Should Companies Share Criminal Blame In ID Theft?

ScuttleMonkey posted more than 5 years ago | from the whole-system-stinks dept.

Security 328

snydeq writes "Deep End's Paul Venezia criticizes the lack of criminal charges for corporate negligence in data breaches in the wake of last week's Best Western breach, which exposed the personal data of 8 million customers. 'The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information,' Venezia writes. 'Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again.' As data security lawyer Thomas J. Smedinghoff writes, data security law is already shifting the blame for data breaches onto IT, thanks to an emerging framework of complex regulations that could result in grave legal consequences should your organization suffer a breach. To date, however, IT's duty to provide security and its duty to disclose data breaches do not include criminal prosecution. Yet, with much of the data security framework being shaped by 'IT negligence' court cases over 'reasonable' security, that could very well be put to the test some day in court." It's a slippery slope to be sure, but where should the buck stop?

fp (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#24741477)

first post

Yea! (0)

Anonymous Coward | more than 5 years ago | (#24741481)

If they do not, who will?

Re:Yea! (4, Insightful)

corsec67 (627446) | more than 5 years ago | (#24741619)

Next step:
Actually punishing companies that break laws, in such a way they can't just dissolve the front and start with a new name and the same people.

Re:Yea! (4, Interesting)

Anonymous Coward | more than 5 years ago | (#24741645)

Exactly right. Nobody.

At the very least, they should be held civilly liable. We should be suing every last one of these MFing companies that hand our personal data over to criminals to the fullest extent provided by law. There should be statutes on the books allowing for statutory damages to be awarded when our personal data is negligently handled.

And where are the ambulance chasers in all this? Why aren't there ads on my TV for shysters who will take on these cases?

Follow the money... who's getting paid? The politicians. Barack Obama, John McCain...doesn't matter who you vote for, because they both have their hands in the same pockets!

Is it even illegal? (4, Interesting)

cayenne8 (626475) | more than 5 years ago | (#24741781)

Is it even illegal at all, to divulge customer data?

I mean, I know HIPAA takes care of issues with respect to people's medical records, but, I don't think that there are actually any laws against the release of people's data. If there were, there would be a whole lot less of companies out there that held and traded in such information.

It is a crime to break into a computer to gather this data. But, I don't think at this point, in the US it is a crime to lose it.

If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.

If there is, can someone cite it or give links on this?

Yes/No (5, Insightful)

HappySqurriel (1010623) | more than 5 years ago | (#24741551)

I think it is entirely appropriate to investigate a company when large amounts of personal information end up being 'stolen' ... If it turns out that the company did not take the necessary steps to protect people's personal information they should face some consequences. At the same time, there has to be an understanding that even the best technologies available and best practices may not prevent all personal information theft so a company should not face harsh consequences if they took the necessary steps to protect people's information.

Re:Yes/No (4, Insightful)

penix1 (722987) | more than 5 years ago | (#24741611)

I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

Re:Yes/No (5, Interesting)

kannibal_klown (531544) | more than 5 years ago | (#24741743)

I've got a better idea. Ban the collection of personal information beyond the time required for the transaction. I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred. If you are going to be light on them when they lose it, then be heavy on what they can keep.

Well what about long-term services like Life Insurance? A service like that would need to keep your Name, Birthday, Social Security Number, address, next of kin, etc until you died and someone collected. And what about Banks and Loan offices?

A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you but I think they should get rid of your credit card info after X days/weeks.

In all, it's a mixed bag of blame. Personally I think the government and law enforcement should take Identity Theft a lot more seriously, with major penalties against these fraudulent jerks.

Re:Yes/No (5, Interesting)

thesolo (131008) | more than 5 years ago | (#24742087)

A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it. Why it would be on a flippin LAPTOP I have no idea, something like that should be a server only accessible from the company's encrypted network (but I digress).

$10 says someone was either creating top-line reports or other such nonsense based on spreadsheets full of live data, and they brought it home/outside of the office to continue working on it past business hours.

I can't even tell you how many times I've seen people in insurance companies take live data home with them so they can whip up statistical reporting. People don't follow IT protocol when it becomes inconvenient for them to do so. (i.e. staying late at the office vs going home & working there.)

Re:Yes/No (2, Interesting)

nine-times (778537) | more than 5 years ago | (#24742177)

Well what about long-term services like Life Insurance?...A friend of mine got a notice from his life insurance firm saying that a laptop was stolen that probably had his records on it.

It seems like you could have a rule to dispose of data after the transaction except in businesses/industries where it's necessary, and then regulate those businesses/industries better than we do now. How about it's illegal for a company to put that sort of data onto a laptop?

Re:Yes/No (0)

Anonymous Coward | more than 5 years ago | (#24742195)

Apparently you have not purchased life insurance recently.

I'll be brief.

When an Agent sells you a policy they bring along a laptop and enter your personal information into it.

Following along so far? Good.

The laptop is then lugged back to the Office and the data is uploaded from there. I would imagine that the original data still resides on the laptop.

No Insurance company will issue cell cards to their agents just to sell a life insurance policy, and I sure as heck wouldn't want the portal to my info accessible through the internet anyway.

So I'm sorry your friend's info was stolen. But that is the nature of the beast.

Re:Yes/No (2, Interesting)

jellomizer (103300) | more than 5 years ago | (#24741993)

Great idea, let's throw business back 2 decades. This data is used beyond just advertising and marketing; it is used to improve the business on the whole.

Eg. When you call your credit card company you can usually get your balance and access what most usually called features right away. I bet if you call them a few times and not go that route that the phone system may change for you to get you on and off the line quicker making you happy as you are spending less time on the line and them happy not having to pay to keep you on the line for longer times.

Or if you go back to the store or an online store then it can fill out all the information for you that you entered in already making checkout a lot quicker.

How about tracking progress of a product line. They see that while a product is still selling strongly they may find that some areas stopping and spreading thus time to change the product or offer services to extend the product. Or change the shipment quantities around so one location isn't overstocked and the other has a stock out.

Data is key for a successful company; as IT Guys you really should know this already. Lack of data will cause you to go by the gut and just start guessing.

Re:Yes/No (4, Insightful)

Zironic (1112127) | more than 5 years ago | (#24742117)

Tell me again what part of those features require my personal data? Learn to use a serial number seriously.

Code violations (2, Insightful)

Brain-Fu (1274756) | more than 5 years ago | (#24741733)

Most forms of construction must adhere to a code. Why should software be any different?

