Sunday, September 12, 2010

100 Years of Credit Monitoring

[steps on soapbox]

I don't know if you've noticed, and you probably have, but there have been a lot of data breaches lately.  Every single silly one of them works just like this:

  1. Company is negligent* with customers' data
  2. Company gets breached
  3. Company tries to sweep the incident under the rug
  4. Company gets caught/noticed/outed
  5. Company send "Sorry" letters and 1 years' worth of credit monitoring to customers
Now, if you have gotten one of these "We're [not really] sorry" letters you probably have found comfort in the fact that the company who just lost your data to an attacker who will use it against you is going to pay for credit monitoring for you.


Probably not though, since you already have gotten 4-5 other letters like this in the past year or so and you've already got all the credit monitoring you can possibly need, want or even stand.  See, there is a key here that is lost on most people who happily accept this resolution and move on.  The attacker who just took your data will use it for their own financial gain.  Period. End of story.  Full stop.  These bad people don't raid databases and mass-compromise millions of machines because it's fun (although admittedly it can be- not that I would know) but because your pain is their gain.  I hope that's crystal clear.

So this leads me to the next question my mind logically jumps to ...what if you sustain monetary or personal damages from one of these many data breaches.  Obviously it's next to impossible (usually) to prove which one of the many, many breaches your data was a part of but even if you do ...what then?

Well, there are a few options you have:

  1. Hope you've bought identity theft insurance and you can get your life on track
  2. Hope your bank gives back all the money that was stolen (unless you're a business this is actually still fairly likely)
  3. Cry
  4. Sue someone
  5. Be like 99% of the victims and do nothing...
So then.  We've got a bit of a problem.  Namely - you the consumer are screwed.


Here are several sad facts we're facing in the immediate future (if you've not already experienced these):

  1. You will get several "We're [not really] sorry" letters from organizations who have your private data; many of which you shouldn't have given it to
  2. You will have your identity compromised, and receive bills or collections notices for items you never actually purchased (well "you" did, but not you...you know what I mean)
  3. These same organizations will not improve their overall security, many of whom see data breaches as a calculated financial risk and are willing to just deal with them
  4. The same organizations will continue to be industry-regulation compliant (*cough* PCI DSS *cough*) and hide behind that when you try and legislate against them
So then... you have 100 concurrent years of credit monitoring, no one to pay for the actual damages poor security of your data causes you -leaving you stuck with the bill (this is the criminal's money now), and nothing changes.

I really wish someone would legislate a bill that would make the victim (interesting word to call the organization which just made you the victim) of a data breach financially and legally responsible for how that affects each and every single person in their compromised pool.  Of course there are the difficulties proving that your difficulties came from any specific breach, etc, etc, etc - but at least this type of action would start to put the fear of God into these irresponsible organizations...and then I woke up, right?

[steps off soapbox]

1 comment:

Bruce Inman said...

nice post Rafal -- there is progress being made with both state and federal laws, but we have a long way to go -- the overall situation would improve if people would just take personal responsibility for their pre-breach protection by doing their own monitoring and putting a restoration ID service in place (not the "assistance" type plans)use promo code DPBI792D10 for a 10% discount at http://ID247.com

Google+