"it's about letting the people who are affected know when it inevitably happens"

Re:

[sconeu]

Verbing weirds words.

Re:

[technicalandsocial]

In Canada, we have PIPEDA http://www.privcom.gc.ca/legislation/02_06_01_01_e .asp [privcom.gc.ca], as well as provincial and industry related privacy legislation that is useful. If you have a violation, you can submit it to the privacy commissioner, as well as http://www.cippic.ca./ [www.cippic.ca]

Re:

[Goaway]

I thought it was mostly teenager who thought it was clever to substitute cynicism for insight, but judging from your user ID, you're probably not one. So what gives?

Re:

[Kohath]

So suggesting that new laws aren't the answer to every problem is "cynicism"?

Re:

[Goaway]

No, the attitude that people who make laws are idiots and that laws are useless is cynicism, and totally misguided.

Especially in this case, where the only regulating mechanism is the law, as there's zero economic pressure to handle sensitive data securely.

Re:

[Kohath]

And the attitude that individuals are idiots and can never be trusted to run their own lives without laws governing their every move? That's not "cynicism"?

Especially in this case, where the only regulating mechanism is the law, as there's zero economic pressure to handle sensitive data securely.

Huh? What makes the data "sensitive" then? You seem to be saying that the data has no value and the disclosure of the data harms no one. If the data has value and the disclosure of that data causes harm, then I

Re:

[Goaway]

The disclosure of the data causes little to no harm to those who are in possession of it, at least as long as the disclosure is kept secret, which is easy to do.

It causes great harm to others, but they have no way to influence its handling and no way to find out it has even been disclosed.

Now where's the motive to protect it?

Re:

[treeves]

I completely agree with the gist of what you're saying: that it's stupid to think that just passing another law will solve the problem, but you err in saying they want to make it illegal to release the data. What the law is for is to require that those whose data were released must be notified that it happened. Mind you, that's not going to solve everything either, but it is different from what you suggest.

Re:More laws are the key ... to EVERYTHING

[hey!]

True, laws cannot prevent bad things from happening to you. But they can deter unreasonable things from being done to you. And they can also compel people who willfully do such acts to make the damage good.

These are the kinds of laws that a rational person can support. It's laws that are meant to protect us from ourselves we have to many of.

In fact, we do not so much need new laws, but clarifications of how existing legal principles apply.

If I park my car and do not set the brake, and it rolls down the hill into your house, the law says I have to pay for the damages to your house. Not you. You get an estimate of, say $2000, and I have to pay that plus a certain amount to compensate your for your inconvenience.

That isn't paternalism, it's common sense.

Now suppose I negligently release private information about you, and that results in your identity being stolen. The damage I've done to you is incalculable. And therein lies the rub. I am not responsible for the criminal misdeeds of others, but I have caused you far more than $2000 of trouble by my negligence. It is the inability to put a dollar amount on that damage that keeps me immune from being sued by you.

If Congress set a standard $1000 damage level for negligent disclosure of private financial data, you could sue me. But you wouldn't have to. If I managed a database of a thousand people, I'd be looking at a cool million in direct liability. It would alter my calculations. I wouldn't be sending your private data home on an unsecured laptop so a temp I've done no background checks on can do a little data entry.

That's the common theme we've seen in "shocking" cases of data mismanagement. It's not shocking at all, it's inevitable. If the cost of mishandled data is zero, then I'll risk exposing you to identity theft for a penny on an account, multiplied by enough accounts and that's real money.

It isn't hard to secure data to the point that the risk of disclosure is negligible. But it's impossible if the cost of disclosure is zero.

Re:

[starfishsystems]

Beautifully said. I don't know when I've seen a concept put forward so clearly and succinctly on Slashdot. Cheers!

Re:

[mandelbr0t]

I'm sure there's probably enough laws if people were interested in applying existing laws in the context of the Internet. The main problem is more one of enforcement: if I see undesirable network traffic (spam, phishing, malformed packets, etc.), I have no idea who it is. It takes considerable resources and a subpoena to bring even the lowliest spammer or phisher to justice. I'm pretty sure it's illegal to divulge people's personal information without their knowledge or permission in most circumstances; we

Current Liability Causes Indifference

[SRA8]

Currently, vendors losing data typically offer 3 months of identity detection, as if that does anything. Criminals can simply wait 3 months and begin stealing identities freely, as most people cannot afford to purchase these costly (and largely useless) services. Unless vendors are presented with liability, as are most other businesses, data will continue to be lost all the time. There is virtually no cost to losing data.

