Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Personal Data Exposed! Can Legislation Fix It?

ScuttleMonkey posted more than 7 years ago | from the ask-and-ye-shall-receive dept.

Privacy 154

rabblerouzer writes "Millions have had their personal information stolen because of lax security and may not even know it because of the patchwork of state laws that fail to mandate timely notification of victims. Boston-based law firm Mintz Levin is seeking feedback on what you would like to see included in draft legislation."

cancel ×

154 comments

Sorry! There are no comments related to the filter you selected.

More laws are the key ... to EVERYTHING (5, Insightful)

Kohath (38547) | more than 7 years ago | (#18842279)

I know we're just one law short. With one more law, nothing will ever go wrong and everyone will live forever. Just one more law.

I'm sure this is the one. No one will accidentally release anyone's private details when it's illegal.

Why haven't they made getting in a car accident illegal?

Re:More laws are the key ... to EVERYTHING (0, Flamebait)

Lovedumplingx (245300) | more than 7 years ago | (#18842317)

Totally. I thought I was the only one who thought like this. This is just the law that we need to live in peace and harmony for all time.

Everyone knows that if there's a problem the creation of a law is the appropriate solution.

Re:More laws are the key ... to EVERYTHING (1)

PPH (736903) | more than 7 years ago | (#18842427)

How about one to prohibit shooting people on college campuses?

Re:More laws are the key ... to EVERYTHING (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18842569)

Why not go all the way and outlaw murder?

Oh... wait, I think there's been something like that already. Anyone know whether it worked?

Re:More laws are the key ... to EVERYTHING (3, Insightful)

KiahZero (610862) | more than 7 years ago | (#18842509)

Laws are just codified rules. The question is, what rules would you want people to follow, and what penalties should exist for breaking those rules?

Re:More laws are the key ... to EVERYTHING (0)

Kohath (38547) | more than 7 years ago | (#18842719)

Laws are just codified rules.

Laws are legislators substituting their choices for yours and mine (because we can't be trusted to make the right choices on our own, but legislators can). Law are backed by threat of violence or force. They are not "just codified rules".

Re:More laws are the key ... to EVERYTHING (3, Insightful)

Qzukk (229616) | more than 7 years ago | (#18843143)

because we can't be trusted to make the right choices on our own, but legislators can

None of the credit agencies seem to be willing to lift a finger to do "the right thing". I guess we're going to have to start suing the credit agencies for defamation or something whenever they associate our identity and credit with a criminal in order for them to take notice, if we're not going to be allowed to make laws to tell the credit agencies to get their act together.

Re:More laws are the key ... to EVERYTHING (1)

OnlineAlias (828288) | more than 7 years ago | (#18844005)


Indiana has a very robust law on notification and data disclosure. The law came into effect last year in July, and it hasn't changed a damn thing about infosec in the state. In fact, few people know anything about it. If I had to write the legislation for another state, I would probably skip it and go do something else, as it is a complete waste of time...

Do you have a mohawk and wear safety pins? (1)

spun (1352) | more than 7 years ago | (#18844485)

Let me ask you then, do you think that societies should have rules? Should there be consequences for breaking those rules? How should those rules be decided upon?

You can't just throw away one of the most basic tenets of civilization of the past 5,000 years without some explanation of why this most universal and ancient system should be demolished, and what it should be replaced with. I mean, sure, you could do what you just did, and apparently there are even a few people with mod points willing to reward you for your stance, but I think you'll find the vast majority of people are not so willing to give up the rule of law based solely on your very sparse critique.

Even most anarchists still believe in codified rules with enforced consequences. What's your alternative?

Without more analysis and explanation on your part, you come across as one of those street punk anarchists with the mohawk and pins, all anger and no theory, shouting "Nyah nyah nyah, you're not the boss of me!"

Re:More laws are the key ... to EVERYTHING (2, Interesting)

TubeSteak (669689) | more than 7 years ago | (#18843611)

Laws are just codified rules.
And look who is writing a draft of those rules: A law firm.

Unfortunately, that's how a lot of laws get written. Law firms, think tanks & lobbying organizations write up their wish list and then sweet talk Congressmen or Senators into submitting it.

This happens at both the Federal and State levels.

Maybe the public representatives (in reality, their staff) should be writing up the rules.

"Oh, but we like this set of rules!"
My response: think of all those laws you didn't like.

Re:More laws are the key ... to EVERYTHING (1)

icedcool (446975) | more than 7 years ago | (#18844171)

The point of the law is not to punish crime, its to prevent it.

Re:More laws are the key ... to EVERYTHING (2, Insightful)

CastrTroy (595695) | more than 7 years ago | (#18842679)

It's not about making it illegal to lose the information, it's about letting the people who when it inevitably happens.

Re:More laws are the key ... to EVERYTHING (1)

Moofie (22272) | more than 7 years ago | (#18842713)

"it's about letting the people who when it inevitably happens"

Er, what?

Re:More laws are the key ... to EVERYTHING (1)

CastrTroy (595695) | more than 7 years ago | (#18842743)

Sorry, That should be

"it's about letting the people who are affected know when it inevitably happens"

Re:More laws are the key ... to EVERYTHING (1)

Moofie (22272) | more than 7 years ago | (#18842841)

Verbs are cool.

Re:More laws are the key ... to EVERYTHING (1)

sconeu (64226) | more than 7 years ago | (#18843009)

Verbing weirds words.

Re:More laws are the key ... to EVERYTHING (2, Interesting)

technicalandsocial (940581) | more than 7 years ago | (#18843491)

In Canada, we have PIPEDA http://www.privcom.gc.ca/legislation/02_06_01_01_e .asp [privcom.gc.ca] , as well as provincial and industry related privacy legislation that is useful. If you have a violation, you can submit it to the privacy commissioner, as well as http://www.cippic.ca./ [www.cippic.ca]

Re:More laws are the key ... to EVERYTHING (1)

Goaway (82658) | more than 7 years ago | (#18843621)

I thought it was mostly teenager who thought it was clever to substitute cynicism for insight, but judging from your user ID, you're probably not one. So what gives?

Re:More laws are the key ... to EVERYTHING (1)

Kohath (38547) | more than 7 years ago | (#18844019)

So suggesting that new laws aren't the answer to every problem is "cynicism"?

Re:More laws are the key ... to EVERYTHING (1)

treeves (963993) | more than 7 years ago | (#18843903)

I completely agree with the gist of what you're saying: that it's stupid to think that just passing another law will solve the problem, but you err in saying they want to make it illegal to release the data. What the law is for is to require that those whose data were released must be notified that it happened. Mind you, that's not going to solve everything either, but it is different from what you suggest.

Re:More laws are the key ... to EVERYTHING (5, Insightful)

hey! (33014) | more than 7 years ago | (#18844131)

True, laws cannot prevent bad things from happening to you. But they can deter unreasonable things from being done to you. And they can also compel people who willfully do such acts to make the damage good.

