Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Data Theft and Corporate Irresponsibility? 352

Posted by Cliff
from the they-lose-we-pay dept.
cjsnell asks: "Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"
This discussion has been archived. No new comments can be posted.

Data Theft and Corporate Irresponsibility?

Comments Filter:
  • Recourse (Score:4, Funny)

    by alshithead (981606) on Monday June 19, 2006 @10:26PM (#15566387)
    Forward all of your bills to them.
    • by Travoltus (110240) on Tuesday June 20, 2006 @01:38AM (#15567043) Journal
      In the name of the Libertarian Party, I would like to speak on this issue.

      I'm appalled by all the anticapitalist rhetoric that is being spewed on Slashdot regarding the corporate use of your personal information and the occasional leak of your SSN into the wrong hands.

      You people talk like you want absolute ownership over your personal information. Like you want a corporation - an entity that only exists for the purpose of maximizing net profit - to take responsibility for handling your personal information. Then you'll be holding them liable for mishandling your info. Do you realize what damage this will do to corporate profits?

      That utterly reeks of communism. What's next? Treating your personal information as your own property to be handled on your terms and not theirs? Heck, if we follow that line of reasoning, the Government will have to intrude even further into our lives and implement a law to treat personal information brokers like Choicepoint and Unicru as potential data pirates. I can see it now: the Digital Millenium Privacy Act.

      Corporations made America, and now you pink commies are about to create a kleptocracy in the name of your overzealous attack on public access to personal information. Sheesh.

      [...end Right wing parody]
    • Re:Recourse (Score:5, Informative)

      by Choco-man (256940) on Tuesday June 20, 2006 @08:29AM (#15568529)
      I've had this happen to me 4x in the last 2 months. I urge you all to write your congress-person and state attorney general (not email, write the letter folks) - here's what i am sending:

      Senator Specter,

      I am writing to voice my concern over the lack of control many corporations have over my personal information - and just as importantly, the lack of recourse I have as a citizen should those corporations abuse my information. Over the course of the past 60 days, I've received 4 notices that a given corporation - two of which I don't even do business with, nor have I ever - have had my personal information compromised. Two of them were kind enough to provide suggestions as to what steps I should take to monitor this, one of them simply stated that they'd allowed my information to be compromised, and the final one actually sent me an empty envelope. I contacted them based on their return address to make an inquiry, and obtained confirmation that that too had compromised my information.

      All this within a two-month period. And these are the ones that have voluntarily divulged that my information has been compromised - I'm assuming there have been other incidents that have not been disclosed.

      It's absurdly obvious to me that, at minimum, there needs to be minimum standards of data protection, and recourse for the individual in the event that one suffers personal loss as a result of a corporation not adhering to those minimum standards of protection. In the day of high speed data transmission and very powerful encryption techniques, it's ludicrous that they are transporting these types of sensitive information around on unencrypted computers and on non-secured servers or portable drives.

      I do not want to wait until something detrimental occurs to me before I take action. Identify theft has become so common place that it's become background noise, and we as a society have accepted it as a part of life in the modern world - this can not be the solution. Until there are ramifications for corporations that mistreat personal data that results in personal harm, there is no incentive for them to alter their behavior.

      I certainly do not have the answer, nor would I presume to tell you what should be done to rectify this. I would, however, ask that you expend some resources to find and implement a solution to the issue. I am quite confident that were the tables turned, and I were to disclose damaging information that affected the fiscal health of those companies, that the repercussions I would face as a result from them would be quite serious.

      Thank you for your time.

      Regards,
  • Simple... (Score:5, Funny)

    by Cheapy (809643) on Monday June 19, 2006 @10:29PM (#15566398)
    Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
    • by Ruff_ilb (769396) on Monday June 19, 2006 @10:36PM (#15566432) Homepage
      Tell them that if you don't get your credit card watched, you're going to burn the place down. Burn it to the ground, and then take a vacation in some far off tropical place.
      Like Nigeria? I hear there are lots of... lucrative... investment opportunities over there.

      Just Email me with your Name, Address, Social Security number, and Credit Card information and I'll take care of it all.
      • by fatman22 (574039)
        All of that information is now available just about anywhere, which makes it pretty much useless for you because it gives me plausible deniability for any transaction.
    • by Eccles (932) on Monday June 19, 2006 @10:53PM (#15566502) Journal
      Tell them that if you don't get your credit card watched, you're going to burn the place down.

      They stole my identity, not my stapler.
    • Re:Simple... (Score:4, Insightful)

      by frisket (149522) <peterNO@SPAMsilmaril.ie> on Tuesday June 20, 2006 @05:01AM (#15567639) Homepage
      > Do we, as consumers, have any recourse against these businesses?

      Nope.

      If you choose to live in a country where the government is pro-corporation instead of pro-people, you've got to accept that you're powerless. If you don't like the heat, get out of the kitchen -- or do something about the chef :-)

      • Re:Simple... (Score:3, Insightful)

        by qwijibo (101731)
        It depends on the type of consumer you are. If you're a net-debtor, you have to bow down before them and accept your role as a peon. However, if you live within your means, you always have the option of telling them to stuff it. You can't do anything about the companies who amass and lose your data, unless you can afford to sue all of them.

