I don't know if you've noticed, and you probably have, but there have been a lot of data breaches lately. Every single silly one of them works just like this:
- Company is negligent* with customers' data
- Company gets breached
- Company tries to sweep the incident under the rug
- Company gets caught/noticed/outed
- Company sends "Sorry" letters and a year's worth of credit monitoring to customers
That last step probably doesn't help you much, since you've already gotten 4-5 other letters like this in the past year or so and you already have all the credit monitoring you could possibly need, want or even stand. See, there is a key here that is lost on most people who happily accept this resolution and move on. The attacker who just took your data will use it for their own financial gain. Period. End of story. Full stop. These bad people don't raid databases and mass-compromise millions of machines because it's fun (although admittedly it can be, not that I would know) but because your pain is their gain. I hope that's crystal clear.
So this leads me to the next question my mind logically jumps to: what if you sustain monetary or personal damages from one of these many data breaches? Obviously it's next to impossible (usually) to prove which one of the many, many breaches your data was a part of, but even if you do ... what then?
Well, there are a few options you have:
- Hope you've bought identity theft insurance and you can get your life on track
- Hope your bank gives back all the money that was stolen (for a consumer account this is actually still fairly likely; business accounts get far less protection)
- Sue someone
- Be like 99% of the victims and do nothing...
Here are several sad facts we're facing in the immediate future (if you've not already experienced these):
- You will get several "We're [not really] sorry" letters from organizations who have your private data; many of which you shouldn't have given it to
- You will have your identity compromised, and receive bills or collections notices for items you never actually purchased (well "you" did, but not you...you know what I mean)
- These same organizations will not improve their overall security, many of whom see data breaches as a calculated financial risk and are willing to just deal with them
- The same organizations will continue to be industry-regulation compliant (*cough* PCI DSS *cough*) and hide behind that when you try to take action against them, even though a compliance attestation is a point-in-time checklist, not evidence that the data was actually secure
I really wish someone would introduce a bill that would make the victim (interesting word to call the organization which just made you the victim) of a data breach financially and legally responsible for how that breach affects each and every single person in their compromised pool. Of course there are the difficulties of proving that your losses came from any specific breach, etc, etc, etc, but at least this type of action would start to put the fear of God into these irresponsible organizations ... and then I woke up, right?
[steps off soapbox]