It would be nice, IMO, if we could formulate a set of minimum requirements for any kind of personal-data-handling software (including codes for operating procedures). Things like "all passwords in the system must use strong encryption" and "backups of the data cannot be stored on personal laptops" and the like.

Then legally require businesses to hire some ratio of software developers who have passed a code certification and logged sufficient hours under the apprenticeship of a certified master, and cite them if any such developers blow the whistle on them.

It is not a perfect solution. It has problems with implementation. And of course M$ will do its darndest to ensure that codes require the use of its software. But it is still better than the situation we have now.

Re:Code violations (1)

morgan_greywolf (835522) | more than 5 years ago | (#24741983)

Then legally require businesses to hire some ratio of software developers who have passed a code certification and logged sufficient hours under the apprenticeship of a certified master, and cite them if any such developers blow the whistle on them.

Hmmm...smells like a union...

Re:Code violations (0)

Anonymous Coward | more than 5 years ago | (#24742029)

I formulated them already on my laptop, but it got stolen and the only backup was still in the CD drive.

I will now invest in a RAID array so I have 3 distinct places of storage.

Re:Code violations (1)

blueg3 (192743) | more than 5 years ago | (#24742135)

Things like "all passwords in the system must use strong encryption" and "backups of the data cannot be stored on personal laptops" and the like.

Sadly, that sounds about accurate for the results if such a code was written.

Passwords don't use encryption of any sort, and data backups shouldn't be stored on any laptop, personal or not (nor on an individual user's work desktop, nor on any personal machine...).

Re:Yes/No (2, Funny)

zappepcs (820751) | more than 5 years ago | (#24741757)

So all is ok if the stolen laptop had everything encrypted? That would seem legally equivalent to someone hacking at a server in the company's data center but not getting in. Then what kind of paperwork etc. is required for a contractor to use laptops from the company contracting them? The point being, how far can culpability be extended through the food chain? If an employee is not a security expert and does what IT told them to do but a compromise still happens, is the company or an employee guilty? If my details are leaked and my ID stolen, can I sue the company, the CIO, and the employee?

Sarbanes-Oxley has already wreaked havoc on the business world. Extending culpability for data breaches to criminal prosecution would be even more destructive in terms of the changes and security costs involved in protecting the company from financial damages in the event of a data breach.

I'm still waiting for DHS confiscation of a laptop to cause a data breach. When (not if) that happens, can we sue the government?

(I am playing devil's advocate, or rather corporate advocate)

Re:Yes/No (5, Interesting)

David Gerard (12369) | more than 5 years ago | (#24742095)

The Economist ran a report pointing out that companies had whined at length about how Sarbanes-Oxley was crippling their business, but they did an investigation and found that the companies in question were doing as well as before or better.

(The Economist is absolutely gung-ho to the point of stupidity about free markets, so I don't think they have some sort of corporate agenda in saying so.)

Re:Yes/No (4, Interesting)

Sylver Dragon (445237) | more than 5 years ago | (#24741975)

I think there is a way to go about it that would work.
The first thing that would have to be done is that we would need some guidelines as to what a "reasonable" level of security is, and even that might be scaled based on the type of information stored. This should then be re-evaluated yearly by a commission of qualified IT managers from industry. There are other limitations which should be placed on the commission, but that's outside the scope of this uninformed rant.

Just as an example:
Storing customer names and addresses - Database encryption and basic perimeter security may be considered reasonable. Losing data and not being there should result in fines and maybe some jail time.

Storing Credit Card info - Same as above, but add backup encryption, laptop hard-disk encryption, internal firewall for DB servers and source code audit on all applications with DB connections. Failure to comply and losing data would be hefty fines, jail time for those responsible for the systems, and civil liability to those people affected.

Storing Social Security Numbers - All the above, but damages increase substantially, as does jail time, with c-level execs getting in on the PMITA action. And civil liability is increased to "the affected customers now own your ass" level.

The problem, of course, is that it would be the government doing it, so they would invariably screw it up.

Re:Yes/No (3, Informative)

javelinco (652113) | more than 5 years ago | (#24742165)

The credit card industry has mandatory PCI compliance. This basically covers your concerns. Supposedly, those companies not compliant will not be allowed to process credit cards - and the requirements must be audited and proven by an outside firm. It's QUITE expensive. The problem is whether or not these rules are being enforced. They ARE getting more stringent as time goes forward.

Re:Yes/No (0)

Anonymous Coward | more than 5 years ago | (#24742143)

If a company is going to collect and store personal data, it should have to notify annually all who are in the database. Like FDIC, all data stewards need to carry insurance of say $250,000.00 per account for potential losses.

Too many companies are holding data without the ability to protect it.

civil not criminal (4, Interesting)

v(*_*)vvvv (233078) | more than 5 years ago | (#24741559)

This would be a great civil class action case, but criminal? The slope is quite slippery, and like previous posters have said, the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

Of course, some would argue that the banks and lenders behind the whole sub-prime mortgage crisis deserve to be criminally punished for causing a global recession and for the number of lives they've destroyed.

Re:civil not criminal (2, Insightful)

sm62704 (957197) | more than 5 years ago | (#24741749)

the cops don't do much when it comes to non-violent, non-domestic, non-street crimes.

I know a man who was charged with home invasion and attempted murder for breaking into a man's home and trying to kill him with a butcher knife, and plea bargained down to two weeks in the county jail.

A woman I know spent four months in Dwight Correctional Center for a non-violent drug offense (possession). It seems to me that being careless with thousands of peoples' lives, let alone attempted murder, should carry a far heavier burden than a crime with no victim.

Re:civil not criminal (0)

Anonymous Coward | more than 5 years ago | (#24742205)

I guess no one told you that drugs are funding terrorists.. and killing kids with harmless sounding names like 'cheese'.

Think of the terrorists!
  Think of the children!

Criminal charges for companies != jail time (4, Insightful)

religious freak (1005821) | more than 5 years ago | (#24741561)

If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

However, you can (and IMO should) have much stiffer penalties than civil courts allow. When a data security breach is so bad as to harm society itself, it should be prosecuted criminally - this is the doctrine for criminal prosecution of companies. Criminal penalties can range from massive monetary damages, to shutting the entire company down, or forcing changes in management. This is the correct route to go.

Obviously, if the implication is that the IT workers themselves should be thrown in jail, this is absurd and would cause all kinds of damage, both foreseeable and unintended.