        What I don't understand is why people spend unlimited time negotiating with companies they have no legitimate association with. If a company is reporting that I owe t
  • by carsonc (792247) * on Monday June 19, 2006 @10:31PM (#15566413)
    For most things, organizations don't need much if any of your information. The want it to mine... there is no down side for them. For the companies that do need data, I believe that every field in a credit report should have a complete audit history and companies should have to pay up and fix their mistakes. If legislation also made them accountable for data theft then you would see a lot less information collected. That would be a good thing.
    • Yep... (Score:5, Interesting)

      by msauve (701917) on Monday June 19, 2006 @10:49PM (#15566487)
      unless they're making payments to my Social Security "account," (i.e. paying me on a W2) they don't get my SSN. Unless they're [i]required[/i] by law to report tax info, they don't get my Federal Taxpayer ID (which happens to be the same as an SSN). I even went after my employer for violation of their own "Employee Privacy Policy," for giving my SSN to a third party health care provider and forced issuance of an insurance card with a non-SSN assigned number.

      You [b]can[/b] do it, but it can also be a hassle, since you have to educate people (especially health care people, who seem to be clueless as a whole).

      • Health Care (Score:3, Interesting)

        by skogs (628589)
        I second the healthcare problem as top on my list.

        My data has been lost 3 times in as many years...all by the wonderful work of healthcare related companies. Seriously...how hard is it. Just don't lose it. Better yet...don't store it in the first place.

        I've had to put watches on 'my accounts' with the credit reporting agencies myself for each one too. You know how irritating it is that I have to take a couple of hours out of my day to fix some other nimrod's stupidity induced problem? Makes me want to
      • Re:Yep... (Score:3, Informative)

        by gumbi west (610122)
        The medical industry has $250,000 fines for breaches of medical data combined with a get out of jail free card from the administration [infoworld.com]. Examples include doctors just throwing out medical records. The sad thing about that is how many people had to know about that, and nobody said anything.
      • Re:Yep... (Score:3, Interesting)

        by autophile (640621)
        What was that story someone here told about a hospital that wanted an SSN in order to provide services? The government doesn't require a hospital to collect an SSN. But a hospital is also not required to provide services without one.

        It's the Golden Rule in operation. He who has the gold makes the rules.

        Not that I'm pro-information-abuse.

        --Rob

        • by msauve (701917) on Tuesday June 20, 2006 @09:44AM (#15569175)
          what they're really asking for is your health insurance account number. The vast majority of insurance plans use the SSN as an identifier, although that is slowly changing. If you have a non-SSN account number, they're typically also 9 digits. When they ask for your SSN, just give them that 9 digit number. If you try to explain or argue, they get confused.
    • For most things, organizations don't need much if any of your information. The want it to mine... there is no down side for them.

      And, in general, you need their services more than they need your business. And it's not like you can count on competition to solve the problem: they're all like this, and it's likely there's a "gentleman's agreement" in place to keep things as they are. After all, nobody (except the customer) really benefits if someone steps up to the plate with a smaller information requi

  • by hackwrench (573697) <hackwrench@hotmail.com> on Monday June 19, 2006 @10:32PM (#15566415) Homepage Journal
    There is a growing and growing group of things that seem completely out of hand once it happens to you. I'm not sure who "we" are, but we need to get together either as a nation or a planet or just some concerned human beings and take a serious look at where we are and where we want to go from here.
    • by plover (150551) * on Monday June 19, 2006 @11:17PM (#15566612) Homepage Journal
      In this particular case I think the credit reporting agencies have way too much power. Their information is used for everything from cell phone contracts to insurance rates to employment background checks. And they've done it without oversight, without honesty and without ethics. They will collect, report and do anything to sell someone another peek at your Fair Isaac score. And every company wanting to sell anything at all gets to use this automated system of discrimination ("hey, it's not a race/ethnic thing, it's just your computer score and the computer is color blind." As if having an address in The Projects would be anybody's choice, yet it all factors into your score.)

      We've evolved our own Big Brother via capitalism.

      Somewhere, Karl Marx and George Orwell are sharing a laugh from beyond the grave.

      • by gEvil (beta) (945888) on Tuesday June 20, 2006 @06:19AM (#15567843)
        I'd tell people to mod you up, but you can't go any farther. As I've often said in the past (and will continue to say), the credit reporting agencies don't give a shit about you. They have no reason to care about whether the information they have on file for you is accurate. YOU ARE NOT THEIR CUSTOMER. Their customers are the ones they're selling your information to. When you contact them to complain about inaccurate information, they consider it a nuisance that *might* need to be dealt with. And the simple reason is because YOU ARE NOT THEIR CUSTOMER.
        • by jimicus (737525)
          The UK (and, I believe, most of the EU), has a Data Protection Act.

          Briefly, this states that data must be:

          * fairly and lawfully processed;
          * processed for limited purposes;
          * adequate, relevant and not excessive;
          * accurate and up to date;
          * not kept longer than necessary;
          * processed in accordance with the individual's rights;
      • I think you are probably right in some respect - but I disagree that economic discrimination is bad. I mean, what incentive would you have to manage your finances if there was no repercussions to doing it poorly? Why should the credit card companies not be allowed to share data for their own protection? Why should a car dealer give you a 0% loan when you've never paid your credit card bill and you're already behind on a mortgage?

        You can keep them from getting any of your information right now if you don't t

  • starting over (Score:5, Insightful)

    by silentscope (908971) on Monday June 19, 2006 @10:32PM (#15566417)
    Start over with a fresh identitiy.
  • by electroniceric (468976) on Monday June 19, 2006 @10:33PM (#15566420)
    There are two simple prescriptions for this:

    1) Create and enforce real liability for loss of personal data. After that it may make sense to introduce "safe harbor" general privacy regulation (unlike domain-specific regulation like HIPAA) where if you comply with the regs, you get relief from liability in the event of a genuine mistake or contingency.