These are the kinds of laws that a rational person can support. It's laws that are meant to protect us from ourselves we have to many of.

In fact, we do not so much need new laws, but clarifications of how existing legal principles apply.

If I park my car and do not set the brake, and it rolls down the hill into your house, the law says I have to pay for the damages to your house. Not you. You get an estimate of, say $2000, and I have to pay that plus a certain amount to compensate your for your inconvenience.

That isn't paternalism, it's common sense.

Now suppose I negligently release private information about you, and that results in your identity being stolen. The damage I've done to you is incalculable. And therein lies the rub. I am not responsible for the criminal misdeeds of others, but I have caused you far more than $2000 of trouble by my negligence. It is the inability to put a dollar amount on that damage that keeps me immune from being sued by you.

If Congress set a standard $1000 damage level for negligent disclosure of private financial data, you could sue me. But you wouldn't have to. If I managed a database of a thousand people, I'd be looking at a cool million in direct liability. It would alter my calculations. I wouldn't be sending your private data home on an unsecured laptop so a temp I've done no background checks on can do a little data entry.

That's the common theme we've seen in "shocking" cases of data mismanagement. It's not shocking at all, it's inevitable. If the cost of mishandled data is zero, then I'll risk exposing you to identity theft for a penny on an account, multiplied by enough accounts and that's real money.

It isn't hard to secure data to the point that the risk of disclosure is negligible. But it's impossible if the cost of disclosure is zero.

Current Liability Causes Indifference (4, Insightful)

SRA8 (859587) | more than 7 years ago | (#18842285)

Currently, vendors losing data typically offer 3 months of identity detection, as if that does anything. Criminals can simply wait 3 months and begin stealing identities freely, as most people cannot afford to purchase these costly (and largely useless) services. Unless vendors are presented with liability, as are most other businesses, data will continue to be lost all the time. There is virtually no cost to losing data.

What constitues acceptable security (0)

Anonymous Coward | more than 7 years ago | (#18843649)

I think the punishment should be inversely proportional to the level of effort required to steal that data. If a laptop with a million unencrypted SSNs gets stolen on a train then that's sheer negligence. If someone breaks into a secure data center and physically removes a server then it's certainly unfortunate but the company in question is a lot less responsible since they took due care.

A lot of these issues could be solved if you people handling confidential data would secure their networks and particuarly their laptops. People working with the data should only have what they need to do their job and once they are done working with it, their local copy should be securely deleted.

VPNs should be tightly controlled using certificates on both ends. Any machines that exist outside of a secure environment should be using disk encryption and decent passwords and passphrases.

There should be a clear standard on how this type of data should be handled, then the laws can be updated to have gradiented punishments based on the level of negligence.

Re:What constitues acceptable security (1)

qwijibo (101731) | more than 7 years ago | (#18844073)

I'm sure there is no way to implement your idea into law, but I do like the idea of being inversely proportional to the protection provided. Companies don't spend money on making the data or systems secure because it's simply not cost effective. Putting some senior management in jail and finding the company for this kind of carelessness would be nice, but there's just no way it would work.

The best a law can do is create a new market for people claiming to sell solutions. If a company goes with a system backed by another large company with a lot of clients, they can say they were diligent. There is really no good way to determine who is going through the motions, who is genuinely trying (but still sucks) and who is doing a good job, except through failure. And if two companies lose your data and someone commits fraud, both have plausible deniability for the damage caused.

What *I* Would Like to See in Legislation? (5, Funny)

lbmouse (473316) | more than 7 years ago | (#18842287)

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

Re:What *I* Would Like to See in Legislation? (3, Insightful)

symes (835608) | more than 7 years ago | (#18842437)

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.

News just in:- Female IT workers around the world have breathed a collective sigh of relief.

Seriously though, accountability seems to be the key. It feels like (hands up, I'm no expert in this area) that people can get away with some of the shoddiest practices when it comes to safeguarding other peoples' personal data. I don't think it is enough to expect the market (in that serious breach of security and loss of data will cost that organisation customers) to regulate itself. It's like shutting the gate after the horse has bolted. There needs to be something up front - focusing organisations' minds on making sure this does not happen in the first place. I would say that an organisation that handles, for example, credit card data should be made accountable for any losses directly attributable to mishandling that data plus some compensation in lieu of the time required to close the account, order new cards, etc..

Re:What *I* Would Like to See in Legislation? (2, Funny)

Aadain2001 (684036) | more than 7 years ago | (#18843361)

News just in:- Female IT workers around the world have breathed a collective sigh of relief.

All three of them...

Re:What *I* Would Like to See in Legislation? (2, Funny)

morgan_greywolf (835522) | more than 7 years ago | (#18842447)

Televised ritualistic testicular hangings as punishment. Two strikes and you're sterile.


But the Legislation would never impose this penalty on themselves!

Oh, you mean for the criminals...

That's no problem (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#18842599)

When you consider how lobbyists twist them around their little finger, I'd wager politicians don't have any balls anyway.

I felt a great disturbance in the Force... (1)

UnanimousCoward (9841) | more than 7 years ago | (#18842935)

...as if millions of voices suddenly cried out in terror and don't even know why.

Jail the CEO (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#18844335)

Hanging jail time in front of the CEO tends to get some focus in the organisation.

Old saying: a fish rots from the head. If the CEO isn't onboard, then the CIO etc won't give this priority.

Given that SSI just released SS numbers (1)

WillAffleckUW (858324) | more than 7 years ago | (#18842293)

I suggest that having the same agency, especially a Red Bushie one, be the watchdog, is akin to outsourcing the farmers security to the wolves, asking them to guard the henhouse.

What would I like in draft legislation? (2, Funny)

eln (21727) | more than 7 years ago | (#18842303)

I'd like legislation protecting my right as an American to slap the shit out of my elected representatives whenever I choose. I think this could greatly improve their sense of accountability to the electorate. Also, sales of ice packs in Washington would skyrocket.

Or were you looking for legislation more specific to the whole identity theft issue?

Re:What would I like in draft legislation? (1)

RetroGeek (206522) | more than 7 years ago | (#18843501)

I'd like legislation protecting my right as an American to slap the shit out of my elected representatives whenever I choose.

Already there. Every four years, need it or not.

Simple (0, Troll)

isotope23 (210590) | more than 7 years ago | (#18842307)

If a company exposes customer information, then the personal information of all Management and
Board of Directors is to be posted in major newspapers across the US for 1 week.

Re:Simple (1)

joshier (957448) | more than 7 years ago | (#18842501)

Yeah, I was actually thinking this, then I scrolled down and someone had already mentioned it.

Quite simply, it's instant karma... If a company does accidentally leak some data, then those who managed it, be it managers and/or the boss of that establishment, will have their private details (phone, company details etc) exposed... they would not only be punished, but they would know how it feels, which gives them knowledge for a better company. Kind of like, forceful learning..