Re:Criminal charges for companies != jail time (3, Insightful)

sm62704 (957197) | more than 5 years ago | (#24741841)

Freezing a company's assets and disallowing any business for two years would be the equivalent of putting a human in prison for two years. So you could, in fact, "jail" a corporation. You could shield its employees (at least the ones not responsible) by forcing the company to pay them anyway. If it goes bankrupt, well, people go bankrupt after incarceration, why shouldn't businesses?

Or conversely, put its CEO and Board of Directors in a maximum security prison with the other criminals, many of whom caused far less damage to people, or none at all.

The thing is, the corporations are deemed too valuable to be punished. THIS is what should change.

Re:Criminal charges for companies != jail time (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24742101)

Agreed! Corporations have all the benefits of "being a person" and none of the liabilities. If they are convicted of criminal behavior, basically they just pay...and maybe some employees go to jail. The corporation, however, blindly continues on with perhaps a lower quarterly earning that month. Corps are chartered and if we had the guts, they could be un-chartered. Shut down a company for a year and other corps would (hopefully) be terrified. People would lose work, shareholders would freak, but think about it. It wouldn't be long before both those parties held the corporation's feet to the fire.

Re:Criminal charges for companies != jail time (4, Insightful)

TubeSteak (669689) | more than 5 years ago | (#24742171)

If a COMPANY is being prosecuted criminally, you obviously cannot have jail time, because it's a non-person.

It is tiring that this line of reasoning keeps getting trotted out.
WTF do you think executive officers are for?

"The Company" doesn't do anything illegal, the corporate officers & various (vice) presidents are the ones in charge and they have always borne the responsibility of the company's actions.

Well (0)

Anonymous Coward | more than 5 years ago | (#24741581)

I'm reminded of what that guy from Jurassic Park said: 'I don't blame people for their mistakes, but I do ask they pay for them.'

Corporations are EVIL (-1, Flamebait)

all5n (1239664) | more than 5 years ago | (#24741585)

Corporations are EVIL, don't you know?

Yes, this is another good opportunity to HURT them and make them PAY.

Re:Corporations are EVIL (0)

Anonymous Coward | more than 5 years ago | (#24741799)

HAHA... you obviously don't know about Karma. You'll be modded to oblivion, until you give up your posts in frustration. No dissenting opinions allowed.

Long live /. groupthink!

Re:Corporations are EVIL (1)

all5n (1239664) | more than 5 years ago | (#24741905)

You can always tell when you hit upon someone's real motives. To these people it is not a question of the law, but how the law may be manipulated to further a socialist agenda.

Self reporting of a felony would not happen (5, Insightful)

frith01 (1118539) | more than 5 years ago | (#24741591)

You have a choice, allow organizations to report the data breach, or have them cover it up to avoid the penalty.

[Why would anyone report a data breach when that means they would face jail time?]

Remember, the odds of an external entity finding out about the data breach are extremely small (except for the ones taking the data of course).

Re:Self reporting of a felony would not happen (2, Interesting)

MozeeToby (1163751) | more than 5 years ago | (#24742031)

Easy, make the penalty dependent upon the company's handling of the situation. If the company comes clean the penalty is X dollars per victim. If the company attempts to hide the situation the penalty is 100 * X dollars per victim.

Re:Self reporting of a felony would not happen (1)

nine-times (778537) | more than 5 years ago | (#24742207)

That just motivates them to either cover it up really well, or else maintain some level of plausible deniability. You just can't make something illegal with a stiff penalty and then expect that people will come forward and report themselves.

Re:Self reporting of a felony would not happen (4, Informative)

sampson7 (536545) | more than 5 years ago | (#24742183)

I completely disagree with your assertion that a company would not self-report. As a compliance officer with a major international corp (albeit in a different field), we are often faced with the difficult question of whether to self-report a potential violation. We are generally faced with three options when a potential violation arises:

1. Self-report the violation, fix the problem/install appropriate controls, get the "credit" for active compliance, take the medicine and move on.

2. Document the potential violation internally, fix the problem/install the appropriate controls, establish the paper record documenting the potential violation, but explaining why it is arguably not a violation or that there is no affirmative duty to self-report.

3. Actively attempt to conceal the violation or ignore a clear legal requirement to self-report.

Pop quiz! Which of these three "options" could lead to massive fines by the appropriate governmental regulator, share-holder lawsuits, top managers being fired and even the destruction of your company?

Anybody who thinks a potential release of information could not bite you in the ass needs to imagine the type of risk/reward analysis the company goes through. I can easily envision the following scenario. Company loses critical personal information. Company actively hides the loss and/or actively ignores legal obligation to self-report. The thief attempts to use the stolen credit card numbers/whatever. Thief is caught. Thief tells police where he acquired the information. Police investigate the breach. Internal emails/IMs reveal that the company knew about the breach but did nothing. Company faces multiple class action lawsuits from: (1) the people harmed by the breach of their personal information; and (2) shareholders who should have been informed in the quarterly SEC-required disclosures that the Company faced a potential liability.

Now some fly-by-night company might reach a different cost-benefit analysis. But any large company should immediately recognize the potential harm of trying to cover something like this up. When you're talking about a bank or large medical company? Would you as CEO or internal compliance officer risk millions or even billions on something that is so likely to become discovered? Even if the chances are 10,000-to-1 against the breach ever coming to light? Frankly, the rewards are simply not worth the risk.

Hard to say (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24741601)

Almost any system can be hacked by someone sooner or later. If a crack was found in SSH that allowed a root shell, would the person responsible for the code be held responsible? or the guy who admins the server?

Re:Hard to say (4, Insightful)

hairyfeet (841228) | more than 5 years ago | (#24742141)

The problem ISN'T hackers and thieves, the problem is rampant King Kong sized stupidity. How about we only bust them for gross negligence? Let's face it, it is these morons that have thousands of customer records on unencrypted laptops, or leave an unencrypted backup tape sitting in the parking lot in their car, or the idiots at my local phone company who put a bunch of machines on the curb without bothering to wipe the drives first.

I think we can all agree that there is a BIG difference between taking precautions and getting hacked and these brain trusts that don't even bother to show even the tiniest bit of common sense. We need to have penalties for the ones that don't even bother to try, otherwise why would they spend the money on security when they aren't really going to be punished when they screw everybody? And I agree with the earlier poster that there needs to be a time limit for most of this stuff. While a previous poster used the example of an insurance company the simple fact is there are way too many companies that hang onto every scrap of information that comes their way for years. We should come up with a set of criteria that has to be met before you are allowed to keep data for longer than the transaction requires. But as always this is my 02c, YMMV

Yes (4, Insightful)

sm62704 (957197) | more than 5 years ago | (#24741621)

Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

There should also be, upon conviction in criminal court, monetary redress for the poor slobs whose data was compromised, and it should be a LOT more than it cost the compromised person. Say, enough to buy a new car.

