back to article Breach disclosure laws have 'no effect' on identity theft

Widespread information security breach laws in the US have failed to do much to reduce identity theft. The finding, by researchers at Carnegie Mellon University, comes as calls are growing in Europe to enact laws that would oblige organisations to notify customers in cases where their personal details become exposed. The …

COMMENTS

This topic is closed for new posts.
  1. kain preacher

    how to stop it

    Simple every time the have a data breach make them pay $1000 to every persons that had their data exposed. If the people become a victim of identity theft they company has to pay. If they don't pay up with in 30 days its a $1000 a day fine. The companies would be automatically responsible for the first two years. No proof needed it. The companies would have a liability for a total of ten years after the breach.

    Repeated offense would see the fine double.

  2. Anonymous Coward
    Anonymous Coward

    Is this a surprise?

    These laws are intended to protect consumers by alerting them to watch their accounts (and/or change their cards, etc.) The only way this would reduce the number of instances would be if companies were shamed into better security by the fear of having to go public like this. If anything the effect is the opposite, as the peers of companies that get pwned this way notice that the ground rarely opens them up and swallows them - exceptions like Choicepoint prove the rule. And shame is a weak motivator for beancounters and boards, compared with hefty fines of the loss of major amounts of custom. Strangely it's B2B companies that are more vulnerable to this, as they are more dependent on large customers, whilst Joe and Jane Public happily carry on shopping at TJX and, er, oh you know, that other company... the other day... the name escapes me... (Go on, name three companies that made such an announcement last year, without use of Google.)

  3. Anonymous Coward
    Thumb Down

    Yeah, OK

    Breach laws don't stop hackers, but people ought to know if they've been compromised! That the breachees don't think this information ought to be let out smacks of CYA.

  4. Herby

    Maybe not, but...

    The breach disclosure laws probably have an effect on the breaches themselves. If those who DO have data security breaches are forced to pay some $$$ for the act, I would assume (silly me?) that it is those companies best interests NOT to have said breaches in the first place.

    Fewer breaches makes for better security. This is a "good thing"

    "Identity theft" is another matter. Some people are just plain stupid when it comes to their OWN data.

  5. Andy Bright

    hahahahahahahahaha

    Or 'lolz' and 'roflmao' in todaze yoof speek.

    Yes, stunning conclusion. Telling people that their identities have been stolen and they're about to face years of hell trying to clean up their credit, is not stopping identity theft.

    Tell me, who actually thought just making a few businesses do nothing but admit they're shit at security was going to stop id theft?

    Hmm.. my bank tells me they've signed me up for a free alert every time the person who stole my identity rips me off. But only for the first year. After that I'll still be ripped off, but blissfully ignorant of the fact. Because nothing of actual use has been done.

    The only, and I mean only way to secure data that these companies are allowed to store is to make them bare the full financial consequences of losing it due to incompetent security or the use of inadequate software. If they don't have the tools to protect the data they're storing, after making them pay in full to clean up the credit of every customer affected, they should then be banned permanently from storing personal data. Again the punishment for failure to comply must be hard. Jail time for CEOs, who should bare the full responsibility for going cheap on IT. Quite happy to rake in the dollars selling personal data to marketing companies I'm sure, but maybe not so much if doing so means they lose everything.

    There should be no legitimate defense, no 'but it was the company I outsourced my data collection and storage that done it', no 'my minimum wage employee lost his unencrypted laptop' and no 'the user checked the box that said (under a mountain of legalese) it was ok to hold his data on an insecure database for the purpose of marketing when he bought xyz from us'.

    And it should not stop there. Cleaning credit won't give back the dollars/pounds you lose when you credit card interest rates skyrocket in the months your credit was shite. It won't pay back the dollars/pounds you lose when you're forced into a 'mortgage for the homeless @ 20% interest rates' in order to buy a home. It won't even pay back the dollars/pounds you lose when your insurance rates go up.

    So either those services and loans should be provided by the criminals in charge of the companies that lose this data or adequate compensation paid if they can't.. Does anyone else wonder about how often these are credit card companies.. makes you wonder if shafting your credit one week, and then raising your interest rate the next isn't.. well.. you figure it out.

  6. Anonymous Coward
    Anonymous Coward

    New words...

    Alas no, not new, but yet another word lost to the illiterate....

    "STAUNCH", I suppose there's some come back because of words like "stanchion", but really..

    Do Americans pronounce "STANCH" with a hard 'A' as they spell it, or as if it were "stornch" or even staunch, coming from French after all?

    More blood spilt in the aluminium war, was standardised spelling for nought?

  7. Chris C

    Illogical survey

    The survey says there doesn't seem to be any evidence that the laws reduce identity theft. How do they know? Life is not a computer simulation. We cannot hit the reset button, go back to a known position, change the parameters, and restart. We also connect predict the future. As such, it is literally impossible to compare the current state to a future state that did not occur. But enough pedantry. I would, however, like to point out that at least some companies are (or at least appear to be) somewhat less than truthful about the extent of a breach. TJX comes to mind. Was it 15 million cards? 45 million? 85 million?

    Having said that, am I the only one who finds this survey illogical? Why would anyone think that reporting a data breach could somehow prevent identity theft? The way to prevent identity theft (in these cases) is to *PREVENT* the data breach. The purpose of reporting a breach is to alert people so they can keep an eye on their credit card statements, credit report, etc. Thankfully, I've never been a victim of identity theft, but it stands to reason that it's easier to dispute issues (credit card charges, fraudulent applications/loans, etc) when you have proof that your information was illegally obtained (as opposed to you saying you don't know who authorized the charges, applications/loans, etc).