Re:

[qwijibo]

I'm sure there is no way to implement your idea into law, but I do like the idea of being inversely proportional to the protection provided. Companies don't spend money on making the data or systems secure because it's simply not cost effective. Putting some senior management in jail and finding the company for this kind of carelessness would be nice, but there's just no way it would work.

The best a law can do is create a new market for people claiming to sell solutions. If a company goes with a system b

What *I* Would Like to See in Legislation?

[lbmouse]

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

Re:What *I* Would Like to See in Legislation?

[symes]

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

News just in:- Female IT workers around the world have breathed a collective sigh of relief.

Seriously though, accountability seems to be the key. It feels like (hands up, I'm no expert in this area) that people can get away with some of the shoddiest practices when it comes to safeguarding other peoples' personal data. I don't think it is enough to expect the market (in that serious breach of security and loss of data will cost that organisation customers) to regulate itself. It's like shutting the gate after the horse has bolted. There needs to be something up front - focusing organisations' minds on making sure this does not happen in the first place. I would say that an organisation that handles, for example, credit card data should be made accountable for any losses directly attributable to mishandling that data plus some compensation in lieu of the time required to close the account, order new cards, etc..

Re:

[Aadain2001]

News just in:- Female IT workers around the world have breathed a collective sigh of relief.

All three of them...

Re:

[morgan_greywolf]

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

But the Legislation would never impose this penalty on themselves!

Oh, you mean for the criminals...

That's no problem

[Opportunist]

When you consider how lobbyists twist them around their little finger, I'd wager politicians don't have any balls anyway.

I felt a great disturbance in the Force...

[UnanimousCoward]

...as if millions of voices suddenly cried out in terror and don't even know why.

Jail the CEO

[EmbeddedJanitor]

Hanging jail time in front of the CEO tends to get some focus in the organisation.

Old saying: a fish rots from the head. If the CEO isn't onboard, then the CIO etc won't give this priority.

What would I like in draft legislation?

[eln]

I'd like legislation protecting my right as an American to slap the shit out of my elected representatives whenever I choose. I think this could greatly improve their sense of accountability to the electorate. Also, sales of ice packs in Washington would skyrocket.

Or were you looking for legislation more specific to the whole identity theft issue?

Criminal Identity Theft

[G27 Radio]

I've been writing a bit about my personal experiences with Criminal Identity Theft. It's something quite a bit different than your typical identity theft. I'm wouldn't hold my breath waiting for the states to do much about theft of personal data on their own. They didn't even bother to notify me when they found out some jerk had been using my names to commit crimes. I've come to the conclusion that the government just doesn't give a rats ass about these things.

I'll be writing something to these guys. If you're interested in what I've been dealing with, my story starts here:

http://g27radio.blogspot.com/2007/04/think-youre-s afe.html [blogspot.com]

Accountability

[AK Marc]

There is only one thing that companies are accountable to, and that's the shareholders. If you can save $200 with crappy security and screw over 100,000 people with a breach, a company is under pressure to save the $200. If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc. Fine them up to $1000 per person exposed. Oh, lose the data of 100,000 people on an encrypted laptop left in an airport lounge? That'll be $100,000,000. Also, make concealing a breach (as opposed to reporting it) a jail-able offense. Yes, that may make losing a laptop and hiding that fact get someone more time in jail than a murderer, but we need to drop the "what would a rapist get" dogma. Yes, raping someone is bad. But what about a little loss multiplied by 100,000? Wouldn't screwing up thousands of people's lives (even if the inconvenience isn't really that large) really be in the same league as messing up one person's life really badly?

Recap:

Required disclosure
Jail for those that purposefully avoid disclosure
Large fines for breaches

Re:

[HangingChad]

If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc.

One can hope, but it would be unwise to hold your breath waiting for big fines. Even if Congressed passed big fines for losing Privacy Act data, it's quite possible most companies would not pay them, even if they were grossly negligent. In response to a big

Re:

[walt-sjc]

The problem is that perfect security is IMPOSSIBLE, especially since the data "needs" to be available to a large portion of the company in order for work to be done.. We can certainly be better though. Forbid the storage of personal data on laptops with jail time for anyone that transfers such data to a laptop or other portable media (with the exception of backup media.)