Re:Simple (0)

Anonymous Coward | more than 7 years ago | (#18842655)

If a company exposes customer information, then the personal information of all Management and
Board of Directors is to be posted in major newspapers across the US for 1 week.

The same should go for Gov and University officials.

It still kills me the colleges still insist on using SSNs for student numbers AND they send school correspondence with the SSNs in nice big letters. That also includes everything from the stupid ass Dept. of Education! MORONS!!!

Criminal Identity Theft (4, Interesting)

G27 Radio (78394) | more than 7 years ago | (#18842345)

I've been writing a bit about my personal experiences with Criminal Identity Theft. It's something quite a bit different than your typical identity theft. I'm wouldn't hold my breath waiting for the states to do much about theft of personal data on their own. They didn't even bother to notify me when they found out some jerk had been using my names to commit crimes. I've come to the conclusion that the government just doesn't give a rats ass about these things.

I'll be writing something to these guys. If you're interested in what I've been dealing with, my story starts here:

http://g27radio.blogspot.com/2007/04/think-youre-s afe.html [blogspot.com]

Who Am I This Week? (1)

netrarc (1083207) | more than 7 years ago | (#18843823)

some jerk had been using my names...
Most of us try to stick with just one name. That whole 'multiple personalities' thing almost always leads to trouble.

Re:Who Am I This Week? (1)

G27 Radio (78394) | more than 7 years ago | (#18844023)

Yeah, I noticed it right after I submitted it. I'm trying to get back to just one on my record at this point!

Ouch! (0)

Anonymous Coward | more than 7 years ago | (#18844101)

Man, that is a really messed-up situation!

I hope you're able to get them to finally help you, and salvage what's left of your life.

Accountability (4, Interesting)

AK Marc (707885) | more than 7 years ago | (#18842387)

There is only one thing that companies are accountable to, and that's the shareholders. If you can save $200 with crappy security and screw over 100,000 people with a breach, a company is under pressure to save the $200. If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc. Fine them up to $1000 per person exposed. Oh, lose the data of 100,000 people on an encrypted laptop left in an airport lounge? That'll be $100,000,000. Also, make concealing a breach (as opposed to reporting it) a jail-able offense. Yes, that may make losing a laptop and hiding that fact get someone more time in jail than a murderer, but we need to drop the "what would a rapist get" dogma. Yes, raping someone is bad. But what about a little loss multiplied by 100,000? Wouldn't screwing up thousands of people's lives (even if the inconvenience isn't really that large) really be in the same league as messing up one person's life really badly?

Recap:

Required disclosure
Jail for those that purposefully avoid disclosure
Large fines for breaches

Re:Accountability (1)

HangingChad (677530) | more than 7 years ago | (#18843117)

If you place huge fines on exposed data, companies will be able to compare the cost of the security measures to the cost of a breach and make a financial decision that will (hopefully) work out best for both the company and the customers/clients/etc.

One can hope, but it would be unwise to hold your breath waiting for big fines. Even if Congressed passed big fines for losing Privacy Act data, it's quite possible most companies would not pay them, even if they were grossly negligent. In response to a big fine from a government agency most companies will appeal. If they lose that, they'll litigate. All the while employing a professional lobbyist and PR firm to lean on elected officials for clemency. Even if the government hangs tough the courts will frequently give them a break and reduce or eliminate the fines and sometimes, even if they lose all that, they just won't pay period. Then the government has to try and launch a costly collection action, which stands the chance of bankrupting some smaller companies.

It varies between agencies how effective they are collecting fines. The IRS...better than most and they still settle sometimes. One favorite line companies use goes something along the lines of, "We could be using the money we pay in fines to fix the problem." If corrective action is necessary they can start playing the "Is This Good Enough" game. They propose a plan to fix it that they know won't do the job. Then offer to do what they should have been doing all along in exchange for dropping the punitive fines and not admitting they did anything wrong. Most companies are pretty cynical about it, too. We'll fix it when we get caught. If we get fined we'll negotiate. If it's really bad we'll litigate.

Re:Accountability (2, Interesting)

walt-sjc (145127) | more than 7 years ago | (#18843169)

The problem is that perfect security is IMPOSSIBLE, especially since the data "needs" to be available to a large portion of the company in order for work to be done.. We can certainly be better though. Forbid the storage of personal data on laptops with jail time for anyone that transfers such data to a laptop or other portable media (with the exception of backup media.)

How about restricting the collection and storage of personal information in the first place? How many companies REALLY need your SSN? How about schools? Do THEY need it? Really? Can we ban the use of SSN's as primary identifiers? How about a federal registry where collectors would have to register that they have personal information about someone, and allow the person to request that the info be removed (obviously need exceptions to this...) How about requiring written approval for businesses wanting to share your data with others? The honest truth is that most businesses have no need to store all that data in the first place. How many web sites want your birth date? Do any of them really need it? with VERY few exceptions, the answer is a definitive NO.

Don't legislate ! (5, Insightful)

cyberianpan (975767) | more than 7 years ago | (#18842417)

Why you shouldn't force notifications to customers

-Zero day exploits: crooks will rush to do zero day exploits as an official confirmation will prove they've got good data (so more sophisticated gangs will buy it from them, most fraud happens in the first 24 hours)
-Honeytrap: When identity theft occurs law enforcement agencies may wish to honeytrap the thieves by letting them use the say credit card details & thus tracking them.
-White Noise Defense: smart companies ought have "white noise" dud systems, easily hacked containing white noise data with honeytrap triggers (eg a valid credit card number but one that belongs to say FBI) in it !
- and so on.

But they should be forced to notifiy law enforcement agencies.

Re:Don't legislate ! (1)

Forseti (192792) | more than 7 years ago | (#18843561)

Not that I'm all for over-legislating everything, but...

-Zero day exploits

If this was an efficient method of defrauding people, they would already be doing it. If they're not, it's because it's less efficient. If we force them to move to less efficient methods, we gain ground.

-Honeytrap

So, we should let valid customer data circulate and be misused, just so we can track the perpetrators? You believe there is a very limited set of people doing this, so that tracking them will solve the problem permanently? Who bares the cost to the economy of letting these followup crimes occur?

-White Noise Defense

I don't see how companies being forced to disclose customer data theft to those customers precludes them from having a honeypot with false information. You realize that they wouldn't be required to disclose false information being leaked! Who would they disclose that to?

FUD-vertisement! (0, Offtopic)

EveryNickIsTaken (1054794) | more than 7 years ago | (#18842489)

Tune in to the FOX 5 News at 10 as we discuss this developing story!~

Re:FUD-vertisement! (2, Insightful)

ExileOnHoth (53325) | more than 7 years ago | (#18843613)

Enjoy your sheltered life. I thought it was hype too, till it happened to me. now I hear myself ranting about "identity theft" and sometimes I stop and think, "when did I become this crackpot?"

Like anything, like war, cancer or flooding, the whole problem seems silly and irrelevant when it happens to other people. Then one day it happens to you.