    2) Create and enforce real responsibility of credit providers and credit bureaus. Allow consumers to immediately suspend any line of credit, and require true checks before issuing credit (no more instant credit). No more endless paper battles to get credit ratings fixed, charges rescinded, etc. [These previous two were cribbed from Kevin Drum at WashingtonMonthly.com. He expouns on this subject quite regularly]. Liability for failing to properly check that credit is properly issued or used, which is supposed to be the reason why vendors and buyers pay exorbitant credit card rates in the first place.

    Get the liability in order and regulation will the preferable alternative.
    • by bmwm3nut (556681) on Monday June 19, 2006 @10:58PM (#15566531)
      I don't like the idea of a "safe harbor" or anything like that. If I give my money to a bank and they lose it, even through a "genuine mistake", I get it back. Likewise, I expect that if I give information to a company, and they lose it, they are liable for any harm that comes from that loss. The trouble is that when the governemnt gets involved, then the lawyers at the companies will get involved and they'll look for loopholes and such. There have been a couple of laws passed in the last couple of years that give protection to the companies (Why do you think the submitter was notified of the data loss? Not because the company cares about the submitter, but they get legal protection if they notify of the loss), what we need is to not have those laws and let it up to people to bring civil cases against the companies that lose the data. Yes it will be expensive, but after a few precidents are set, then it'll be easier for the little guy to go after the big companies that lose the info.
    • by rcw-home (122017) on Monday June 19, 2006 @11:44PM (#15566708)
      2) Create and enforce real responsibility of credit providers and credit bureaus.

      Easy. Just make libelous statements on a credit report... libel. You lost your earnest money because you couldn't get a home loan because you allegedly signed up for a credit card, maxed it out, and never repaid it? You get passed up for a job because a car purchased in your name got repossessed? You prove it, you sue the credit bureaus, you win treble damages.

      Suddenly, credit bureaus would require a lot more proof before dinging your credit score, and they'd promptly correct their mistakes.

    • Ask yourself this.

      Who would benefit from such laws, who would have to spend more money.

      Then ask.

      Who gives money to politicians.

      Then ask.

      What percent of eligable voters voted last election.

      By now I think you would get the point. It will never happen. Not till americans are pissed off enough to vote. The only thing I can think of that would piss them off is the superbowl being cancelled or a blackout on american idol or something. They don't care about anything else (except the fags getting married of course)
  • by Anonymous Coward on Monday June 19, 2006 @10:33PM (#15566422)
    Yeah, go to another company and steal their computers.
  • by bsartist (550317) on Monday June 19, 2006 @10:34PM (#15566425) Homepage
    Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?
    • by Anonymous Brave Guy (457657) on Monday June 19, 2006 @10:37PM (#15566441)
      If the most well-funded military in the world can't keep a lid on our personal data, who can?

      Someone who never has the data to lose in the first place.

    • Mine came from the Dept. of Veterans Affairs. You might have seen the story about the stolen laptop on the news. If the most well-funded military in the world can't keep a lid on our personal data, who can?

      I got mine from the VA [va.gov], too. The VA is not the Department of Defense [dod.gov], though.

      -h-
      • by MillionthMonkey (240664) on Monday June 19, 2006 @11:28PM (#15566662)
        One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It's only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone's SSN has been compromised, and someone is going to compile them and make them widely available.

        That would be the most bitchin' thumb drive, wouldn't it? You could show it to all your friends and taunt them. I'd better not lose my keys or you're all screwed!
        • Pseudocode:
          for A = 0 to 999
            for B = 0 to 99
              for C = 0 to 9999
                print AAA-BB-CCCC
              next
            next
          next
          The names part is left as an exercise for the reader.
        • I agree (Score:3, Interesting)

          by Ogemaniac (841129)
          Either the cat is all the way out of the bag, or it is close to being so already. I just operate under the assumption that someone with the desire to can find such information about me and use it to his or her advantage.

          People need to quit worrying about stuffing genies back into bottles and learn to adapt. Government, businesses, and credit agencies need to learn to adapt, as well.

          Yes, you lazy schumcks, this means you actually have to read your bills and check your credit report occasionally.
        • You could fit them all on a USB thumb drive.

          Nice USB disk. Not to diminish your post, but let's do the math so people can see EXACTLY how much info would be there. 4 bytes (SSN) + 14 bytes (avg) for a name + null byte = 19 bytes each. 262 million US citizens * 19 bytes is 4.64GiB. If you keep the optimal binary format, and want to add DOB, add another 4 bytes per record for a total of 5.6GiB. First and last names are seldom unique in the US, so assume it could be compressed by 50% for a backup.

          If it

    • by horatio (127595) on Monday June 19, 2006 @11:07PM (#15566568)
      What I can't figure out for the life of me, is why the hell all this information is being stored on portable (laptop) systems, and not on the servers behind locked doors and firewalls where it belongs....how do you get millions of SSNs stored locally on a damn laptop and not consider the consequences?

      Then again, hiring agencies like usajobs.gov want you to email your SSN as part of your application materials, and if you complain, they fire back some bullshit from their privacy policy...this is what they told me:

      Within the Federal job application process, Social Security Number is a unique identifier. Applicants must provide their Social Security Number (SSN) to identify their records because other people may have the same name and birth date and the Federal Government is legally authorized to require this information. This authority is provided under Public Law 104-134. While job applications may occasionally be accepted in a system without the Social Security Number, your applications will likely not be accepted/processed if they do not give the hiring agency the information requested. Please know that the personal and private information you provide is encrypted during transmission and encrypted in our databases. Please also know that all personnel with access to sensitive data are legally bound to use the information only for its intended purposes. Please see our Privacy Statement: http://www.usajobs.opm.gov/privacy.asp [opm.gov] for additional information.