How about restricting the collection and storage of personal information in the first place? How many companies REALLY need your SSN? How a

Re:

[AK Marc]

The problem is that perfect security is IMPOSSIBLE,

Perfect security of data is easy. You destroy it.

especially since the data "needs" to be available to a large portion of the company in order for work to be done.

If the risk of fines is high, they'll find a way to no longer need it.

How about restricting the collection and storage of personal information in the first place? How many companies REALLY need your SSN? How about schools? Do THEY need it? Really? [...] How many web sites want your birth d

Re:

[Fulcrum of Evil]

You don't have to tell the businesses what they can and can't do.

Sure you do - that's called regulation. It's much better to proactively require safe practices than clean up the mess afterwards. Haven't you heard of SOX or PCI?

Re:

[AK Marc]

Sure you do - that's called regulation.

Are you too stupid to understand what I wrote, or smart enough to know you purposefully twisted what I said in a lame and futile attempt to make me look stupid? You don't have to tell companies what to do to get them to do what you want them to do. You just have to make it financially better for them to do the right thing, and they'll do it. And the great thing about that approach is that they will probably do it better than what you could have made them do with s

Re:

[Fulcrum of Evil]

Aren't those the same thing? We don't tell people not to rob each other, we just lock them up if they do.

Re:

[nadamsieee]

This has been tried before with the Data Accountability and Trust Act [loc.gov]. It was a decent piece of legislation until the corporate lobbyist screwed it up [schneier.com]...

Don't legislate !

[cyberianpan]

Why you shouldn't force notifications to customers

-Zero day exploits: crooks will rush to do zero day exploits as an official confirmation will prove they've got good data (so more sophisticated gangs will buy it from them, most fraud happens in the first 24 hours)
-Honeytrap: When identity theft occurs law enforcement agencies may wish to honeytrap the thieves by letting them use the say credit card details & thus tracking them.
-White Noise Defense: smart companies ought have "white noise" dud systems, easily hacked containing white noise data with honeytrap triggers (eg a valid credit card number but one that belongs to say FBI) in it !
- and so on.

But they should be forced to notifiy law enforcement agencies.

If you want data, be responsible OR ELSE

[Opportunist]

Here's what I'd like to see in a law:

If you store personal data, you're responsible for everything that happens if this data gets stolen. Everything. No matter if you're in any way responsible or whether it has been deemed "correctly" stored. You lose my data, you stand up for all the damage done.

Yes, that includes governmental organisations.

Don't want to be held responsible for losing my data? Don't store it.

Wait a Minute....

[asphaltjesus]

I've got a few questions:

1. How is it that this law firm gets paid for the privilege of drafting our laws? Before anyone hits the reply button, what makes you think this is some kind of pro-bono cause for the law firm? The likelihood this is some kind of charitable effort is miniscule. What makes you think citizens preferences will win over the corporate interests?

This story encapsulates what's wrong with our democracy.
-The Law has been abstracted and complicated to such a degree that the above-average (

Re:

[asphaltjesus]

Your alternative leads one down the blind path of non-accountability and no transparency whatsoever.

You propose the fall guy remains way-way down the chain of authority and the executive class retains authority, and the salary to reflect that, but no liability.

Instead of name-calling, how about a viable alternative where the chain of authority is clearly defined? Maybe it's just easier to shout-down ideas than it is to come up with some constructive alternatives?

Re:

[Artifakt]

I see your first point, but how in the hell did you get the idea that a CEO could be "never directly responsible"? That's a marvelously narrow definition of the word directly, it stands utterly opposed to the way that phrase is used in all the body of both corporate law and US criminal law, and if it's your real logical position, then you should be equally opposed to holding the getaway car driver responsible for a homicide resulting from a bank robbery, since he too is not directly responsible. Are you sur

Change the cost/benefit to discourage hoarding

[Urban Garlic]

My fantasy strategy is to punish the owners of inaccurate personal information.

Legislation that provided a penalty for holding inaccurate personal data about someone would strongly discourage people from grabbing personal info just because they can. If bit-rot in personal-info databases had legal consequences, people would be more careful about what they collected, and would take the trouble to verify its integrity. It'd be harder to sell a database like that, too, since the buyer would want the means to keep it up to date. Also, you can bet that every personal-info-storing website would switch to an "opt-in" model about as fast as their lawyers could say "liability risk".

The major downside would be that it would disproportionately hurt small organizations. Sadly, I don't have a solution for that.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Qzukk]

the government doesn't want to admit that if we took the government out of the equation, that the system would look a whole lot less broken than it really is.