I'm not comparing this to war or cancer -- but I don't think you've thought through the seriousness of this problem. Ask yourself this: What's your time worth?

What if you had to spend a hundred hours to fix this? Three hundred hours? What is 300 hours of your time worth?

What's it worth to you? to the economy at large? to your wife and family?

It's not Fox news, dude, it's real. Bury your head and feel lucky. That's the privilege of youth.

If you want data, be responsible OR ELSE (1)

Opportunist (166417) | more than 7 years ago | (#18842535)

Here's what I'd like to see in a law:

If you store personal data, you're responsible for everything that happens if this data gets stolen. Everything. No matter if you're in any way responsible or whether it has been deemed "correctly" stored. You lose my data, you stand up for all the damage done.

Yes, that includes governmental organisations.

Don't want to be held responsible for losing my data? Don't store it.

Wait a Minute.... (1)

asphaltjesus (978804) | more than 7 years ago | (#18842563)

I've got a few questions:

1. How is it that this law firm gets paid for the privilege of drafting our laws? Before anyone hits the reply button, what makes you think this is some kind of pro-bono cause for the law firm? The likelihood this is some kind of charitable effort is miniscule. What makes you think citizens preferences will win over the corporate interests?

This story encapsulates what's wrong with our democracy.
-The Law has been abstracted and complicated to such a degree that the above-average (slashdotters are certainly capable) is not qualified or considered capable of writing one.

-Citizens are not diving into this problem, organizing themselves and working the system we have by voting in blocks or even altering the system to make it "better."

Okay, so I'm proxying my preferences to this law firm who, for reasons unknown is drafting this bill.

Data compromise is the CEO's responsibility. Fail in your duties? Fine, it's a _minimal_ felony prosecution with manditory federal prison sentence. This is not after a determination of liability. This is after the data set has been compromised. The other piece of the puzzle is a kind of GAAP for data at rest. Is there such a thing now?

Specialisation is the problem ! (1)

cyberianpan (975767) | more than 7 years ago | (#18842807)

The Law has been abstracted and complicated to such a degree that the above-average (slashdotters are certainly capable) is not qualified or considered capable of writing one.
Society is getting increasingly specialised & thus complex - this is a good thing as generally we have more than say the average person of a 100 years back. Specialisation is what floated the Industrial Revolution & thus gave individuals more freedom (removed us from the Land shackle). When the concept of a Western liberal democracy was founded specialistion wasn't as rife. Perhaps a sample of 10 different professionals would have been able to describe all knowledge. Now even 100 would be hard pressed. Unfortunately we have to stick to our own areas of ability & interest regards law writing, even the average slashdotter wouldn't have much to add to say a change in law surrounding fire codes of new skyscrapers. We've to rely on others to oversee & complain on these issues.

Re:Wait a Minute.... (1)

heinousjay (683506) | more than 7 years ago | (#18843111)

So you not only propose suspending the criminal justice system, you would also like to impose penalties on people who, by job title, would likely never be directly responsible. Brilliant. You have my vote. I assume you're running under the flag of the "Batshit Insane" party, so I'll just vote a straight ticket.

Re:Wait a Minute.... (1)

asphaltjesus (978804) | more than 7 years ago | (#18843447)

Your alternative leads one down the blind path of non-accountability and no transparency whatsoever.

You propose the fall guy remains way-way down the chain of authority and the executive class retains authority, and the salary to reflect that, but no liability.

Instead of name-calling, how about a viable alternative where the chain of authority is clearly defined? Maybe it's just easier to shout-down ideas than it is to come up with some constructive alternatives?

Re:Wait a Minute.... (1)

Artifakt (700173) | more than 7 years ago | (#18843521)

I see your first point, but how in the hell did you get the idea that a CEO could be "never directly responsible"? That's a marvelously narrow definition of the word directly, it stands utterly opposed to the way that phrase is used in all the body of both corporate law and US criminal law, and if it's your real logical position, then you should be equally opposed to holding the getaway car driver responsible for a homicide resulting from a bank robbery, since he too is not directly responsible. Are you sure you want to fling around terms such as "batshit insane"?

Re:Wait a Minute.... (1)

BadMrMojo (767184) | more than 7 years ago | (#18843913)

1. How is it that this law firm gets paid for the privilege of drafting our laws? Before anyone hits the reply button, what makes you think this is some kind of pro-bono cause for the law firm? The likelihood this is some kind of charitable effort is miniscule. What makes you think citizens preferences will win over the corporate interests?


Mintz Levin is the same firm that made a boatload on a huge class-action suit against big tobacco a few years back. This is most certainly not charitable work. Not that it should be an absolute criteria of whether you agree with their approach or not, but they are doing this as a part of their business. That's what they do.

-The Law has been abstracted and complicated to such a degree that the above-average (slashdotters are certainly capable) is not qualified or considered capable of writing one.

I have this argument with my ex (who is about to graduate from Law School) all the time. I'm perpetually astounded that the average citizen (not to mention those below average) is responsible for adhering to a set of laws which is so convoluted that even our best and brightest have to train diligently and dramatically alter the very way in which they think just to be capable of arguing either side of an issue.

How the Hell is an average person ever expected to understand whether any action they take is lawful when its legality can only be determined after the fact, in court and based upon innumerable external variables up to and including the transitory whims of the judge? It's really completely insane.

Change the cost/benefit to discourage hoarding (2, Interesting)

Urban Garlic (447282) | more than 7 years ago | (#18842573)

My fantasy strategy is to punish the owners of inaccurate personal information.

Legislation that provided a penalty for holding inaccurate personal data about someone would strongly discourage people from grabbing personal info just because they can. If bit-rot in personal-info databases had legal consequences, people would be more careful about what they collected, and would take the trouble to verify its integrity. It'd be harder to sell a database like that, too, since the buyer would want the means to keep it up to date. Also, you can bet that every personal-info-storing website would switch to an "opt-in" model about as fast as their lawyers could say "liability risk".

The major downside would be that it would disproportionately hurt small organizations. Sadly, I don't have a solution for that.

Everybody's being funny damn it (0)

Anonymous Coward | more than 7 years ago | (#18842593)

That's my line!

Ok, I guess I need to be serious if everyone's joking about it. Of course, there's the Anarchist who thinks he's a libertarian saying all laws are bad, and another (please mod the guy up, he's actually funny) suggesting that Bush should appoint someone for a new Fedaral agency who is either a) totally incompetent (Brown, Gonzales) or is an industry shill, like the oil company and timber guys he appoints to Land Management (sigh). Bush makes the anarchists jobs SO easy...

But the fact is, there really should be a law. It should say that when your private data is breached, you should be able to collect three times any actual damages you incur from any company or agency that breaches said data. Furthermore, any government agency or company should be made to hold this money in escrow for every possible victim, just in case.