Why can't we have the death penalty for corporations? The standard answer is "all those people who get thrown out of work", but there IS a death penalty for corporations; ENRON suffered the death penalty, but the people in charge (at least the ones that didn't go to prison) suffered no penalty at all.

How about a "death penalty" where the victims are given the company itself?

Re:Yes (1)

nasor (690345) | more than 5 years ago | (#24741751)

Not only should there be criminal damages, but attempting to keep the theft secret should carry an even heavier penalty.

Although I can appreciate the sentiment behind this, I think a better solution would be for companies to stop pretending that something like a social security number can act as a magic password that magically proves people are who they claim to be on a credit card or cell phone application. Then it wouldn't particularly matter if our "personal information" gets out.

Re:Yes (1)

ArsonSmith (13997) | more than 5 years ago | (#24741945)

Of course pointing at the problem and solving it are completely different tasks.

What fool proof identification system do you propose?

I've always figured going with all three identifying items.

1) Something you have. (IE the credit card)
2) Something you know. (IE the PIN number)
3) Something you are. (IE fingerprint, retina scan, DNA, etc)

1 & 2 can easily enough be changed or updated if a breach happens, 3 is something you can always have verified by some kind of identification authority.

Re:Yes (1)

nasor (690345) | more than 5 years ago | (#24742007)

I don't know of any fool-proof identification schemes, but "Ah, you know a social security number, so CLEARLY you are the person who that social security number belongs to!" is about as idiotic as you can get.

Re:Yes (1)

moderatorrater (1095745) | more than 5 years ago | (#24741807)

That reminds me of when Bart owned a factory downtown, which made Frank Grimes hate Homer even more.

Is this the fate you wish to subject me to?

Re:Yes (0)

Anonymous Coward | more than 5 years ago | (#24741897)

What's that smell... Ahhhhhhhh /. socialism.

Nothing quite like it in the whole world

Re:Yes (1)

sm62704 (957197) | more than 5 years ago | (#24742099)

What's that smell... Ahhhhhhhh /. sociopathic anarchy.

Nothing quite like it in the whole world. If you harm me, you should make good on your damage to me. That's what government is for -- to protect me from sociopathic anarchists like you.

Re:Yes (0)

Anonymous Coward | more than 5 years ago | (#24741941)

If you could get actual damages instead of vouchers and coupons it would be an absolute miracle. The problem is that the only people who get cash from class actions are the lawyers who are *supposed* to be representing the class. All the companies do is determine if they can win. If not, they determine how much money it will take to settle and make the lawyers go away. The class gets fucked every time.

No (1)

holophrastic (221104) | more than 5 years ago | (#24742041)

There seems to be something being forgotten here. In any pure game of cat and mouse, the cat always wins. The game ends when the cat catches the mouse. There is no end-game scenario for the mouse "gets away". When it comes to securing something, physical or electronic, the game of cat and mouse becomes the game of cops and robbers.

In any pure game of cops and robbers, the better funded group always wins. When it comes to physical property, robbers need to break locks, sneak in, sneak out, and escape capture. Furthermore, physical property can often be recaptured, and destroyed property can typically be repaid. But when it comes to electronic data like credit card numbers, there's no returning it once it's been exposed. There's no escaping or sneaking, or transport.

Obviously, exposing people to criminal charges when a robber breaks into your home is incredibly stupid. But it's even worse if you go down the road of charging corporations when they are exposed to electronic theft.

I think it's pretty fair to say that Ethan Hunt can steal anything from anyone. There's always some way to break in, or coerce someone on the inside. Right now, the only thieves willing to do so are those with experience, ability, and something to gain.

Hmmm, break into my competitor's database, and my competitor goes down. Hmm, break into that other company's database, and their stock drops. It very quickly becomes worthwhile to do so. All you've done is add one more way for the criminal to benefit from the crime.

So how about stiffer penalties for the criminal? The cause of theft is not opportunity, it's motive.

Re:Yes (0)

Anonymous Coward | more than 5 years ago | (#24742077)

Question one. What happens to the people who own stocks in the corporation?

Question two. How many lawmakers own lots of stock in corporations?

as simple as due diligence ,,, (4, Interesting)

Brigadier (12956) | more than 5 years ago | (#24741625)

If you're going to store my private data without my expressed permission. In other words I didn't specifically request it (as opposed to having it thrown in as a caveat on some user agreement). Then you are responsible for all mishaps that may be incurred by your actions.

If I ask you to save my data then I accept that I am giving permission to said company as is. In other words it now is my responsibility to look over all disclosures.

The inherent problem however is there is no means of specifically identifying a person. First and last name no longer work. You can assign them a unique code but most people get tired of bringing around an ID card for every business they do business with. Thus you are forced to use a.) a phone number which is subject to change, social security ID, or credit card number.

So though I do believe they should be held responsible for negligence and saving information without expressed permission. I do think the credit industry as a whole is responsible. There needs to be a fixed ID system which is separate from the credit system (as in credit score) and governmental ID systems.

This one ID bullshit needs to stop. Each person should have a superficial ID which can be changed at request. A credit ID which requires in person transactions (loan etc), a government ID and a health care ID. All of which should be maintained by different independent agencies.

Probably, yes (0)

Anonymous Coward | more than 5 years ago | (#24741627)

The legal distinction between civil law and criminal law is that civil law is intended to redress a grievance between two parties or organizations, whereas criminal law involves the punishment for an action considered to be injurious to society as a whole.

In this case, these disclosures/leaks lead to widespread identity fraud, which victimizes many many people (not just the individual whose identity is stolen, also banks, merchants, people who may be scammed by the imposter, etc.)

So I'd say, yes, this action (lax IT security) can be considered harmful to society as a whole.

Executive level. (0)

Anonymous Coward | more than 5 years ago | (#24741643)

The IT department is likely completely unable to set policy, and cannot be responsible for the incompetence of call-center type workers.

Fines against IT-level individuals will just cause the companies involved to outsource their IT, and won't solve any of the security breaches.

By holding executives directly responsible, they will be forced to make the correct decisions at the hiring, policy, and training level.

Fix the bank and lending system instead (4, Insightful)

lena_10326 (1100441) | more than 5 years ago | (#24741649)

Stop giving out credit to every person who walks up to a cash register. Stop warehousing critical information that can be used to apply for credit. Stop approving credit based on only Name/SSN/Address. Stop this culture of unlimited, unchecked credit to anyone, any time, any place.