      * emphasis mine to illustrate the absurdity

      I never once argued about whether they could or should be asking for. I was only asking for alternative methods besides frickin e-mail on how to provide it.
    • My VA letter commented that info on family members might be there too. Great- now you have my wife's info too...
  • by mattr (78516) <mattr@telebod[ ]om ['y.c' in gap]> on Monday June 19, 2006 @10:35PM (#15566428) Homepage Journal
    Japan has a strong law and companies must follow certain procedures for storage of over 500 names, which has a major effect on business. It hasn't increased security per se, considering the thefts in the news, but if you could show they did not follow the law they would be liable I think. As for the U.S. my guess (IANAL) would be that you'd have to get info about how they stored your data and what happened, and then prove their negligence, and who knows if there is even a precedent (groklaw?)
  • It is a bit off tangent, but I believe Ice Cube said it best: Laugh now, cry later. It is the way both the House and Senate view the problem of ID theft. They aren't doing much to protect the consumers, and allow individuals to consume personal data through public records. They may laugh now while the votes are coming, but eventually we all are going to cry later when our personal information will be the gold nuggets of the Digital Western Frontier.

    • by R2.0 (532027) on Monday June 19, 2006 @10:53PM (#15566501)
      Congress will care about it when a laptop full of THEIR personal data gets stolen.

      Just like the Jefferson fiasco - FBI busts down a citizen's door, it's strong justice; bust down a Congresscritter's door and it's a CONSTITUTIONAL CRISIS!!!!omgwtfbbq
      • Congress will care about it when a laptop full of THEIR personal data gets stolen.

        BS. In 2000, Republican aides hacked into the Windows server shares of Democratic members of congress due to an error in how the share permissions were set up (aides from both sides were "administrators" and so were able to take ownership). Strategy memos were stolen and given to Republican congressional leadership.

        *NOBODY* did a damn thing. Nobody was punished. Just "tough" politics.
        These are our representatives. These a

      • Just like the Jefferson fiasco - FBI busts down a citizen's door, it's strong justice; bust down a Congresscritter's door and it's a CONSTITUTIONAL CRISIS!!!!omgwtfbbq


        Well, to be fair, it is somewhat disconcerting to see the Executive Branch (FBI) busting down the door of the legislature (Congress) because of the implications on the balance of powers. An overly strong executive branch can be a scary thing.
        • Well, to be fair, it is somewhat disconcerting to see the Executive Branch (FBI) busting down the door of the legislature (Congress) because of the implications on the balance of powers. An overly strong executive branch can be a scary thing.

          And who exactly is supposed to be policing congress anyway? This really isn't about seperation of powers in the end. Think about it. All Law enforcement comes down from the Executive Branch, so who is supposed to police congress?

          Put another way. Who is in charge
        • Bzzt!

          They had a warrant.

          So it was the Executive plus the Judiciary taking on the Legislative.

          That's exactly how it's supposed to work.
  • "Do we, as consumers, have any recourse against these businesses?"

    There's always the solution from Fight Club. [imdb.com]

    Oops. I'm not supposed to talk about that. Forget I said anything, will ya?
  • by spycker (812466) on Monday June 19, 2006 @10:38PM (#15566444)
    Why don't you set up a website that collects information about those who have been actually hurt by identity theft and trace it back to its source company if possible. Then give that information to a land shark for a fee. You could make $200-300 thousand.
  • Me too (twice even)! (Score:5, Interesting)

    by RootsLINUX (854452) <rootslinux.gmail@com> on Monday June 19, 2006 @10:43PM (#15566461) Homepage
    I've had my identity stolen twice. Once for UC Berkeley's "snatched laptop" that made the news a while back, and more recently a desktop from Georgia Tech. I applied to both schools (UC in 2003, GT in 1999) but attended neither. But they still held on to my personal information for their own convenience. Furthermore, I wasn't informed of the theft by either school until weeks after it had taken place (so in the mean time while I was unaware, my credit could have been destroyed). A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

    Anyway to answer your question: IMO (and IANAL), the court would not force the 3rd party who's information was stolen to compensate your ID theft protection service, should you take it to a small claims court. However, if your credit record was destroyed as a result, I think you would have a better chance at winning some financial compensation for your case. So the best short-term answer I guess would be: put ID fraud alert on ASAP and unless you have spare time and a thirst for absolute justice, don't take it to court (although you could ask them nicely to compensate you, at least partially if not fully).

    The long-term solution here people, is to get a god damn law passed. This is absolutely ridiuclous how much this occurs, and its usually because of poor/inadequate/incompetent security on the fault of the 3rd party containing the info. I am actually very interested in proposing such a bill to our legislative branch, but I'm an engineer and a grad student, and I have little time to spare right now. If someone is interested in moving this forward, let me know about it because I would like to do what I can to be involved. I believe such a bill should cover:

    1. The circumstances under which a company/school/whatever may contain your personal information
    2. The length of time under which they may retain that information (with mandatory and permanent removal after a given period of time)
    3. A definition of the minimum necessary security measures a party must take when retaining another's personal information
    4. Explicitly stating to the person when they will retain their information, for how long, and what security measures they will take to protect it
    5. In the case of theft, if parts 1-4 are not satisfied, the party owes full monetary compensation for providing ID theft protection, and also granting the person the right to choose what ID protection service and what level of protection they want
    6. In the case of theft, if parts 1-4 are satisfied, the party owes a minimal monetary compensation for ID theft protection that meets certain stated requirements.