Breaches should subject the board of directors and CEO of the company or agency entrusted with the breached data, as well as the idiot who actually loses said data, to hard time in prison. Not a "white collar" prison. Put 'em in tith the murderers, thieves, muggers, rapists, and child molesters. I almost said "drug criminals" but most of our jails and prisons are filled with those, anyway.

A credit reporting agency who gets a report that your credit is stolen should be subject to a slander suit if they report bad credit after finding that it's the thieves, not you.

But the US is a one party system, even if that one party does have two arms. Neither the Democrat nor Republican arm of the Corporate Party gives a damn about you, or about anything EXCEPT the corporations. Any credit fraud law passed will benefit the corporations at the expense of the citizenry, like every other God damned law passed in that last quarter century.

So, uh, I guess I have to agree with the anarchy dude. Don't pass any more damned laws, we have too many already. Unless you've got some plan to wrest control of the US government back from the Japanese (Sony), the French (Universal), the Germans (Crysler), the Mexicans (Zenith), the British (BP), the Dutch (Shell)...

-mcgrew

Ain't gonna work ... (1)

WrongSizeGlass (838941) | more than 7 years ago | (#18842595)

... without extremely severe punitive damages imposed upon those who expose the data. Until it costs them less to secure it than it does to expose it we'll never stop companies from acting irresponsibly.

SSIA (Sig Says It All) (1)

Geekfather (1012353) | more than 7 years ago | (#18842597)

|
|
V

My vet can do that! (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#18844407)

You have not been "fixed" yet? Just stand in line with the tom cats.

Here's what we need, and it'll never happen (2, Insightful)

MikeRT (947531) | more than 7 years ago | (#18842629)

An amendment to the Civil Service Act that makes willfull negligence an automatic firing offense. Stop, don't pass go. If you take thousands of tax records or veterans' data home with you without strong encryption, you're fired, lose your pension, everything. It'll never happen because the government doesn't want to admit that if we took the government out of the equation, that the system would look a whole lot less broken than it really is.

Secrets are the problem (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18842635)

The whole system is backwards which causes a good percentage of grief and problems with personal data in the world.

We need systems that are more like paypal or your online banking account where you *send* payments to the people you want to send money to rather than having those people *take* the money from you.

Implementing it in a way that that is as easy to use and prevelent as credit cards is unfortunately a major undertaking and I'm not sure exactly how it would even be done but its the only way to stop the continuous drum beat of many of these sorts of issues. With the penetration of cell phones and instant network access everywhere its an idea that is getting easier and easier to implement every day.

There are separate issues with SSN..etc that are not addressable in this way but perhaps a central government system which uses a kind of kerberos Ticket-Granting-Ticket scheme could allow third party verification of credentials and storage of tickets without their actual knowledge of what those credentials are. It seems a little spooky though :)

The next best approach I see is a deterministic hash like algorithms that still allow SSNs to be used between systems and as keys for storage in applications but prevent their outright knowledge.

As far as legislation ... I like notification. If I worked for an orgization responsible for huge amounts of personal data as a matter of basic ethical conduct I would seek to provide notification if our systems were breached by bad actors.

I don't think legislation which prescribes solutions or requrements in terms of security is useful. Market pressures which come from notification requirements can do a lot in this regard and IMHO should be the focus for government involvement.

The problem is even seemingly obvious requirements such as "use firewalls" may not have any real actual effect on the security properties of a system or do anything to stop insider threats. Technology is too complex and changes too fast for our elected officials and their self appointed experts to reasonably understand and more importantly *predict*.

cause damages? pay them all (1)

swschrad (312009) | more than 7 years ago | (#18842699)

and that means lifetime. if BigCo has enough data in their files to mess up somebody's credit, they pay for all damages, correcting the files, and for the life of the person, for every instance where impaired credit causes harm, pay for it.

some weasel steals your ID and you lose the house you're trying to buy? BigCo buys you a house, free and clear.

can't get that zero-percent car loan? BigCo pays for the car in cash and hands you the keys.

then and only then will companies get serious about how much stuff they keep on customers, and how they tie it down safely.

Can legislation fix it? (3, Insightful)

hackstraw (262471) | more than 7 years ago | (#18842745)


The summary and the FA were short on information, but here is my stab at this.

How about we just keep our private information private? The increase in the amount of personal data that is attempted to be acquired by private companies is increasing, and remind me how my giving of my personal data to Pets-R-Us is going to benefit me?

I paid cash for a car, and the people wanted my social security number. Why?

A health club near me wants my social security number to lift weights and stuff. Why?

Oh, and don't get me started with those so-called "Privacy Agreements" that some of these comanies give out to you. All of those end with the clause "we can change our mind at any time w/o notifying you", so how is this any kind of agreement? By signing one of those I am agreeing to nothing.

So, I think that the laws should say that there are 2 kinds of personal information. One kind is something that can clearly identify me. My address, phone number, ssn, name, etc. And none of that should be shared with anyone. Abstract data for marketing reasons is OK. My age, sex, or whatever they can get from me that does not directly tie the information to me is OK.

Re:Can legislation fix it? (1)

Red Flayer (890720) | more than 7 years ago | (#18843655)

I paid cash for a car, and the people wanted my social security number. Why?
So the cash transaction can be reported to the IRS, as required by law (depending on the amount). This is supposedly to help detect money-laundering and drug trafficking.

A health club near me wants my social security number to lift weights and stuff. Why?
For a credit check, to make sure that you'll be likely to make the monthly installment payments on that annual membership, and probably to see if you're a high risk for stealing equipment.

At any rate, I think we've passed the point where we can hope that our private data will remain private. Realistically, we've got to take steps to prevent stolen data from being used for identity theft. This means tighter regulations on lenders, so it isn't going to happen, IMO, but it's the only option left from a systemic perspective.

I'll agree that there are two levels of personal information, and one should be sacrosanct. The problem, though, is that if the data is collected, it is vulnerable. The law won't stop malicious attempts to get your personal information, nor will it stop some idiot from accidentally making the data available. So what do we do once our data is out there?

Personally, I just accept the fact that I need to check my credit report every month. What I'd like to see is better free access to one's own credit report, so that the various credit bureaus don't make out like bandits from the justified fears of individuals. One free credit report a year (as mandated by law in most states) is almost useless, given the speed with which an identity thief can ruin your credit and make your life a living hell for years. One a month would be much better.

Corporal punishment (1)

ewg (158266) | more than 7 years ago | (#18842771)

I favor more laws, especially if backed up with the threat of corporal punishment [wikipedia.org] .