Is that before or after all the banks and credit agencies implode when the government's social security number is taken away from them?

cause damages? pay them all

[swschrad]

and that means lifetime. if BigCo has enough data in their files to mess up somebody's credit, they pay for all damages, correcting the files, and for the life of the person, for every instance where impaired credit causes harm, pay for it.

some weasel steals your ID and you lose the house you're trying to buy? BigCo buys you a house, free and clear.

can't get that zero-percent car loan? BigCo pays for the car in cash and hands you the keys.

then and only then will companies get serious about how much stuff

Can legislation fix it?

[hackstraw]

The summary and the FA were short on information, but here is my stab at this.

How about we just keep our private information private? The increase in the amount of personal data that is attempted to be acquired by private companies is increasing, and remind me how my giving of my personal data to Pets-R-Us is going to benefit me?

I paid cash for a car, and the people wanted my social security number. Why?

A health club near me wants my social security number to lift weights and stuff. Why?

Oh, and don't get me started with those so-called "Privacy Agreements" that some of these comanies give out to you. All of those end with the clause "we can change our mind at any time w/o notifying you", so how is this any kind of agreement? By signing one of those I am agreeing to nothing.

So, I think that the laws should say that there are 2 kinds of personal information. One kind is something that can clearly identify me. My address, phone number, ssn, name, etc. And none of that should be shared with anyone. Abstract data for marketing reasons is OK. My age, sex, or whatever they can get from me that does not directly tie the information to me is OK.

Re:

[Red Flayer]

I paid cash for a car, and the people wanted my social security number. Why?

So the cash transaction can be reported to the IRS, as required by law (depending on the amount). This is supposedly to help detect money-laundering and drug trafficking.

A health club near me wants my social security number to lift weights and stuff. Why?

For a credit check, to make sure that you'll be likely to make the monthly installment payments on that annual membership, and probably to see if you're a high risk for stealing e

Re:

[Fulcrum of Evil]

So the cash transaction can be reported to the IRS, as required by law (depending on the amount). This is supposedly to help detect money-laundering and drug trafficking.

What law? If I write a check for a car, they aren't getting a SSN from me.

For a credit check, to make sure that you'll be likely to make the monthly installment payments on that annual membership, and probably to see if you're a high risk for stealing equipment.

If you can rip off a gym, you probably don't need a membership. Seriously

Re:

[Red Flayer]

What law? If I write a check for a car, they aren't getting a SSN from me.

Is that check over $10,000? Good luck with that.

If you can rip off a gym, you probably don't need a membership. Seriously, who steals iron weights?

People who want to be able to work out at home? Barbells disappear quickly from gyms if they are not watched carefully.

Re:

[Fulcrum of Evil]

Is that check over $10,000? Good luck with that.

It's a check. They can get my bank and account number just by reading it.

Corporal punishment

[ewg]

I favor more laws, especially if backed up with the threat of corporal punishment [wikipedia.org].

New SSN

[Alchemar]

One of the biggest problems with identity theft is that SSN were not intened to be used for identification purposes. My Social Security card clearly states that it is for Tax and social security purposes only - not for identification. Yet every organization out there wants to use your SSN for an ID. It use to be my student number, my health care number, and I can't recall the last time I needed to access banking information that I wasn't asked for the last 4 digit to "VERIFY MY ID" The people that set up Social security numbers knew that using it for ID would be bad. Try refusing to give your SSN. Unless you are independently wealthy, that means no job, no bank account, no phone, no Drviers license, no house, no car, and no insurance. What I want is for them to enforce the laws that we have. If we must have a new law, make it a criminal offense to ask someone for their social security number unless they must file a tax in that person's name, and also make it a criminal offense to use the social security number for any purpose other than filing that tax form. The main problem is that since the Social security office doesn't recognize that a social security number is an ID, having your ID stolen is not a valid reason to get a new number. The social security office recomends that you move to a new country and start over, and other countries actually have fleeing the US for identity theft as one of the reasons to seek relocation into their country

If they absolutly need a national means of identifying people, then it needs to be in a secure manor. My suggestion is to issue everyone an electronic ID card. With all the extra "security" that goes into an id they can afford a small dedicated computer the size of a credit card calculator that only gives a secure ID number. When someone needs to verify your ID, they must request a key from the goverment, similar to a tax ID, but it is the public key for an encryption. They give you their public key, you enter it into your computer wich has your private key, it generates a number, the company sends that number to a goverment computer, it returns the critical information for the person involved. Name and Birthday. If they require more information, they must fill out the goverment forms explaining what information they need, and why; which becomes public record. Set it up so that your computer tells you what the company is, and what information they will be given. Now they have a secure means of identifing you, and you can verify who is requesting the information, and the ID number you give them is only good for that company. They can't use the data to request a new credit card, because the credit card company would be given a different number based on their public key. Set a password on the computer so that it can't be used if stolen, and set provisions where someone can request a new card and private key if it is compromised.