    How's that for a start?
    • by RootsLINUX (854452) <rootslinux.gmail@com> on Monday June 19, 2006 @10:50PM (#15566489) Homepage
      Damn, just after I posted this I realized I forgot to mention another part (which parts 5 and 6 are also dependent on in the same way they are dependent on parts 1-4)

      7. In the case of theft, any and all persons that may have had their information stolen in the theft must be informed within a 48 hour period upon discovery of the theft. No party may with hold or keep secret the theft any longer, or they are subject to further financial obligation to the victims.

      Of course "48 hours" is something I pulled out on a whim right now, and "all persons that may be effected" can be intentionally misinterpreted by a party. In reality, if one person's information was stolen, there is a non-zero chance that everyone else had the possibility of having that information stolen.
    • How's that for a start?

      It's a great start. All you're missing is about a billion dollars or so in cold, hard cash. That being roughly the amount of money you'd need to toss around Capitol Hill in order to buy enough politicians to ever have a shot at passing something when every financial institution, insurance company, and data-mining outfit in the country would be fighting it tooth-and-nail.

      Come to think of it, I doubt a billion bucks would be enough.

      I think this is going to be another area where the corp

      • by Tensor (102132)
        Easy ! lets steal all Senators and Congressmen info's and post it somewhere anonymously. Then i'd bet they start to care !
        • by Kadin2048 (468275) <slashdot.kadin@x[ ].net ['oxy' in gap]> on Tuesday June 20, 2006 @08:20AM (#15568439) Homepage Journal
          In all honesty, there's something to that idea.

          A while back when it first came out that you could call up certain companies and for less than $100 get basically anyone's cell phone records, I remember that somebody did it to the Canadian Privacy Minister (or someone to that effect, I forget their actual title) and mailed the results to them.

          Short of actually tossing tons of money at them, that's probably one of the more effective means of influencing politicians on privacy issues: make them care by putting their privacy into question along with everyone else's.

          I wouldn't ever advocate anything illegal per se, but a lot of good could potentially come from a massive data theft of every member of Congress' credit histories and banking records (besides just finding out who's really on the take).
    • > A few weeks ago, someone hacked into the UT Austin business school computers and snatched information from current and former faculty, staff, and students. A professor I am currently taking an intellectual property course with was talking about it and how he has all his info on fraud alert right now. The school negotiated with an identity protection service to offer him a major (66%) discount, but he's still paying something like $20 or $70 a year for this (I forget what amount he said exactly).

      So how
  • by mr_stinky_britches (926212) on Monday June 19, 2006 @10:45PM (#15566470) Homepage Journal
    Generally, it has been my experience that people are completely willing to give up very private information whenver demanded by a company or similar seemingly legitimate and authoritative entity. I encourage everyone to be more wary and careful about who they give their SSN to. Identity theft has become a rampant problem for many people all over the world. We have to wise up and Just Say No.
    --
    http://wi-fizzle.com [wi-fizzle.com]
  • Sue them (Score:3, Informative)

    by WindBourne (631190) on Monday June 19, 2006 @10:45PM (#15566473) Journal
    Look; Go after the company for negligence. If they used Windows, then show that their useage of windows was irresponsible (it is). If they allowed an employee/contractor to take data that had your information on it, then sue them for not locking down the box or allowing it out in the first place. Sadly, congress is trying to pass laws that make these suits disappear. But if we go after them now, then as suits are won, the companies will actually start caring about the information that they so carelessly allow out. It would be nice if the CIO's could be held legally accountable for choices that they make without consideration to security.
    • If a credit reporting agency falsely claims that a person has gone into massive unpaid debt when actually they are the victim of criminal theft, the credit reporting agency should be liable for damages (denied loans, higher interest rates, pain and suffering) due to their libel. I think even the threat of a class action lawsuit based on these grounds would significantly clean up the big credit reporting agencies' act.
    • Look; Go after the company for negligence.

      Their "cyberliability" insurance would probably cover that. The end result is their premium goes up. At what point does the expense of insurance outweigh taking the proper safeguards to protect consumer data in the first place? Either the protection (insurance) needs to cost a whole lot more or the punishment for negligence more severe. Perhaps if we start with the latter by declaring the proper criminal repurcussions we'll end up with higher (hopefully, much so

  • But they got A's... (Score:2, Interesting)

    by Anonymous Coward
    Notice, they did get A's for Reporting and Notification and Information Dissemination. So they can't be doing all bad.

    I would have given them an F for Loosing the F'ing Data in the First Place. But what do I know.

    The problem is outsourcing. And it doesn't matter to whom or where you outsource. Now Texas Guaranteed can say, "We followed out procedures, it's not our fault." I work with a couple people who want to outsource almost every function. Why, because you have someone else to blame when there
  • by tlambert (566799) on Monday June 19, 2006 @10:48PM (#15566486)
    You can place a fraud alert on your credit report. An initial alert does not require a police report, and lasts for 90 days. During this time, you may end up having to jump through additional hoops to obtain new credit.

    The easiest way to put an alert is to use the online form at Experian; alternately, you can call any of the credit reporting agencies to also set up an alert, if you want to do it by phone, instead.