New SSN (4, Informative)

Alchemar (720449) | more than 7 years ago | (#18842787)

One of the biggest problems with identity theft is that SSN were not intened to be used for identification purposes. My Social Security card clearly states that it is for Tax and social security purposes only - not for identification. Yet every organization out there wants to use your SSN for an ID. It use to be my student number, my health care number, and I can't recall the last time I needed to access banking information that I wasn't asked for the last 4 digit to "VERIFY MY ID" The people that set up Social security numbers knew that using it for ID would be bad. Try refusing to give your SSN. Unless you are independently wealthy, that means no job, no bank account, no phone, no Drviers license, no house, no car, and no insurance. What I want is for them to enforce the laws that we have. If we must have a new law, make it a criminal offense to ask someone for their social security number unless they must file a tax in that person's name, and also make it a criminal offense to use the social security number for any purpose other than filing that tax form. The main problem is that since the Social security office doesn't recognize that a social security number is an ID, having your ID stolen is not a valid reason to get a new number. The social security office recomends that you move to a new country and start over, and other countries actually have fleeing the US for identity theft as one of the reasons to seek relocation into their country

If they absolutly need a national means of identifying people, then it needs to be in a secure manor. My suggestion is to issue everyone an electronic ID card. With all the extra "security" that goes into an id they can afford a small dedicated computer the size of a credit card calculator that only gives a secure ID number. When someone needs to verify your ID, they must request a key from the goverment, similar to a tax ID, but it is the public key for an encryption. They give you their public key, you enter it into your computer wich has your private key, it generates a number, the company sends that number to a goverment computer, it returns the critical information for the person involved. Name and Birthday. If they require more information, they must fill out the goverment forms explaining what information they need, and why; which becomes public record. Set it up so that your computer tells you what the company is, and what information they will be given. Now they have a secure means of identifing you, and you can verify who is requesting the information, and the ID number you give them is only good for that company. They can't use the data to request a new credit card, because the credit card company would be given a different number based on their public key. Set a password on the computer so that it can't be used if stolen, and set provisions where someone can request a new card and private key if it is compromised.

Re:New SSN (0)

Anonymous Coward | more than 7 years ago | (#18843065)

So what happens when this little computer of yours crashes beyond repair? Is cracked? etc?

I agree with you and other posters here though that SSN shouldn't be used but for taxes if it must be used at all.

Re:New SSN (1)

Alchemar (720449) | more than 7 years ago | (#18843859)

That is what I meant by "and set provisions where someone can request a new card and private key if it is compromised." What do you do if you lose your drivers license ... you go get a new one. Just make sure that people are issued a new private key if the old one is lost or compromised.

Re:New SSN (1)

Archangel Michael (180766) | more than 7 years ago | (#18843327)

"If they absolutly need a national means of identifying people, then it needs to be in a secure manor. My suggestion is to issue everyone an electronic ID card."

Yeah, just tie this new number to a SSN so that all the old legacy systems can use either!

All kidding aside, why do we need numbers at all. How about using photographs? How about Fingerprints? How about anything other than something that is EASY clone? Whether or not it is SSN or some other numeric based ID, the problem with the system is the same. This is idiocy of the "we need a new number" crowd. The problem isn't using SSN, it is using ANY number as a SOLE means of ID. A new number isn't going to fix the problem. Really it isn't.

It shouldn't be trivial to pretend to be someone else. It should be all but impossible.

Re:New SSN (1)

Alchemar (720449) | more than 7 years ago | (#18843829)

One of my points was to make it an ID number NOT a tracking number. Enforce the existing laws so that they can't use the SSN by linking back to it. Part of making the plan work is that you have a different number for each company, so that they can't create a central database, which makes the data less valuable to people that would consider stealing it.

Re:New SSN (1)

RetroGeek (206522) | more than 7 years ago | (#18843647)

My Social Security card clearly states that it is for Tax and social security purposes only - not for identification. Yet every organization out there wants to use your SSN for an ID.

In Canada we have more-or-less the same wording for our Social Insurance Number (SIN). And the law has teeth. It is illegal to use the SIN for primary identification. The military had to re-vamp its own internal systems, as they started out using the SIN as a soldier's ID number. Now they generate some random number.

I refuse to give out my SIN to anyone who cannot prove to me they actually need it. If they say they will not give me a (membership | account | whatever) I simply leave.

YOUR data is YOUR IP (1)

zogger (617870) | more than 7 years ago | (#18842791)

There isn't a whole lot more needed other than enforcing copyrights one might think. If it really is "your" data, then these various companies and agencies can make you an offer to license to use it. Right now they just assume and act like it automagically becomes THEIR "IP" to use, sell, trade, store, datamine, and etc.. Nuts.

$$ attached to each piece of information (1)

str8 (28028) | more than 7 years ago | (#18842801)

IMHO, if a company or agency treats our personal information like they do cash, they would be much more careful with it. I would suggest a dollar amount on each piece of information.
Name: $5
Birthdate: $5
Address: $5
SSN: $50
etc.

If they disclose that information accidentally or without permission it's just like they lost $5 of your money and they have to send you a check.

I think this would also help cut down on the information that organizations would keep on people to a minimum since each field would be treated as a liability (as it should be).

No SIG for you! Come back, one year!

Legislation has never fixed anything. (2, Interesting)

pair-a-noyd (594371) | more than 7 years ago | (#18842863)

There are millions of laws and all of them are ignored by the criminals.
Honest people obey them but criminals do not.

What it will take is to enact a DEATH PENALTY for computer crimes / identity theft.
That's right, strap the bastards down in Ol' Sparky and televise it to the world.

Two or three public executions and the problem will pretty much go away over night.
Do it from another country you say? No problem. Send a Special Forces hit team to kill them in the dark of night.

Seriously though, one day someone is going to get really, really pissed off and they'll go get a pound of flesh from the companies that allowed the data breach to happen. It's only a matter of time.
There are a lot of unhinged people on the edge as it is now.

This has gone on way too long. Enough with the useless laws, let's start up public executions.

Target the credit bureaus (3, Insightful)

Daffy Duck (17350) | more than 7 years ago | (#18842867)

I doubt the solution is to make sure that all of the dozens of companies that hold your SSN must have perfect security inside and out for all eternity.

I'd rather outlaw the use of your SSN as both username and password. Why are the credit bureaus allowed to let anyone who knows those nine irrevocable digits mess with your credit report?

Re:Target the credit bureaus (1)

Lithdren (605362) | more than 7 years ago | (#18843121)

Agreed! A SSN is not, in any way, meant to identify you. Its for tax reasons only, to link up info for taxes for the goverment.

You use SSN now for EVERTYHING, from getting hired, to getting credit cards, to buying a house, to getting pulled over for speeding, to requesting tax forms. everything.

Whats worse, if you have an SSN, name, and DOB, a company will believe its really you, and not the guy stealing your identity. Its a large problem.

We either need to create something to replace the SSn that can be used like this (only with actual security) or find another way all togeather. The current system is not working, at all.

Public Information Exchange (0)

Anonymous Coward | more than 7 years ago | (#18842869)

The internet is well suited for the exchange of public information. It really should suprise no one that anything private connected to the internet has a strong chance of not remaining private. Though many of you make your living and/or do business on the internet its still a bad idea. The more complicated you make the system will just make it easier to break, review your reliability formulae if you doubt this statement. Frankly, I think the worst is yet to come. Even though huge amounts of money has been lost by banks, corporations and individuals to date, it apparently hasn't hurt profits or savings enough yet.