Re:

[Archangel Michael]

"If they absolutly need a national means of identifying people, then it needs to be in a secure manor. My suggestion is to issue everyone an electronic ID card."

Yeah, just tie this new number to a SSN so that all the old legacy systems can use either!

All kidding aside, why do we need numbers at all. How about using photographs? How about Fingerprints? How about anything other than something that is EASY clone? Whether or not it is SSN or some other numeric based ID, the problem with the system is the same.

Re:

[Alchemar]

One of my points was to make it an ID number NOT a tracking number. Enforce the existing laws so that they can't use the SSN by linking back to it. Part of making the plan work is that you have a different number for each company, so that they can't create a central database, which makes the data less valuable to people that would consider stealing it.

Re:

[Fulcrum of Evil]

There is no law against using the SSN as an ID number.

Re:

[Alchemar]

The law states what the goverment can use your social security for:

http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/e n duser/std_adp.php?p_faqid=78&p_created=955482891&p _sid=jw34mSzi&p_accessibility=0&p_lva=&p_sp=cF9zcm NoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9 OSZwX3Byb2RzPSZwX2NhdHM9MTYsMzUmcF9wdj0mcF9jdj0yLj M1JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfbmwmcF9w YWdlPTE*&p_li=&p_topview=1 [ssa.gov]

everything else is supose to be voluntary, but with the current method of doing

Re:

[Alchemar]

That is what I meant by "and set provisions where someone can request a new card and private key if it is compromised." What do you do if you lose your drivers license ... you go get a new one. Just make sure that people are issued a new private key if the old one is lost or compromised.

Legislation has never fixed anything.

[pair-a-noyd]

There are millions of laws and all of them are ignored by the criminals.
Honest people obey them but criminals do not.

What it will take is to enact a DEATH PENALTY for computer crimes / identity theft.
That's right, strap the bastards down in Ol' Sparky and televise it to the world.

Two or three public executions and the problem will pretty much go away over night.
Do it from another country you say? No problem. Send a Special Forces hit team to kill them in the dark of night.

Seriously though, one day someone is going to get really, really pissed off and they'll go get a pound of flesh from the companies that allowed the data breach to happen. It's only a matter of time.
There are a lot of unhinged people on the edge as it is now.

This has gone on way too long. Enough with the useless laws, let's start up public executions.

Re:

[jb.hl.com]

Enough with the useless laws, let's start up public executions.

This idea sounds sane and reasonable. An eye for a nasal hair, that's the spirit!

Target the credit bureaus

[Daffy Duck]

I doubt the solution is to make sure that all of the dozens of companies that hold your SSN must have perfect security inside and out for all eternity.

I'd rather outlaw the use of your SSN as both username and password. Why are the credit bureaus allowed to let anyone who knows those nine irrevocable digits mess with your credit report?

Re:

[Lithdren]

Agreed! A SSN is not, in any way, meant to identify you. Its for tax reasons only, to link up info for taxes for the goverment.

You use SSN now for EVERTYHING, from getting hired, to getting credit cards, to buying a house, to getting pulled over for speeding, to requesting tax forms. everything.

Whats worse, if you have an SSN, name, and DOB, a company will believe its really you, and not the guy stealing your identity. Its a large problem.

We either need to create something to replace the SSn that

Restrict the Creditors

[scruffy]

We need to make bad creditors pay for identity theft. It is their lax identification/authentication procedures that cause much of the problem.

1) Make creditors pay you triple damages when your identity is stolen.

2) Put an upper limit on interest rates so that creditors can't gouge the honest debtors to pay for the dishonest ones.

The problem isn't disclosure

[gillbates]

It is how banks and other institutions carry out identification. Typically, your name, address, and SSN are all that is needed for a criminal to commit fraud.