    The direct link for the Experian site to do this is:

    https://www.experian.com/consumer/cac/InvalidateSe ssion.do?code=SECURITYALERT [experian.com]

    More advice available here for identity theft victims:

    http://www.consumer.gov/idtheft/con_steps.htm [consumer.gov]

    Hopefully, you will not need it.

    -- Terry
  • What I've done (Score:5, Insightful)

    by cimmer (809369) on Monday June 19, 2006 @10:53PM (#15566505)
    I've stopped worrying about whether or not my information is out there. Having been involved in IT security in the financial services industry for some time now, I know how haphazardly our personal information can be treated. Many company executives don't want to spend the money to turn already functional and profitable systems into secure data stores or the money to hire enough skilled security personnel as they are cost centers, not revenue producers.

    Instead I've gone on the defensive and assumed that my identity is already compromised. I coughed up $130 for 3 in 1 credit monitoring services (one of the big three credit bureaus has a two for one going if you call them. got a spouse?). I also keep close tabs on my credit and debit card activities, which doesn't require all that much effort since I cancelled all but 2 credit cards and my debit card. It means some money and time spent up front, but it's not too intrusive and it gives me a reasonable degree of confidence.

    As long was we maintain some degree of privacy, identity theft is here for the forseeable future. I'm not saying don't hold companies responsible. I am saying realize that many companies in control of your information will be irresponsible regardless of what they can be held accountable for and that it's a good idea to take some personal responsibility for protecting yourself.
    • I'm sorry, but this is exactly the wrong approach. Your action acknowledges that it is your responsibility to police the actions of other parties as it relates to information that you do not control either the content of or access to. The more people that take this approach, the more it will become the established practice.

      Use the lawyers against these guys instead. Go for a class-action lawsuit against the bureaus, the credit issuer, and anybody that leaked data. The problem won't be solved until the c
  • Our company does a lot of data processing on job applicants and up to about three years ago, saying that the collection of SSN's was mandatory wasn't even second guessed. Within the last nine months, two of our customers demanded that not only do we stop collecting the applicants SSN's, but that we also purge our entire DB of previous applicant SSN. This is all due to the growing trend of corporate policy of collecting data that could be linked to identity theft. It's a liability thing for them.

    Not to say t
  • by bunions (970377) on Monday June 19, 2006 @11:05PM (#15566561)
    This sort of thing is exactly why class action lawsuits exist. Find a lawyer, start one. Companies will do whatever is most cost-effective, so you simply need to make losing your private data expensive.
  • Recourse? (Score:3, Insightful)

    by mfago (514801) on Monday June 19, 2006 @11:15PM (#15566601)
    No, not unless the american people elect a congress that gives a damn about something other than big corporate sponsors. That's the only reason I can think of why the US doesn't have a law that makes businesses responsible for safeguarding personal information. According to "free market" forces your SSN and credit history is only another product, much less something to be protected.

    I've been hit three times myself in the last 4 months. What am I supposed to do, sue three $50B corporations?

    Oh, and don't believe the neanderthals that tell you the free market lets you "vote with your business" -- not when everyone seems to be involved.
  • Here is a link to two proposed bills on identity protection. [loc.gov]

    One is dated July 14th 2005, while the second version is dated December 8th 2005. Get off your ass and call up your senator and tell them that you feel this bill should be passed into law to protect you as either a former victim, or possible future victim. Cite some recent examples of identity theft from the news. Tell them that this is more important to you as a citizen that they are supposed to represent, compared to whatever other "important agenda" they are talking about right now in the Senate (gay marriage, starting MORE wars with countries in the name of "freedom", etc). Don't just whine and complain because no one is going to want to listen to you. Instead, push and shove so that they will be forced to do something about it!

    (Cue Braveheart moment) - FFFFFRRRRREEEEEEEDDDDDDOOOOOOMMMMMM!!!!!

    Oh yeah, and don't forget to buy LOTS of stock in identity theft protect companies! Citizens will win, and irresponsible parties will lose!
  • Not only have two (or three? I lose track) different businesses lost my information, but I just got a letter from the Veteran's Administration that military records of tens of thousands of former servicemen and women, including me, have been lost. They were found again, and the VA doesn't *think* that the data was ever in malicious hands, but they can't really be sure.

    Who can keep my records safe? No one. The only reasonable answer is that organizations, public or private, should simply not keep any i

    • > Who can keep my records safe? No one.

      Which suggests working on a back-end solution as well. Half the problem is that people can get your identity info too easily; the other half is that it's too easy for them to exploit it.

      I saw a news story about some people who had their houses sold out from under them by identity crooks. It's preposterous that that could happen, no matter how much info about you someone has.
  • If our legal system had not been corrupted by the loan sharking ( consumer banking/credit cards) industry you would have the right to sue for damages based on whatever this loss of your information cost you plus some measure of punitive damages for their failure to handle your information securely. Until the liability is placed squarely where it belongs identity theft will not be stopped because it doesn't hurt the bottom line.

    One of my proposals.

    Section 1: No sensitive information is to be stored on a Lapt
  • by xkr (786629) on Monday June 19, 2006 @11:34PM (#15566677)
    Under the law, it's not your data, it's theirs. Yup. Absolutely 100% true. Whoever collects data, owns the data. There is no legal basis whatsoever that information about you is owned by you, but for two exceptions: (1) Conversations with your lawyer are privileged, and (2) medical information. So, except for the lawyer and doctor lobby, you are hosed.

    Would this be a good time to put in a plug for a constitutional amendment that extends personal property rights to personal data?