The problem is the lending system, not the fact your data is leaked. In web terms, credit applications need to be double opt-in, not single opt-in.

Re:Fix the bank and lending system instead (2, Funny)

db32 (862117) | more than 5 years ago | (#24741745)

Clearly you are confused. If we take away the ability for people to spend themselves into oblivion with easy credit the terrorists win! I want the prices of everything on the market artificially inflated by people's spending habits of imaginary money. I am simply not satisfied until I have to pay $50 for a $5 item because the supply and demand curve is completely screwed due to the massive influx of imaginary money into the consumers' hands!

You must be some kind of dirty pinko commie bedwetter if you want to stop the massive debt spending credit system.

Re:Fix the bank and lending system instead (3, Insightful)

lena_10326 (1100441) | more than 5 years ago | (#24741933)

100% on-topic. Data breach => identity theft => credit and lending fraud. Fix it at the tail end by making the data useless to fraudsters. Think it through next time, mod. Just think it through.

My two cents (1)

Van Cutter Romney (973766) | more than 5 years ago | (#24741651)

If it's negligence in case of the company then it does make sense to sue the company. No employee should be running around with a laptop full of SSNs and addresses around (even if they are encrypted). That's negligence and the full force of the law should be brought on those people.

If it's due to a physical theft, say a burglary, you can't do too much about it. You can only review your procedures and make sure it doesn't happen again.

The worst is when companies fail to report it. They're the ones who should be sued to hell and back.

Criminal Charges? (5, Insightful)

db32 (862117) | more than 5 years ago | (#24741653)

Sure...while we are at it let's put a cop in jail every time someone in their city gets mugged, murdered, raped, etc.

I will be exiting the field the moment some kind of stupidity like what is suggested goes in place. I have a family, and I have no intention of spending time in jail being a scapegoat for something like this. It is stupid to expect an individual to be held accountable criminally for something like this. Why should I spend time in jail or face fines personally because Vendor X couldn't be bothered to employ better programmers or test their stuff? Never mind there will ALWAYS be vulnerabilities. Or maybe I go to jail because some worker brought in an infected USB photo frame. The only way you can really secure the desktop computer completely from the user is to cut the power cable and give them a pad of paper and a pen.

That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it. Seems to me not collecting it is far easier and more viable in many many cases. I agree that there is a problem in the value that data provides the company and their lack of "encouragement" to protect it. The notion of holding already overtaxed administrators criminally liable will only make the problem worse. The field will shrink even further and I imagine many of the competent ones will find work elsewhere not wanting to be a whipping boy under idiotic laws like this.

Re:Criminal Charges? (2, Informative)

blindd0t (855876) | more than 5 years ago | (#24741963)

> That said...I think there should be something to "encourage" companies to actually invest the resources in protecting that data, or just to stop collecting it.

Chargebacks (card holders disputing charges with their credit card company) are good incentive. Ultimately, it is the vendor that loses money when a user claims a charge is unrecognized and the vendor is unable to provide sufficient proof that it was a legitimate purchase (though the CVV2 number helps the vendors here). To add to that, even more incentive is provided by the banks because they keep track of the unresolved chargebacks on all merchant accounts. If they find your merchant account has had too many unresolved chargebacks per month, they'll typically send you a notice informing you that you have 30 days to find another bank, and setting that up to continue your sales is generally next to impossible to achieve. It is, in some cases, possible to pay the bank extra money to keep the merchant account active for a bit longer, however.

> Seems to me not collecting it is far easier and more viable in many many cases.

Indeed, it is. A vendor's ability to meet PCI DSS standards is much simpler when card data is not retained. However, there are some cases, such as automatic recurring payments, where storing card data is appropriate. At that point, additional measures are obviously necessary.

Personally, since the monetary liability ultimately comes back to the vendor, I don't feel criminal charges are necessary. That, and it seems like it may be simple to exploit such a system to make money suing vendors via charges designed to appear fraudulent. Additionally, many of the chargeback requests are often people simply not recognizing charges (i.e. they didn't remember making the purchase, and/or the card processing was done by a third party on behalf of the company selling the product). Now, fraudulent use of retained credit card data is an obvious crime. But provided a vendor has not abused their data and has taken the appropriate measures to meet the PCI DSS guidelines, I'd say they should be in the clear in terms of criminal charges. However, I may agree that reasonably increasing chargeback fees would significantly increase incentive.

Re:Criminal Charges? (1)

JerryLove (1158461) | more than 5 years ago | (#24742005)

Perhaps we should indeed hold law enforcement responsible when, for example, they leave a cell-door unlocked and a criminal escapes and commits crimes.

That really is the better analogy.

I wonder how many of the security breaches really come down to bad IT, and how many can be traced to individual users. In my experience, the biggest danger is from people putting data where they should not, leaving their laptops lying around, leaving their passwords on pieces of paper, etc.

Re:Criminal Charges? (0)

Anonymous Coward | more than 5 years ago | (#24742043)

Hi. This is the real world. We're talking about negligence. I don't think you have anything comparable to that in your fantasy world where no one is responsible for their actions or decisions.

Yes, Yes they should. (1)

ag3ntugly (636404) | more than 5 years ago | (#24741659)

It would appear to me that big companies don't consider personal info to be as valuable as something like their trade secrets. I work for a large manufacturing company, and if I were to lose any data storage device with a large number of confidential details about our manufacturing processes or data/drawings of our parts and products, I would expect to be thrown under the bus.

If a laptop or hard drive or thumb drive with some personal info gets "lost" or stolen, anyone in the company who knew that said data was stored on such a portable and easy to steal/misplace sort of device should be sent to prison simply for being an idiot.

Now, if the data is lost through an attack on secured servers, and the company did their due diligence to protect that data (multiple layers of security, multiple auths, firewalls, IDSs, etc..) then they shouldn't be punished, but if data is lost simply due to someone being stupid, then they should pay dearly.

Corps will see the inside of a court room only if (0, Offtopic)

denis-The-menace (471988) | more than 5 years ago | (#24741665)

Corps will see the inside of a court room only if your name is the title of a song and the personal info gets posted! (MediaSentry will "Find it")

Currently in the US, Corps have more rights than you or I even though they are considered "A Person".
Corps that inadvertently/intentionally kill people at most must pay a fine.
If you or I do this, we don't even get the option to pay our way out.

Until this changes corps can do what they want.

Socialist Europe does it better (0, Troll)

Anonymous Coward | more than 5 years ago | (#24741671)

In socialist England the gov't gives it all away free!

