Resolved: Companies should have to pay you for data breaches

Just got another letter from a company where someone got into their system and downloaded my personal information. Their solution for my name and SSN being on the Dark Web now? A year on credit monitoring. Just to be clear, my credit card and bank both give me credit monitoring and now three companies (one of which is my employer) have given me more credit monitoring that I don’t need. I think part of the problem is companies don’t give a F because there are really no consequences. Remember the Equifax breach? That’s the only one I can recall where the company had to go to court and the Government (you know, the ones supposed to be on our side) actively worked to limit their liability. Have you cashed your $7.23 check yet? Or did you miss one of the numerous emails and so you didn’t even get that and got (wait for it) credit monitoring instead?

I say that at the very least with any data breach the company must pay you what it costs for your credit monitoring if you opt for it. But honestly I don’t think that should be enough. I think by law if there is a data breach and your data is stolen that it is a statutory $500 or $1000 per person for each breach and that those people are the first to be paid if the company files bankruptcy. The way it should work is I open up the envelope and read we had a breach and here is your check. If a company tries to hide it, then triple damages AND go to court for fines on top of that.

Maybe then companies will take data security seriously.

Could you please explain to a foreigner what “credit monitoring” means?

And I agree: A statutory $500 or $1000 per person for each breach would be a great idea. Especially if the persons included non-US citizens too. I don’t believe it is ever going to happen.

You know what? I honestly don’t know.
Do I get a letter when someone applies for a loan or a credit card? Well I got a new credit card after that and got a HELOC, none of which I was notified about in case it wasn’t me.

Amen.
And it won’t happen.
Congress works for Big Business, not for you & me.

Congress won’t do it, but big business would all be in favor (behind the scenes, that is). Every company suffers data breaches. Google or Facebook can afford to pay for that. Small companies can’t. Such a rule would effectively eliminate any competition in the US.

OR maybe a small company starts taking data security seriously instead. And maybe they don’t report it or we just work with large companies more or hackers target large companies more or whatever but all of my data breaches have been with large companies, not small ones.

I recently received a letter from one of my investments reporting a possible data breach, and offering me a free account with a credit monitoring service (whose name escapes me at the moment).

The thing is, I currently have a free lifetime account with MyIDCare as a result of a possible credit breach at my federal employment/pension records. I get occasional notices from them of possibly questionable activity on my credit record, as well as reports of registered sex offenders in my area.

According to this website, credit monitoring services do the below:

So, such a service could potentially help someone whose personal data has been stolen or compromised to know if they’ve become a victim of identity theft/fraud.

This is a very simplistic view. Securing a computer system against intrusion is a VERY VERY hard problem, bordering on impossible. Very few companies, certainly no small ones, can afford to have an NSA-level security team working to ensure that their systems are secure. And even if they did, they would still get compromised, by zero-day attacks and things like that. The only way to guarantee that a system is secure is to keep it offline, but that’s not feasible for many situations. And the reason big companies get targeted more than smaller companies is because their data is more valuable, not because they are more lax with security.

I emphatically disagree with the OP, for reasons I will now explain.

A social security number is a simple identifier. It is not a private passcode, it is not personal financial information, it is not, up until the last 30-40 years, something that was ever intended or even needed to be kept secret.

That is, until banks started giving out loans to anyone who could present them a valid social security number. In IT security, this is the equivalent of someone finding out your email address and using it to buy a car in your name. It is insane. Lots and lots of companies and organizations might need your SSN to report financial information to the IRS, and this is absolutely fine. The burden should not be on them to safeguard a public identifier to the degree that everyone has to now safeguard it.

The crime here is that our politicians have not put the burden where it belongs, which is forcing financial institutions to actually verify someone’s identity and not just taking someone’s SSN at face value. Yes, it is very convenient for consumers to be able to get credit nearly instantly. It should not be, nor should financial institutions be able to make absolutely bonkers profits on this completely insecure system of offering fast credit to anyone who knows 9 digits and a DOB.

Everything in this scenario is backwards, and this is a hill I will die on.

The main result of such a silly law would be that companies would no longer report any data breaches. And they would tighten all non-disclosure clauses in employment contracts, to make it very hard for employees to report any breaches.

So data breaches would still happen, but we (and the authorities) would seldom hear about them. How would that be better?

Also, big companies would separate out their IT departments into a different corporation, so any such fines would be owed by that corporation (which would promptly file bankruptcy). That’s a common legal tactic already.

What would the difference be if they didn’t report it? As it is now you get a letter saying
"We had a data breach and F you. Here more worthless data monitoring to add to the pile of data monitoring you already have.

P.S. F you"

Oh, bless your sweet lil’ heart; this will happen sometime between complete & utter peace in the Middle East being achieved, and pigs learning to fly.

But only after the Devil opens a sno-cone stand (e.g. hell freezes over).

Amen to all of this. “Identity theft” is just a polite way of saying that the bank stole your money. We entrust the banks to hold onto our money for us, but instead, they’re giving it away to someone else without verifying that those folks are us.

What about keeping passwords/other info in plaintext and not even hashing them.
Or my district where a person got a phishing email so decided to share their password.
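The contrast the post above draws, a password table kept in plaintext beside one kept as salted slow hashes, as an added illustration that is not from this thread. The user records, the passphrase and the PBKDF2 round count are constructed for the example.

```python
import hashlib
import hmac
import os

# Weak: the password itself is the stored record. Whoever reads the table
# (a leaked backup, an injected query, a careless admin) has every credential.
def store_plaintext(db: dict, user: str, password: str) -> None:
    db[user] = password

def check_plaintext(db: dict, user: str, password: str) -> bool:
    return db.get(user) == password

# Hardened: per-user random salt plus PBKDF2-HMAC-SHA256. The record holds
# only the salt, the cost and the digest; a leaked table yields no passwords.
PBKDF2_ROUNDS = 600_000  # assumption: a reasonable 2023-era cost, tune per hardware

def store_hashed(db: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db[user] = {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}

def check_hashed(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["rounds"]
    )
    # Constant-time comparison so a verifier does not leak digest prefixes via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))

def leaked_table_contains_password(db: dict, password: str) -> bool:
    """What a breach exposes: does the raw table dump contain the password?"""
    return password in repr(db)

if __name__ == "__main__":
    weak, strong = {}, {}
    pw = "correct horse battery staple"  # constructed sample passphrase
    store_plaintext(weak, "alice", pw)
    store_hashed(strong, "alice", pw)
    print("plaintext table leaks password:", leaked_table_contains_password(weak, pw))
    print("hashed table leaks password:", leaked_table_contains_password(strong, pw))
```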

I suspect very few of these security breaches are due to Anonymous/Nation-level hacking attempts. Most are probably dumbasses or companies not even willing to do the basics of data security.

I don’t think anything is ‘resolved’ here.

Yep.

We have frozen all our credit reports: Equifax, Experian, Transunion, Innovis, and ChexSystems. Yes, it is a bit of a pain when I need a credit report but that happens so infrequently that it is better to have peace of mind. In the couple years we’ve had our credit reports frozen, I have needed one of them opened once when we opened a debit account for our minor nephew. We’ll never get another line of credit so that may be the only time. For those that get new credit cards all the time to game the system, well, you’re on your own :wink:

“Resolved: blah blah blah whatever” is simply the traditional way to introduce a topic for formal debate. It explicitly means the topic is to be debated, not that it has been decided.

Yeah it’s dumb terminology, or at least terminology very unlike normal use of the same words. It comes from the idea that a specific actionable resolution has been introduced into a voting body e.g. under Robert’s Rules of Order, and it’s now up to the members to argue pro and con about it. And if this was real, to eventually vote the resolution up or down.

IOW, it’s waving the green flag to open debate. Not waving the checkered flag to signal a winner.