    • Just like it is in Europe, my personal information is mine and I can request removal from the database (except for some special cases) and the maintainer of the database will have to comply with a written statement within two days, and can only charge a reasonable amount (iirc less than 10Euro) for it. Can you imagine the upset Europeans feel for the fact that almost every tiny bit of information has to be send to the government of the United States when we enter the country. (especially with the 'proven t
  • Vote for Congressmembers who will amend the Constitution to reiterate our 4th Amendment right to security in our "homes, papers and effects" as our "right to privacy", just as the Bill of Rights reiterated our rights for those who'd pretend the Constitution doesn't require the government to protect them.
  • As long as congress is owned by the corporations. The name of the game is avoidance of responsibility. No legislation that threatens to even slightly reduce their precious profits will probably pass. In addition, our ability to file class actionn law suits is also being gutted. Once again to protect the large corps.

    Welcome to America.
  • by greeneggs2000 (739337) on Tuesday June 20, 2006 @12:13AM (#15566810)
    Don't worry, Congress is on the case. Republicans are trying to overturn state laws protecting against identity theft. Overriding the California law is particularly important, even to people who don't live in California -- it is the California law which has forced companies to disclose identity thefts in the first place (they have to disclose thefts involving Californians, but that's most of them).

    Credit Freeze Under Fire [sfgate.com]

    'The so-called Financial Data Protection Act of 2006 (HR3997) would also weaken state laws requiring disclosure of security breaches. In California, businesses must notify people if their personal info "was, or is reasonably believed to have been, acquired by an unauthorized person."

    'Under the proposed federal legislation, such disclosure would have to be made only if a company determines that a security breach "is reasonably likely to result in harm or inconvenience" to individual consumers.

    '"Basically, the company would have to know that you're a victim of identity theft before it needs to tell you that you could be a victim of identity theft," said Ed Mierzwinski, director of the U.S. Public Interest Group's consumer program in Washington.'

    • Another critic of that proposed law is Consumer advocate Clark Howard. His article is here:

      Contact your reps over credit freezes [clarkhoward.com]

      According to his article, 23 states now have credit freeze protection laws. The proposed law in congress would essentially invalidate all of these state laws. After reading both the article you mention and his, it sounds to me like congressmen LaTourette and others are more concerned about the wishes of large financial institutions than protecting average consumers. The a

  • *RANT ON*
    Nothing will change until the "important" people get their personal information outted -- and on a regular basis.

    The government (Congress, President) don't really care about folks like the veterans beyond paying lipservice to the data thefts.

    Now if we'd see where all the personal information of people in the Executive and Legislative branches was stolen and published we might see some action.

    I'm surprised nobody regularly publishes the information of the upper management teams of the major credit r
  • by Dark Coder (66759) on Tuesday June 20, 2006 @12:45AM (#15566901)
    Make the Social Security Number public to EVERYONE.

    That's right, cat's out of the bag. Can of worm has been opened. Too late.

    Ban use of Social Security Number as an identifier, except for Social Security, like it was supposed to be in the first place.

    Each business entities must use their OWN issued numbers.

    Wide-reaching Identity Theft Containment problem limited to just the affected business.

    Now, it is time to look into three-way public keys to ensure that consumer data is not misused:

          1. Merchant/Business/Corporation
          2. End-user/User/
          3. Arbitrator/Government

    With keys signed by each other in 3-ways, secured identification and security of data compartmentilization has been greatly enhanced.

    Each and every transaction is signed, sealed and delivered by all 3 parties.

    Now, let's get an infrastructure going on this...

    Even Bruce Schneier [schneier.com] agrees to this.
    • Ban use of Social Security Number as an identifier

      It's not really the use as a password that's the problem. It's that organizations use it as a freaking password!

      While Spafford has demonstrated that regular password changes add nothing to security, to use a fixed unrevocable number as a password is beyound stupidity. You have to be able to tell the world, "my password has been compromised, please re-authenticate."

      Most companies use your name as an identifer, even though it's non-unique. They'l
  • by tres3 (594716) on Tuesday June 20, 2006 @03:56AM (#15567467) Homepage
    That's right, when a card is fradulently used they charge the purchase back to the retailer. That way they get a transaction fee on the original sale and then a bonus transaction fee when they carge the retailer for the fraud that they allowed to happen. The trick to wiping it out overnight is make the fraud cost the credit-card company money. As it stands now they have absolutely no insentive to do much about it. Did they not issue the fradulent card to someone other than you after your identity is stolen? Do they have no responsibility to verify the information they receive? Do they not have a responsibility to the retailer to honor debts that they authorize? (Well not really, that's what the merchant agreement is for. You don't like it? Don't accept credit cards.) It is no wonder that the most profitable industry last year was the banking/finance industry. It is also no wonder that they contribute the most to the politicians. On one side they change the bankruptsy laws so you can't get out of debit and start over and on the other they are pushing off the responsibility to the merchants as much as possible too. More reading:

    http://www.smithfam.com/news2/july02a.html [smithfam.com]
    http://www.answers.com/topic/credit-card-fraud [answers.com]
    One of the two (answers/wikipedia) plagerized the other. ;-)
    http://en.wikipedia.org/wiki/Credit_card_fraud [wikipedia.org]

    Make the credit card companies take responsibility. Make it them that has to pay for fraud and the situation will rememdy itself overnight!

  • by stuartg (983688) on Tuesday June 20, 2006 @04:04AM (#15567489)

    I don't hate the stupid companies who loose SSN numbers, instead, I'm bothered on how we as a country got into this mess into the first place.