Who gets the shaft? (0)

Anonymous Coward | more than 5 years ago | (#24741675)

So let me get this straight. We're going to give IT the shackles, when 9 out of 10 times, they are doing what they are told?

In my experience, IT has very little control, but all of the responsibility. Management of the company set the rules, even if the law is in favor of securing the data, that doesn't mean the managers allocate the budget to ensure that happens.

IT workers rarely stand up and say "I refuse", because when it comes down to it, it is their mortgage on the line.

Now it'll be their mortgage, or their freedom? Awesome, where do I sign up?

Not IT, but business (5, Informative)

Ohrion (814105) | more than 5 years ago | (#24741677)

I disagree with the prospect of placing blame directly on IT/IS. I do believe however that much of the blame needs to be placed at the company level. Many times the risks are known ahead of time by both IT and the business, but the business has decided not to spend the money to fix the problem and have signed off on the risk. Sometimes there is nothing further the IT department can do without the express permission of business. In fact, this is fairly frequent.

I also disagree with this blame being in the form of a crime, unless it is negligence or gross negligence. Fines maybe, but jail-time no. The exception to this, is if the theft is an inside job. Of course, there are already laws to deal with that.

Doctors, lawyers, engineers, IT? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24741689)

I'm a professional engineer (PE). My wife is a physician. If we screw up, ruining somebody's life, we get sued.

IT is not more complicated than medicine, yet seems to fail at security all the time. Perhaps it's time for malpractice/negligence to whip companies into shape.

Possibly too far (2, Interesting)

avatar4d (192234) | more than 5 years ago | (#24741699)

I am not sure that criminal charges are necessarily needed. Who would get the jail time? I mean does the SA have to prove that he recommended better security to the PHB? Does management automatically go directly to jail?

I might be happy enough with the company being responsible for any identity theft of the people listed in their data. Maybe only for the next 5 or 10 years, but if their credit starts getting messed up, then the company which lost the data should be responsible to take the blame and also partially (split between the bank and the company) financially responsible.

Even that suggestion has issues though. People will then fraud the company that lost their data by pretending that their identities were stolen and that someone is purchasing things in their name. All the while it was that person themselves.

Regardless, I think the whole identity/information theft thing is more complicated than most (non-technical/non-business) people take into account.

What about the little guy? (0)

Anonymous Coward | more than 5 years ago | (#24741701)

That would suck for the small web developers who can't pay for insurance for this sort of thing.

Chain of responsibility (0)

Anonymous Coward | more than 5 years ago | (#24741723)

Directors and High level execs should be first on the jail cell lines unless they can prove that they;

1) Listened to reasonable IT security concerns (it's not their job to do the research),

2) Properly funded and supported efforts to ensure data protection.

And yes I have been involved as low level IT support, a Director and a high level exec.


Worrisome... (2, Insightful)

tekiegreg (674773) | more than 5 years ago | (#24741735)

Forgive me for not RTFA in advance but...

I'm a developer, I've worked on many an app that has stored credit cards, social security numbers, and other pieces of juicy data. I've always acted with integrity and you'll never find a credit card or social security number posted on the Internet of my own free will. Generally I take best efforts to secure this information. Using appropriate technology such as hashing, encryption, access controls and authentication as appropriate for the information, etc. Documenting as thoroughly as possible to make sure that nothing happens, and what to do to further protect things.

Despite all this, if my programming is ever compromised, am I now jail potential? I'm finding a new job...

Careful with that word 'crime' (4, Interesting)

ScentCone (795499) | more than 5 years ago | (#24741769)

Leaked data, by itself, isn't a crime in this regard. No harm comes to anyone until someone with criminal intent actually does something to it. Not counting, of course, the harm of feeling appropriately uneasy as you wonder if/when someone will do something with it following a leak - but I'm not sure that sort of anxiety rises to the level of crime on the part of the hotel chain... you could have the same anxiety about whether or not someone holding your data will at some point have a leak that hasn't even happened yet, and likely never will.

There's a reason that someone who sues McDonalds over the hot coffee she dumps in her own lap doesn't ask a DA to go after them criminally. Likewise with slipping on a wet restroom floor that doesn't have one of those "caution" signs put up by the maintenance crew. Being bad (or even, unlucky) at your job could well be grounds for a civil suit, but it isn't usually - and shouldn't usually - be considered an actual crime. That's pretty dangerous stuff, there.

When some wackadoo in full-on tinfoil hat mode brings a gun or a knife to work and kills the PHB he's hated for years, and is now convinced is working for Alien Overlords... is the employer who didn't see that coming an accessory to the crime that was committed, for having failed to prevent it?

If data is leaked, and no crime (based on the use of that data) is ever committed, and the laptop gets recovered with no expectation of it having been compromised... did a crime take place, not counting the person who ripped off the laptop from an employee's luggage? Is the employer actually a criminal because that happened? The opportunities for Really Bad Precedents here are vasty.

Re:Careful with that word 'crime' (0)

Anonymous Coward | more than 5 years ago | (#24742213)

The buck should stop with the CEO (0)

Anonymous Coward | more than 5 years ago | (#24741805)

Agree that IT is the one that owns access to the data in question. But security is an organizational matter and should include data security - just like protecting other intellectual property. This should be mandated by the top management and verified.
SOX legislation is around for a reason and it is not the journal accountant who is held responsible. It is the CEO.

How long data is needed (2, Interesting)

Todd Knarr (15451) | more than 5 years ago | (#24741819)

I'm of the opinion that the liability should depend in part on whether the data's being kept longer than needed for the transaction or purpose it was provided for or not. For instance, if I buy something from an on-line merchant they need to keep my name and address on file at least long enough to ship my item, and almost certainly for the length of time I'm allowed to return the item for a refund or replacement. They need to keep my credit-card number on file long enough to authorize it, possibly long enough to settle the charges (depending on how they're set up with their clearing house), and possibly as long as I'm allowed to ask for a refund (if for instance the clearing house requires the card number to credit the money back). When a company keeps information around longer than needed, they should be held to a higher standard since now it's their choice that the data's being kept. And "needed" should be determined by the purpose or transaction the data was provided for, not by what the company wants to do. When I provide a billing/shipping address for a purchase, I'm not providing it so the company can do better advertising later. If they insist that I create a profile and leave that information on file permanently for their convenience or benefit, they should be taking more responsibility for its security than if they're keeping it just long enough to do what I asked of them and then discarding it.