And typically, the worst you'll have to put up with should your identity be "stolen" is signing an affidavit to that effect. I'm not aware of any case in which someone whose identity was stolen ended up with out of pocket expenses. Typically, the merchant eats the fraud.

The banks, merchants, etc... are the real losers. However, if it was a s

Re:

[twbecker]

And typically, the worst you'll have to put up with should your identity be "stolen" is signing an affidavit to that effect. I'm not aware of any case in which someone whose identity was stolen ended up with out of pocket expenses

I guess you don't consider your time and effort an out of pocket expense. Time is money. While I thankfully don't have any first-hand experience with ID theft, from what I've heard recovering from it can involve many many hours of correspondance with financial institutions, credi

Re:

[CantStopDancing]

The banks, merchants, etc... are the real losers. However, if it was a serious problem, banks and merchants would be doing something about it.

and the reason they're not is because, and this is the important bit, they pass the costs on to their customers. That's right, banks and merchants don't lose one red cent over identity theft. They simply raise rates or add extra fees or apply previously non-existent charges, when it happens too often. *every* instance of identity theft is subsised by *every* customer

A simple fix I'd like to see ...

[timholman]

There is one very reasonable change I'd like to see enacted. I want to have the option of putting my credit file on permanent Fraud Alert with the major credit reporting agencies. Currently consumers have the right to make a phone call to an automated line which places a Fraud Alert on their credit files (I call Equifax at 800-525-6285, who then shares the alert with the other agencies). This alert prevents identity thieves from opening a new line of credit in your name without the agency contacting you first.

The only problem is that the alert must be renewed every 90 days. To get a permanent Fraud Alert, you must prove you've already been a victim of identity theft - essentially closing the barn door after the horse has gotten out.

Consumers need to have the right to request a permanent alert without question, and for any reason. I am long past the point in my life where I need instant credit. I can afford to wait long enough for the credit agency to call me if I need to open a new account. Of course, the credit agencies will fight any such measure tooth and nail (the 90 day alert had to be forced upon them by law), but unlike some proposals I've read so far, this one is actually doable with a realistic amount of effort on everyone's part.

Easy answer

[Marxist Hacker 42]

The problem isn't a lack of privacy- the problem is too much privacy. I say, the new law should be an utter *lack* of privacy in financial matters- an open records law. Then we can simply hire government auditors to watch for fraud patterns and punish only the criminals.

"patchwork of state laws"???

[Russ Nelson]

"patchwork of state laws"??? You morons, that's exactly HOW the United States is *supposed* to work. Look at the name: United States. We're not a single country, we're a union of independent states, each of which has its own government, and its own set of laws. The "patchwork of state laws" is our guarantee against a tyrranical central government. The different state laws allows people to pick and choose between the laws that protect them most and oppress them least. It's a feature, not a bug! [russnelson.com].

Re:

[Russ Nelson]

Sometimes, and those specific instances are clearly enumerated in the Constitution. Everything else that the federal government does is, well, unconstitutional. I mean, I can read as well as the Supreme Court. Given their decisions on what the federal government can and can't do, I think I can read better than the Supreme Court.

I know - let's pass a law to help the victims...

[GuyverDH]

If any number of client's data is exposed, lost, stolen then the following action will be taken. #1 All assets of the company that lost the data will be frozen. #2 Corporate officers will be held liable, and serve a prison term no less than 5 years. #3 The victims will be provided with identity theft insurance for the rest of their lives, paid for by #4. #4 All assets of the company will be sold, and said money will be distributed evenly to the victims, after subtracting the cost of lifetime identity theft

Free the victims from any consequences

[gelfling]

We assume that there is no security and no privacy therefore the only sane thing to do is force anyone to prove it is you who is you in order to collect moneys, rights or some other thing from you.

Won't really matter

[Deagol]

To quote the duck: "Consequences, shmonsequences...as long as I'm rich."

I don't really see how this will help. As it takes a big legal team to fight these big corporations, we'll mostly see results like most other big lawsuits. The laywers will settle for a huge amount, get most of it, and business will go on as normal. Even if it's not a class-action and comes down to a single plaintiff actually winning a substantial judgement, it won't be enough to curb the abuses. It never does.

What we really nee

To answer the headline:

[frdmfghtr]

No. Legislation cannot fix this; that's like making bugs in code illegal.

Legislation can only make mistakes like this painful, but it cannot prevent them.

Along the same line of thought; traffic laws don't prevent accidents, they just assign blame for them.