    I helped my parents this last week with a garage sale. During the sale, my mom noticed that an old table for sale had her SSN engraved in the wood! Why? Because back in the late '70s early '80s, the local police department told citizens to put a SSN on your assets in case they were stolen (Ironic, Eh?). She spent 20 minutes frantically trying to rub out her ID, she was visibly shaken.

    OK, I understand the need to pass SSN/Taxpayer ID information between the Social Security Administration, IRS, Banks/Credit Unions, and your Employers.

    The real problem is that there are so many other business segments who need to validate your identity, that they have piggy backed usage of the SSN as the de facto form or Identity verification. This is the real segment that needs to change their behavior!

    • Companies like Comcast who insist on the last four digits of my SSN to call the help desk?!?!
    • Universities who use the SSN as a student ID number.
    • and most importantly, Credit reporting agencies [wikipedia.org] who base consumer credit scores on unverified [wikipedia.org] data.

    I mean, how hard is it to go into the local Car-Toys, order a bitchin' stereo on zero money down, and forge the credit application with a stolen SSN and other personal info? And the problem is not just limited to your SSN! Your credit card number(s) have the same problem. If you know the number, expiration date, and Security code on the card, that's all it takes for many purchases over the phone or internet.

    The real problem in our modern society is identity verification. Anyone who has ever forgotten a password to a website (what is up with all the different password complexity rules?), everyone who has ever wondered if that waitress is taking so long is because she is ordering a new dress from Victoria's Secret on your card, and everyone who wondered why their bank insists on a utility bill to verify your place of residence due to a clause in the "Patriot Act". You know what I'm talking about.

    IMHO, what we really need in this country is not a credit score, but an identity score for identity(ies) that are independent from our SSN/Taxpayer ID (not government controlled, sorry). If I purchase a candy bar with a credit card, the level of identity verification required is low, if I purchase a new car with a loan, then I suspect the level of identity verification would be much higher! The credit score should be weighted against the integrity of the identity given too. If someone fills out a credit application with just a name, address, and SSN, then the chance for fraud is high, and the integrity of the information is low. If the person supplies a trusted smart card certificate, with a complex PIN, along with some other kind of biometric data, then the integrity is much higher.

    <Sigh...>

  • WTF! (Score:3, Insightful)

    by Chanc_Gorkon (94133) <gorkon&gmail,com> on Tuesday June 20, 2006 @05:38AM (#15567735)
    WTF are people thinking?? I have a corporate laptop myself and there is NOTHING on it. No files with hundreds of names and SSN's on it. NOTHING. I could totally SCREW my hard drive and would loose nothing of value to the company. I could have my laptop stolen and there would be NO data of value to anyone on it(go ahead....take my pictures, I don't care). Anytime I need to work, I remote desktop to my desktop which, other then non secure departmental info, has NO COMPANY RECORDS ON IT! Granted, we have no policy that specifies what is ok and what is not ok. The problem is usually NOT the computer guys in this situation....it's clueless users trying to do a little work at home and WHUPS.....the laptop gets ganked....

    Few things....

    1. Treat the laptop like it's your own. Make sure it's always in a safe place. If you have to park in a shady area, take it with you.

    2. If you absolutely MUST have data on the laptop, it should be corporate policy that the file is encrypted and passworded. The compny needs ot invest in security software. Maybe something that trashes the file once the password has been entered incorrectly more then 3 times.

  • Don't give it. (Score:3, Informative)

    by nuggz (69912) on Tuesday June 20, 2006 @06:19AM (#15567841) Homepage
    In many cases the organization doesn't need the information, so don't give it.
    Make it illegal for them to ask.
    FYI it isn't clearly illegal to ask for a SIN in Canada. But organizations can't collect information unless they have a legitimate reason to use it.

    http://www.privcom.gc.ca/cf-dc/2001/cf-dc_011105_0 2_e.asp [privcom.gc.ca]
    http://laws.justice.gc.ca/en/p-8.6/258076.html [justice.gc.ca] see 4.4.1

    That same law has a series on data protection, and your right to see the information they hold. A little vague, but I think the intent is clear. It would be interesting to see how many cases have proceeded.

    I would like to see them add a notification requirement.
  • by Feebleminded_Genius (950911) on Tuesday June 20, 2006 @10:10AM (#15569397)
    [shameless showoff plug] I work for an insurance company that handles large ammounts of personal data who, contrary to the current trend actually cares about data security on our laptops. I am absolutely an advocate of holding companies responsible for data theft, particularly given the options available to safeguard against it. We recently implemented hard drive encryptions software, and the implementation start to finsh took less than 2 months. It was a rediculously easy step to add a solid layer of security in the event that a laptop is stolen. The fact that this is not more widely adopted points to laziness and indifference on the part of corporate America. [/shameless showoff plug] What disturbs me as much as the frequency in which this "data loss" happens is the growing attitude that people should react to this merely by putting a hold on their credit and waiting it out. For the love of God people, when this happens to you STOP DOING BUSINESS WITH THESE INSTITUTIONS. By simply waiting it out, you are sending the message that security of personal data really isn't that important. Where's the benefit for profit-churning corporations to change their security model if loss of data does hurt them in any way? Now, if people started fleeing from companies that lost their data, then the message to rich execs would change to "Hey, if you customer data gets stolen, you will lose market share." That is guaranteed to produce a reaction. Pass the laws, avoid companies that don't secure their data, and we may actually be able to change something here.

Line Printer paper is strongest at the perforations.

Working...