Where does the blame fall? (1)

DaveV1.0 (203135) | more than 5 years ago | (#24741823)

Does it fall on the IT department for possibly having lax security procedures or using problematic software?
Does it fall on management who approves or dictates the security levels and procedures, and/or may exempt themselves from the procedures?
Does it fall on the software vendor who provided the software with a security hole?

Where does the blame fall?

Kill them all (1)

blueZ3 (744446) | more than 5 years ago | (#24742037)

God will know His own

Best Western .. might not be 8 mil customers (1)

oneiros27 (46144) | more than 5 years ago | (#24741829)

Best Western claims that it was a single hotel, and that they purge older data when it's not needed.

Of course, as it's been so widely reported, the chances of people believing anything other than the worst case scenario is unlikely, as how many blogs are going to post a 'oh, nevermind, I was wrong' article? (and the newspapers would hide it somewhere on page 24)

Commie Scum (1)

gentimjs (930934) | more than 5 years ago | (#24741851)

Syndeq, You suggested any form of accountability/responsibility for a corporate entity. What are you, some kind of commie scum? The ability to perform any level/kind/etc of illegal, amoral, corrupt, or otherwise-unacceptable conduct while under the 'name' of a corporate entity, then when you get caught to say "Hey man, it was the company!" to avoid blame, is the cornerstone - nay - the single most essential principle of the US economy. After all, harder to bring "Acme, INC" to jail than "John Doe", isn't it? In all seriousness, as long as the illusion of "corporate personhood" exists, we'll never escape this reaganic ideal of responsibility-free wrongdoings.

Depends on the case (1)

thetoadwarrior (1268702) | more than 5 years ago | (#24741871)

You can't just say the IT department is at fault in all cases. It would have to be looked at on a case by case basis and it certainly wouldn't just be IT. The company as a whole can determine how well an IT department runs.

If a company flat out does something stupid then of course there should be some sort of compensation or punishment for the company.

Why companies and not government employees? (0)

Anonymous Coward | more than 5 years ago | (#24741873)

Why should this only apply to companies? Why not government employees, heads of departments, or for those countries that have them, ministers of various departments?

It can't be so that a set of actions that should not happen give criminal liability and is morally condemnable if you do them as a private person or a company, but invokes the +5 Invisible Adamantite Brick Wall of No Traceable Responsibility if the government does them. That would be unfair and discriminatory for no good reason.

Blame Data Retention (1)

pdq332 (849982) | more than 5 years ago | (#24741901)

Company data practices share some of the blame. But why are they gathering and retaining the data to begin with? Like a clean desk policy at a bank, companies should be required to purge credit card details, most contact info, Driver's license numbers, SSNs, etc after a transaction is concluded. As soon as you decide to retain data, it will be broken into someday, and there ain't no Great Wall of China that's going to keep 'em out. Charging IT professionals criminally in this scenario is like charging overworked housecleaning staff with entropy violations.

There's a simple principle that covers this (1)

Solandri (704621) | more than 5 years ago | (#24741909)

No taxation without representation.

And its converse: No profit without responsibility.

The latter also covers cases like Monsanto, which wants to profit from the wind blowing their GM seeds to other fields (sue the farmer for using the seeds without paying), but denies responsibility when those same seeds cause problems (contaminating the crops of organic farmers). If you want to be the beneficiary of a product or mechanism, then you must also be liable for any negative consequences of that product or mechanism.

Re:There's a simple principle that covers this (1)

David Gerard (12369) | more than 5 years ago | (#24742055)

The whole point of exporting Intellectual Property through trade agreements and so on is to own the brains of the poorer countries - recolonise them without having to actually maintain force of arms there.

I'm sure Rudyard Kipling would have called it "the corporate man's burden." It's for their own good, I'm sure.

Yes! (0)

Anonymous Coward | more than 5 years ago | (#24741917)

This should rise to the same level as accounting fraud. Without regard to the details of the security breach, the various CxO's and the board of directors should be held to be ultimately responsible. In other business entity configurations, it should be the ownership group. Leaving this up to self-policing and even trade group policing just is not working. I don't believe the majority of organizations take infosec, and customer privacy in particular, nearly as serious as they should and they won't until they are looking at spending some time in jail. I also feel that this responsibility should not be 'firewalled' by contractual agreements between firms, i.e. Company A contract with Company 2 that loses the data. Company A's management/ownership should be on the hook just as Company 2's is.

Where the buck should stop. (1)

misterjava66 (1265146) | more than 5 years ago | (#24741929)

RE: It's a slippery slope to be sure, but where should the buck stop?

If someone steals something from me, whether held in trust for another or my property, and does something bad with said property, it is the STEALER who should be criminally punished.

However, depending upon the arrangements with the owner, if I'm holding something in trust for another, I could see that other person should have a right to pursue me if I failed to protect the property in a reasonable manner.

Nominal "crime": leaving the keys in the ignition (3, Interesting)

RobertB-DC (622190) | more than 5 years ago | (#24741953)

In Texas (and in other states, it seems), it is against the law to leave your keys in the ignition. I haven't yet figured out exactly what the purpose is for that law, except to remind people that leaving your keys in the car invites theft. I certainly haven't heard of anyone being prosecuted for the "crime".

Perhaps a similar nominal criminal sanction should be in place for the company that leaves the keys to my identity in their corporate "ignition"? The penalty would be a slap on the wrist, or less -- because a stiff penalty would lead to coverups. But the law would still be on the books.

That would allow the bean counters to add an item on the balance sheet for "secure client data -- compliance required by law". That would carry more weight than "secure client data -- compliance with 'best practices' guidelines".

Re:Nominal "crime": leaving the keys in the igniti (1)

QuasiEvil (74356) | more than 5 years ago | (#24742229)

Wonder how that works if my car is started with a toggle switch because the real ignition switch went bad... Is it illegal to leave my toggle switch on the harness?

Criminal Charges? Yes... potentially. (1)

forrie (695122) | more than 5 years ago | (#24741997)

I agree with a previous poster, new technologies are difficult to follow, etc. However, that's ultimately not a good excuse.

If we begin to set standards, laws and consequences (that are enforced) then we'll see some change take place.

Companies are less likely to go the extra mile, if they don't feel they are legally compelled to.

Personally, if I were one of the unfortunate people whose identity was stolen, I'd be pretty angry at the negligence, talking to a lawyer and pursuing these companies.

What the UK needs (1)

David Gerard (12369) | more than 5 years ago | (#24742001)

What the UK needs is for the government to get the bill for breaches ;-)

Seriously, the Information Commissioner has actually served enforcement notices on the most incompetent departments and the Conservative opposition has called for prosecutions.