No federal solution

[Thunderstruck]

The desire to fix things with a single, federal, solution is part of problem. As many of the above posts already note, identity theft is possible in large part due to the existence of single national identifiers. Further, a federal-law solution would be constitutionally limited, and could only regulate those organizations engaged in (interstate) commercial activity. Data collections created for governmental, political, religious, or research purposes would probably be above federal authority and subject

Fix Fair Credit Reporting Act

[zentec]

The problem lies in the fact that you do not own your personal information, it's considered an asset of the corporation holding it. The Fair Credit Reporting Act still puts the burden of monitoring and repairing credit profile on the individual. The free credit report legislated in the past couple years does nothing to stop identity theft, and the FCRA continues to be decidedly anti-consumer.

The Fair Credit Reporting Act should allow me full and unfettered access to the information about me whenever I dee

I'll make it really, really simple.

[hey!]

Simply adopt the EU Data Privacy Directive [wikipedia.org], lock stock and barrel.

It isn't just that this is the most well thought out approach to data privacy there is, although having the advantage of hindsight it probably is. It shows some family resemblance to the 1972 US HEW recommendations on "Records Computers and the Rights of Citizens", but with the benefit of two more decades of legal, technical and business experience.

It has actually been implemented. European society, and more importantly European commerce di

Law Firm?

[cybermage]

I'd like to see fewer laws drafted by lobbyists. Can they include that?

Legislation can't fix it

[PingXao]

Just like legislation didn't fix the spam problem. What will fix it is harsh penalties that are actually carried out on companies that lose peoples' private data. Legislating the penalties would fix it. Legislating another slap-on-the-wrist law that says, "Don't do that!" won't fix anything. A handfull of large penalties, say $1,000 per name, making a big splash will get most places to clean up their act quickly. Lose data on 10,000 customers and get fined $10 million. Put the onus where it belongs: on the companies collecting the data. Personally I'd like to see an ammendment to the US Constitution that explicitly spells out the right to privacy. Technically that right is reserved to the people since it's not spelled out in the Constitution, but we've seen violations of rights by the government an awful lot over the last few decades. Even the ones that ARE spelled out in the Constitution. Pass an ammendment and then pass laws that impose consequences for violating it.

A few things...

[TemporalBeing]

1. Notice to affected people within 72 hours (48 hours?) of knowledge of the incident.
2. Enforcement of all non-government groups not being allowed to collect or use information like SSN, Driver's License Number, Passport Number, except for as needed to fill out government forms, which basically means employers and places that have to either give you tax information or report it.
3. Requirement of all entities to obtain only the minimal amount of information
4. Requirement of all entities to receive written, nota

The government can't protect us... here's proof:

[SonicSpike]

The senseless and horrific killings last week on the campus of Virginia Tech University reinforced an uneasy feeling many Americans experienced after September 11th: namely, that government cannot protect us. No matter how many laws we pass, no matter how many police or federal agents we put on the streets, a determined individual or group still can cause great harm. Perhaps the only good that can come from these terrible killings is a reinforced understanding that we as individuals are responsible for our

Fix it?

[Brandybuck]

Can Legislation Fix It?

Whatever "it" is, the answer is most probably a resounding "no!"

I know this is Slashdot, home of the geeky nerd, but let me pull out my big ClueBat(tm) and whack you one: LIFE IS NOT SOFTWARE! You can't fix life's problems by adjusting a few of society's variables or getting government to run a different algorithm. Human beings are not cellular automata that you can manipulate in a social experiment.

For once, try thinking of a solution that doesn't involve laws and courts and cops and

How do you legislate intelligence?

[Richard Steiner]

A certain percentage of humanity will always be stupid, distracted, or otherwise impaired when dealing with their own (or their employer's/clients') system's security, and that ensures that at least some systems will always be insecure ... at least if secure configurations are dependent on actions taken by those people.

Re:

[ExileOnHoth]

Enjoy your sheltered life. I thought it was hype too, till it happened to me. now I hear myself ranting about "identity theft" and sometimes I stop and think, "when did I become this crackpot?"

Like anything, like war, cancer or flooding, the whole problem seems silly and irrelevant when it happens to other people. Then one day it happens to you.

I'm not comparing this to war or cancer -- but I don't think you've thought through the seriousness of this problem. Ask yourself this: What's your time worth?

What i

My vet can do that!

[EmbeddedJanitor]

You have not been "fixed" yet? Just stand in line with the tom cats.