Corporations and small business have shown repeatedly that they can't be trusted with our private info even off of the internet, being on it just makes it infinately worse for potential harm. When the transaction is complete, all data with any personally identfying information should be dropped.

Banking online? Sure, it is convenient, but the word is that only a small portion of money stolen online from banks is even reported. The government even fears an organized attack on banks that could drain them enormously, but don't worry, that money is issured by someone who can print money, the overly in debt US government. At least the banks in the US are, haven't a clue how the rest of the world's banks would handle such losses.

IMO the internet should just go back to being a public information exchange medium and keep the private business off of it so it has a better chance of staying private. Cash and carry is still the best way of doing business, outside of barter.

This is not to say that businesses shouldn't use the internet to list prices, location, phone numbers etc, but it would be far better if they kept it to that. I may well get modded flamebait on this but history will in the end be the judge and in this case I wouldn't mind being wrong.

As far as legislation fixing anything, it can only do so by removing other legislation cause legislation never stopped anything from happening in much the same way that a locked door only keeps the honest people out, same for a "secured server".

More exclamation marks? (1)

Cctoide (923843) | more than 7 years ago | (#18842969)

I don't know! Can it!? Is it like outlawing death makes less people die!? I don't know! Maybe if we add more exclamation marks, it'll work!

Restrict the Creditors (1)

scruffy (29773) | more than 7 years ago | (#18843039)

We need to make bad creditors pay for identity theft. It is their lax identification/authentication procedures that cause much of the problem.

1) Make creditors pay you triple damages when your identity is stolen.

2) Put an upper limit on interest rates so that creditors can't gouge the honest debtors to pay for the dishonest ones.

The problem isn't disclosure (1)

gillbates (106458) | more than 7 years ago | (#18843085)

It is how banks and other institutions carry out identification. Typically, your name, address, and SSN are all that is needed for a criminal to commit fraud.

And typically, the worst you'll have to put up with should your identity be "stolen" is signing an affidavit to that effect. I'm not aware of any case in which someone whose identity was stolen ended up with out of pocket expenses. Typically, the merchant eats the fraud.

The banks, merchants, etc... are the real losers. However, if it was a serious problem, banks and merchants would be doing something about it. When you think about it, someone unwilling to do something as small as changing their identification process can't be too concerned about the problem. Yes, they'll pay lip service to it, but in the end, it just isn't large enough a problem to do something about.

Now, I haven't had personal experience with this, but I am not aware of anyone who has been defrauded (i.e. cleaned out their bank account) and have not received their money back from the bank.

Re:The problem isn't disclosure (1)

twbecker (315312) | more than 7 years ago | (#18843623)

And typically, the worst you'll have to put up with should your identity be "stolen" is signing an affidavit to that effect. I'm not aware of any case in which someone whose identity was stolen ended up with out of pocket expenses

I guess you don't consider your time and effort an out of pocket expense. Time is money. While I thankfully don't have any first-hand experience with ID theft, from what I've heard recovering from it can involve many many hours of correspondance with financial institutions, credit reporting agencies, etc, etc. I don't know about you, but I have better things to do with my time. Sure merchants have to eat a lot of the cost, but to insinuate that consumers have it easy is just ridiculous.

Re:The problem isn't disclosure (2, Informative)

CantStopDancing (1036410) | more than 7 years ago | (#18843769)

The banks, merchants, etc... are the real losers. However, if it was a serious problem, banks and merchants would be doing something about it.


and the reason they're not is because, and this is the important bit, they pass the costs on to their customers. That's right, banks and merchants don't lose one red cent over identity theft. They simply raise rates or add extra fees or apply previously non-existent charges, when it happens too often. *every* instance of identity theft is subsised by *every* customer of that organisation, without exception.

Re:The problem isn't disclosure (0)

Anonymous Coward | more than 7 years ago | (#18844139)

My girlfriend's sister had a 'friend' who learned how to sign her name and then withdrew a large sum from her bank account. The bank never refunded the money, and the person had already spent it by the time the police caught her, so the money was never recovered. My girlfriend's sister never saw the money again, on top of having to file police reports, etc.

Had the bank been financially liable for their lackluster security (visual comparison of two signatures), I bet they'd have stepped it up a bit. If nothing else, the victim would have been compensated.

As mentioned elsewhere in the thread, the bank has insurance, which the customers pay for with fees and bad interest rates. I wouldn't be too surprised if the bank filed a claim with their insurance provider for "damaged credibility" and got reimbursed for the 'potential' they lost from the ordeal. Why not pass some of that back to the poor girl who lost her savings because they failed to keep it safe (which is their primary purpose)?

--Posted AC because I can't seem to remember my password right now...

A simple fix I'd like to see ... (2, Interesting)

timholman (71886) | more than 7 years ago | (#18843297)

There is one very reasonable change I'd like to see enacted. I want to have the option of putting my credit file on permanent Fraud Alert with the major credit reporting agencies. Currently consumers have the right to make a phone call to an automated line which places a Fraud Alert on their credit files (I call Equifax at 800-525-6285, who then shares the alert with the other agencies). This alert prevents identity thieves from opening a new line of credit in your name without the agency contacting you first.

The only problem is that the alert must be renewed every 90 days. To get a permanent Fraud Alert, you must prove you've already been a victim of identity theft - essentially closing the barn door after the horse has gotten out.

Consumers need to have the right to request a permanent alert without question, and for any reason. I am long past the point in my life where I need instant credit. I can afford to wait long enough for the credit agency to call me if I need to open a new account. Of course, the credit agencies will fight any such measure tooth and nail (the 90 day alert had to be forced upon them by law), but unlike some proposals I've read so far, this one is actually doable with a realistic amount of effort on everyone's part.

Easy answer (1)

Marxist Hacker 42 (638312) | more than 7 years ago | (#18843325)

The problem isn't a lack of privacy- the problem is too much privacy. I say, the new law should be an utter *lack* of privacy in financial matters- an open records law. Then we can simply hire government auditors to watch for fraud patterns and punish only the criminals.

"patchwork of state laws"??? (3, Insightful)

Russ Nelson (33911) | more than 7 years ago | (#18843333)

"patchwork of state laws"??? You morons, that's exactly HOW the United States is *supposed* to work. Look at the name: United States. We're not a single country, we're a union of independent states, each of which has its own government, and its own set of laws. The "patchwork of state laws" is our guarantee against a tyrranical central government. The different state laws allows people to pick and choose between the laws that protect them most and oppress them least. It's a feature, not a bug! [russnelson.com] .