Re:What the UK needs (1)

David Gerard (12369) | more than 5 years ago | (#24742023)

Sorry, that first link is to a dupe in the firehose queue - the actual Slashdot story that ran on Friday is here.

Yes, without a doubt (1)

PingXao (153057) | more than 5 years ago | (#24742013)

The vast majority of computer security "incidents" we hear about, and most of the ones we don't hear about, would never have taken place if this was the stance adopted 10 or 15 years ago. Not IT liability... corporate liability. Ultimately it's the corporate level where goals and policies are set and approved, and budget decisions reign supreme.

If the first large-scale data security breach that happened to a retailer or a bank had been made into an example, we wouldn't be seeing what we see today.

Most companies (1)

SoulRider (148285) | more than 5 years ago | (#24742025)

have some sort of confidentiality agreement. If they do not live up to that agreement then they should be held liable. If they promise to keep my data confidential then it is their responsibility to implement the necessary security to actually keep that data confidential. I especially think hotels, car rental agencies, airlines or anyone else that requires that I transmit a cc number in some form or another, need to be audited and approved for security on a regular basis.

How about self regulation? (0)

Anonymous Coward | more than 5 years ago | (#24742039)

Lawyers do it, Doctors do it, Engineers do it, We should do it too.

We need a set of rules that the head of data security must live by for his job or else FIRED.

Legal decisions are up to lawyers and judges who don't understand what we do and why we do it. That's just dumb. If we create our own rules that we must abide by first we get to decide on the rules, second we can rule/pass judgement on it, third we can enforce it as we see fit.

No need for "laws" just rules we control and execute.

The law of negligence is well developed. (1)

dbc (135354) | more than 5 years ago | (#24742051)

And the concept of IT security negligence is little different from bank physical security or workplace safety negligence.

If a bank is robbed, of course you go after the robbers. But if the robbers cleaned out your safety deposit box, and it is shown that the bank was failing to use best practices with respect to security, you have an action against the bank as well.

If you suffer a workplace injury, and it can be shown that the company was not following safety regulations and requirements, then you can go after the company.

Why is IT negligence different? If you aren't following known best practices, then that is quite simply the standard definition of negligence. "Did know, or as a professional should have known. Didn't do it anyway. BZZZT! Thank you for playing."

Really, this is one place where the law developed over the past several hundred years applies perfectly to today's technology without much adjustment at all. It would be great if all technology law were such.

Erm... we already do (4, Informative)

jimicus (737525) | more than 5 years ago | (#24742079)

In the UK (and, I believe, Europe), anyway.

The Data Protection Act briefly states:

  • Data may only be used for the specific purposes for which it was collected.
  • Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
  • Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
  • Personal information may be kept for no longer than is necessary.
  • Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
  • Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
  • Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

It's not clear which country the Best Western incident took place in but if the systems were hosted in the UK and they processed bookings from UK customers, it looks like a fairly cut and dried breach of that law to me.

There is, however, the minor issue that I don't think anyone's ever been successfully prosecuted for not having inadequate security systems in place...

Criminal? No, but disclosure / liability needed (1)

QuasiEvil (74356) | more than 5 years ago | (#24742181)

I don't think criminal prosecution is the way to go. It's bad, but typically I'm not a fan of making incompetence in private matters criminal.

What I do believe should happen is twofold:

1) Any breach should come with mandatory disclosure and civil liability. Basically, we should be able to get a class action suit going for the time and effort necessary to change all of our card numbers, etc. in the event of a breach, plus costs for checking credit reports, etc. I'm sorry, but my credit card company changed my card number four times in a year on account of "breaches", and I could never find out who the hell it was. It's a sometimes expensive inconvenience when you're on a trip, don't get the notice, and suddenly your credit card stops working. Or the hours spent changing over all of your automatic bill payments. Considering I make around $70/hour when it's all said and done, my time cleaning up their mess is not cheap, and I expect to be able to bill them for it.

2) If the credit card companies were smart, they'd levy serious increases in the fees they charge to process cards from any processor or retailer that causes a breach. Or, better yet, cut them off entirely from processing until they passed a rigorous security screening. The idea of losing potentially weeks of business due to your payment processing being cut off would definitely motivate better security.

Basically, I don't see the need to bring in the slow, grinding wheels of the criminal justice system. A few adjustments to laws governing civil liability and disclosure requirements would very quickly make the industry adapt to much greater security.

maybe the blame is a different corp (1)

fred fleenblat (463628) | more than 5 years ago | (#24742199)

What's a crime is that companies which issue credit cards, auto loans, mortgages, etc. will accept your name, SSN, and mother's maiden name as proof of identity.

These items just aren't secrets anymore so there's no reason for banks (etc) to go on thinking that only the "real" john smith would know them.

Banks that lend out money in my name should be forced to absorb resultant losses themselves. Equifax and TransUnion should be targets for libel lawsuits when they ding your credit rating because of ID theft.

Blame the companies (1)

dave562 (969951) | more than 5 years ago | (#24742217)

The blame should be shifted to the companies who lose the data. Hopefully doing that will get them to question their procedures of collecting the data in the first place. What really needs to happen is a serious reform in the way credit is issued. It's one thing to have a data breach. The real problem comes in when that data is then used to open accounts. The financial institutions need to do a better job of identifying the people who are asking for credit. If a company wants to give me $10,000 worth of credit, they should pay the expense of having someone come to my address on file and have me sign something saying that I really want the credit.

End Result (1)

MozeeToby (1163751) | more than 5 years ago | (#24742221)

Better than fining companies for security breaches, why not require a certain amount of security based on the type of data the business is collecting? Allow for periodic and random inspections and issue fines if the company isn't up to the required level. If theft occurs, a more detailed inspection is conducted until the cause of the theft is identified and fines can be issued if the theft should have been avoided by following the required security measures.

This is essentially what would happen if you allowed fines and class action lawsuits with the current system. The difference is, the 'fines' would be replaced by insurance premiums. IT workers or departments would have insurance the same way doctors and investment advisors have malpractice insurance. The end result is the same, premiums would go down if you improved security or held less data. They would go up if your security was found lacking or you began tracking unnecessary information.

Actually, the blame is on the Directors, not IT... (1)

GuyverDH (232921) | more than 5 years ago | (#24742233)

As all decisions end up being their responsibility in the long run.

Crap may run downhill, but legal responsibility runs uphill.

At least in a world set in reality, that's how it should be...
Of course, they'd claim "we didn't know" and try to weasel their way out of it....