  8. Dan
    Unhappy

    @kain preacher

    Hmmm, nice idea for an automatic fine, but then what happens to the disclosure itself? The culprits merely work harder at denying the breach ever existed, and hey presto, it's the same effect as never having the disclosure law in the first place, surely? Happy to be corrected if I'm mistaken...

  9. John
    Stop

    Duh that's because the laws aren't supposed to!

    "There doesn't seem to be any evidence that the laws actually reduce identity theft"

    Well it's a logical fallacy, namely absence of evidence is not evidence of absence (of efficacy), however let's assume they're correct ...

    The breach disclosure laws were designed to promote two objectives

    1) Tactical - Alert potential victims to be on their guard, more than usual.

    2) Operational - Threaten the branding of a company to encourage them (and others) to invest in prevention solutions.

    Arguably a reduction in ID theft could be considered strategic objective, but the enemy is not static and will adapt.

  10. Nigel
    Thumb Down

    Making laws won't help, period.

    Once your personal data is in a database, it'll get out. This is as much a truism as saying that a flat roof will, sooner or later, leak. Laws telling database owners that they must work in accordance with best practice wil only slow down the inevitable (and probably not by much).

    Suppose you could prevent every instance of non-encrypted backups or reports going astray. Prevent every instance of external hackers getting into a server. Prevent every theft of the database hardware itself. The data will still be vulnerable to a corrupt employee authorised to access the data. If it's worth £x to a criminal, it's worth £x/2 to bribe him. Of course, blackmail probably works even better, and organised crime has very good sources of info about things people don't want their partners or employers to know.

    Once your data is out, there's no way to put the toothpaste back in the tube.

    Think very hard about what you tell people. If a retailer asks for too much and you can't just leave the fields blank, tell them that their intrusiveness lost them a sale. But the worst offender by far is the government. National ID database. Everything a criminal could concievably want to know about everyone, all in one place, with tens or hundreds of thousands of corruptible civil servants having access.

    Be paranoid. Be afraid. Be very afraid.

  11. Writebaby

    Car theft and ID Theft

    For an article on identity theft for the US, I once did my own brief survey of information on crime rates on a state by state in the US and there was a significant correlation with the % of car theft, basically, it seems, for the same reasons i.e. the younger richer generation had more and better cars and therefore was more likely to be a victim of car theft, ditto credit cards and bank accounts. The correlation also carried across the growth rates.

    To carry thorugh the analogy, being informed of data breaches probably has the same effect as a notice saying, "Be aware, car thieves are working in your area".

    Moreover, there is a failure to distinguish identity theft and credit card fraud i.e. there is a difference between someone knowing a set of plausible (not necessarily completely accurate) biographical details about you in order to establish an identity to use to set up fraudulent accounts and someone having a genuine knowledge of your bank or credit card details and carrying out fraudulent transactions on your account.

    The real prevention against ID theft is some kind of two factor/two channel authentication on setting up any account or loan i.e. you are registered with an independent company to whom you pay some kind of fee to maintain a check on your credit records on your behalf and they have carried out (in so far as they can) a set of strong identity checks on you and given you in return something like an RSA token and a pin. Then whenever you set up a loan etc you give the name of the company and your customer ID. The credit checking company checks back with you and you give the pin and one time code from the smart token to validate you did indeed take out the loan etc for that amount. While not unspoofable, it is enough to raise the level of difficulty to make most id thieves start to look elsewhere.

    P.S the words "self selecting sample" instantly say "bad science" - I should know, if I gave my PhD supervisor a self selected sample he would send round gentlemen of Sicilian extraction to explain why this is a bad idea - although apparently the Russians will do a bargain basement job of this

  12. Slaine
    Paris Hilton

    and in other news...

    Owning a cat doesn't change the weather.

  13. mbridge

    security knowledge gap

    The issue may be that the average consumer does not know what to do when their personal data is stolen. Getting a letter in the mail about a data breach may raise their level of concern, but not necessarily to the point of them doing anything about it. Even if they wanted to be safe they may not know the proper steps to take.

    Even some of the most well know "counter-measures" out there fall well short of the mark.

    We would expect the Government to step forward with a better identify theft campaign aimed at educating consumers. Instead people have to rely on Citibank ads telling them how secure their credit-cards are.

    www.mbridge.com

    http://www.mbridge.com

  14. Anonymous Coward
    Paris Hilton

    CounterMeasures...

    ... are, unfortunately, illegal. See half the rest of this forum, particularly the ones about encryption, passwords, phorm, BT, VM, filesharing, consumer rights, data protection, politics, police, CCTV, NASA, NRA, FIAA, EULA, Banking, Credit, online fraud, copyright, and anything with "m1cr0$h4ft" in the title.

    Icon, in honour of the way she measures her encounters.

  15. Writebaby
    Black Helicopters

    Countermeasures

    How are these countermeasures a) illegal and b) effective?

    Countermeasures from a consumer pov are procedural ie.

    a. check your bank and credit card transactions carefully and

    b. check your credit status on a regular basis and instantly query any services/accounts not requested by yourself

    Geeks and their technical countermeasures - this is the real world, not the matrix!!!!

  16. Anonymous Coward
    Black Helicopters

    blue pill taker...

    > it is an offense to deliberately withhold your password for encrypted data on your computer...

    > it is an offense to congregate in numbers greater than 5 to object...

    Banking transactions are NOT countermeasures taken by the consumer, they are coding within the webpage, acted out by the browser and the only information the consumer is supplied with is a pathertic little icon hidden out of the way that implies yoou are on a [secure] site.

    work the rest out yourself - I'm too busy shooting sentinals.

This topic is closed for new posts.

Other stories you might like