I know - let's pass a law to help the victims... (1)

GuyverDH (232921) | more than 7 years ago | (#18843463)

If any number of client's data is exposed, lost, stolen then the following action will be taken. #1 All assets of the company that lost the data will be frozen. #2 Corporate officers will be held liable, and serve a prison term no less than 5 years. #3 The victims will be provided with identity theft insurance for the rest of their lives, paid for by #4. #4 All assets of the company will be sold, and said money will be distributed evenly to the victims, after subtracting the cost of lifetime identity theft coverage. Yes, there are all kinds of bad things that could happen (like mass unenployment, etc..), however, if the officers of the companies are held responsible by law, they will more than likely want to cover their asses, and force the companies to do what they should have done already.

Free the victims from any consequences (1)

gelfling (6534) | more than 7 years ago | (#18843469)

We assume that there is no security and no privacy therefore the only sane thing to do is force anyone to prove it is you who is you in order to collect moneys, rights or some other thing from you.

a few things... (1)

BenSchuarmer (922752) | more than 7 years ago | (#18843529)

DO NOT preempt state laws.
Allow people to freeze their credit reports. You can do this now AFTER you find out that you are a victim, but that's way too late. Why not give people the abilty to decide whether they want to get a little more security by giving up quick credit?

We're all victims (1)

Curmudgeon420 (1092149) | more than 7 years ago | (#18843809)

My credit union sent me notification that their Visa card accounts may have been exposed, and my two cards would be replaced. It took me over an hour to mail, phone, and login to accounts to change my CC number. 100,000 numbers compromised? 100,000 hours lost. Make the blighters pay.

Won't really matter (1)

Deagol (323173) | more than 7 years ago | (#18843941)

To quote the duck: "Consequences, shmonsequences...as long as I'm rich."

I don't really see how this will help. As it takes a big legal team to fight these big corporations, we'll mostly see results like most other big lawsuits. The laywers will settle for a huge amount, get most of it, and business will go on as normal. Even if it's not a class-action and comes down to a single plaintiff actually winning a substantial judgement, it won't be enough to curb the abuses. It never does.

What we really need is a legal foundation that puts the out-gunned individual on even ground with corporations. If being sued into the ground by a corp can ruin a person, the reverse should be true. If convicted of major wrong-doing, a company's bank roll, officers, and board should suffer losses and hardship. Enron-like convictions should be the rule, not the exception.

As if that will ever happen, though....

To answer the headline: (1)

frdmfghtr (603968) | more than 7 years ago | (#18844013)

No. Legislation cannot fix this; that's like making bugs in code illegal.

Legislation can only make mistakes like this painful, but it cannot prevent them.

Along the same line of thought; traffic laws don't prevent accidents, they just assign blame for them.

No federal solution (1)

Thunderstruck (210399) | more than 7 years ago | (#18844035)

The desire to fix things with a single, federal, solution is part of problem. As many of the above posts already note, identity theft is possible in large part due to the existence of single national identifiers. Further, a federal-law solution would be constitutionally limited, and could only regulate those organizations engaged in (interstate) commercial activity. Data collections created for governmental, political, religious, or research purposes would probably be above federal authority and subject only to state law.

As a practical matter, the governance of personal information is something best handled by the individual states, based on their individual needs and values. A (large) state that values convenience and automation can adopt a "uniform information code" much like the present UCC. A (small) state that prefers privacy and control can adopt more stringent regulations. In the end, an individual has a lot more control over the laws of his state, (and thus the laws governing his personal information,) than he does over federal laws.

Eliminate the problem at the source (1)

gsarnold (52800) | more than 7 years ago | (#18844133)

Follow the money!

The root of this whole mess is the fact that credit is soooo easy to get. Lenders ask for little more than a name and SSN to look up a credit report before they will write loans and issue credit cards. Anyone could provide that, which is what makes this information so valuable.

You want to fix the problem? Regulate the credit industry to create friction in this process and de-value the information used to identify individuals to credit reports. This certainly would mean requiring more than Name and SSN to identify an individual on a credit report, but may also mean burdening the creditor with additional requirements like direct contact with applicant to confirm confirm request, etc.

If you make it harder for creditors to issue fraudulent credit, the reason for stealing the information in the first place will evaporate.

BTW, why is the SSN even used as a credit ID? Ain't that supposed to be illegal?

Fix Fair Credit Reporting Act (1)

zentec (204030) | more than 7 years ago | (#18844259)

The problem lies in the fact that you do not own your personal information, it's considered an asset of the corporation holding it. The Fair Credit Reporting Act still puts the burden of monitoring and repairing credit profile on the individual. The free credit report legislated in the past couple years does nothing to stop identity theft, and the FCRA continues to be decidedly anti-consumer.

The Fair Credit Reporting Act should allow me full and unfettered access to the information about me whenever I deem it necessary. NO ONE should be able to gain access to my report without my consent, and no one should be able to open credit under my profile without some form of verification that I permitted it. While they're at it, I should have free access to my FICO score without having to sign-up for trials or scam services. If you're going to use my personal information to create a benchmark of my credit worthiness, then I should have free access to both. They both affect my interest and insurance rates.

As others have said, laws making something illegal or "extra illegal" are not going to stop criminals. What will slow this problem is forcing information brokers and providers to clean up their act under the threat of dire financial losses. And while the lawmakers are at it, they need to make sure that consumers have easy and ample access to their credit profiles in order to stop the damage from the inevitable theft of someone's identity. In this day and age where you can get a $30,000 car loan in 2 minutes, it is infurirating that you can't check your credit profile for free on the credit reporting agencies but once per year.

I'll make it really, really simple. (1)

hey! (33014) | more than 7 years ago | (#18844403)

Simply adopt the EU Data Privacy Directive [wikipedia.org] , lock stock and barrel.

It isn't just that this is the most well thought out approach to data privacy there is, although having the advantage of hindsight it probably is. It shows some family resemblance to the 1972 US HEW recommendations on "Records Computers and the Rights of Citizens", but with the benefit of two more decades of legal, technical and business experience.

It has actually been implemented. European society, and more importantly European commerce did not collapse. While it protects individual rights much more robustly than US law, it has not resulted in the destruction of the informatics or financial services sector. Nor has it hamstrung Europe's law enforcement agencies, since it provides for reasonable exceptions in criminal investigations and national intelligence.

What is more it is US commerce as a whole that is at risk from US privacy policies.

Strictly speaking, no company in the EU should ever send personal data to a US company, because you can't get around EU privacy laws by shipping data overseas to some legally backward country (meaning us). We have strong armed the EU into a safe harbor agreement, but it's politically unpopular oer there, and the first really bad privacy screw up involving EU citizens and the agreement is out the window. You may have noticed that the US government is not popular over there.

However, if we adopt the EU directive, Americans will finally enjoy the same privacy rights as Europeans, and there will be no complicated legal barriers to doing business withe Europe, or any other part of the world that adopts the same standards and is politically stable.

Law Firm? (1)

cybermage (112274) | more than 7 years ago | (#18844503)

I'd like to see fewer laws drafted by lobbyists. Can they include that?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?