Should Allowing A Massive Data Breach Be A Criminal Offense?
from the might-be-a-bit-extreme dept
Following some massive data leaks in the UK, some politicians there are considering a plan to make it a criminal offense to "recklessly or repeatedly mishandle personal information." Contrast this with the US, where courts have held that there can be no finding of negligence if the leaked data is never shown to have been used by identity thieves (even if the data was exposed through negligence or recklessness). Of course, this is a fine balancing act. Certainly, one of the biggest problems behind these data leaks is that the companies that leak data generally get only a wrist slap as punishment -- meaning it's more cost effective to be weak on security than to protect the data properly. Adding the potential of criminal charges could raise that cost enough that people take the security of private information a lot more seriously. On the flipside, however, it could also cause other problems. No matter what, some ingenious criminal somewhere will figure out how to get access to a dataset, or some unimaginable combination of events will lead to lost data -- and it seems unfair to throw someone in jail for that. If anything, it may scare some very smart folks away from taking jobs securing that kind of data, as the personal liability might become too high. In the end, punishing companies that screw up makes sense, but potentially putting individuals in jail without clear and egregious acts of negligence seems like a bad idea.
Reader Comments
Not a good idea...
Re: Not a good idea...
Any company handling private information is already going to have the cashflow to afford to hire a security tech and purchase a few licenses for some encryption software. If they don't, they don't need to be in the business.
Health-related companies are already bound by HIPAA and that can be something as small as a single doctor, one-person billing agency, etc. but they all have to comply fully with HIPAA or face the same issues you describe.
The thing is, if they hire an incompetent security tech, they can pass off the blame onto the tech and then the tech has to deal with all the criminal/civil charges. If they simply neglected to hire a tech then they deserve the harshest punishment allowed (Balls, meet Mr. Vise).
Simple
After the recent fiascos I know quite a few IT department heads who sent out emails/memos about securing data and nothing more, KNOWING not only that the emails would be ignored but that there were many operations within their organisations that were conducted in a stupidly unsafe manner, because as far as they were concerned the emails were enough to cover their asses.
I pray every day
Seems to me that if someone takes my credit card data and stores it with inadequate safeguards it is deeply unfair for me to be liable for the consequences when it is completely outside my control. Particularly if it is a government department - I can't take my business elsewhere, and it is often a criminal offence not to provide what they want!
While I accept that a skilled and determined attack might get through, I think I am entitled to be protected from the crass incompetence seen here in the UK where unencrypted data is sent through the post with millions of credit cards on!
I work in a bank and there are plenty of procedures there to prevent accidental or unnecessary exposure of customer data, and to track and audit the necessary access.
This is not rocket science.
Re:
There are very few ways to police the policy unless companies or a whistleblower opens their mouth.
Who should be held liable? It was suggested that the IT head be held responsible. Sounds reasonable as long as he has the actual resources available to effectively secure things. I've worked in companies where the IT head DIDN'T have any real ability to affect, other than to request, what his budget really was. This wasn't just a small company either. There's a danger here of companies setting up what is essentially a scapegoat, all the responsibilities/liabilities but none of the authority.
Where should the bar be set as to what is considered adequately secured? If the government sets it, it's likely to be an inadequate mishmash of things that benefit special interests but is either ineffective from the start or will quickly become so.
Should the "secure enough" bar be set at 0 data loss? Sounds tempting, forcing companies to stay up with their security and the latest technologies. Problem with this is disgruntled employees who want to "strike back" at their bosses. Who should be liable in cases like this? How about the company who implements every available countermeasure but those current countermeasures aren't adequate to stop dedicated/advanced hackers?
As much as I'd love to be able to hold many of these companies responsible for their inactions in this area I'd need to see a lot more of how it would be implemented before I'd agree that blanket criminal charges are a good idea.
And the government should definitely set up regulations for it. Why? Because given the chance, every corporation *will* err not on the side of caution, but on the side of cost - the cheapest cost.
And who should be held accountable? Everyone who has a hand in the data.
Personal data should have the same restrictions as HIPAA does.
I am fed up with companies treating me, and my personal information, like I don't matter. So if they mess up, fire them.
The Japanese do...
Re: The Japanese do...
Maybe
Too often, only those with a title are held accountable for their actions, while the rank-and-file stumble through and kill the company by a thousand cuts.
yadda yadda yadda
Re: yadda yadda yadda
BS - there are lots of things that people do in the course of their jobs that if done illegally would result in criminal charges. This shouldn't be any different.
The ultimate responsibility has to reside with senior leadership, otherwise the company will not invest the resources needed.
Adding criminal charges to security is nothing new, HIPAA did this quite a while ago.
At this point...
First was Papa John's Pizza. I paid by CC once, and now every time I log in it allows me to charge my order to the CC that I entered on that one occasion without having to re-enter the number. I never saw anything about them storing credit card numbers or how things were processed, and at the very least they should let me delete it.
The other was Trend Micro. I bought antivirus software from them a couple years ago. Then last year, when I renewed my subscription to their signature updates, they apparently saved my credit card info. I got an email last week "reminding" me that my subscription would automatically renew in 7 days and it would be charged to the credit card that I had used previously. This was the first I had ever heard of it, and it did let me opt out of the auto-renew. But as far as I know there is no way to delete my CC# from their records.
Looks like I need to switch to a card that gives me one-time use CC#s.
Balance
Thankfully the company I am in doesn't handle CC info or terribly personal data but if such a thing became law here I would probably start looking for a new job - I'm no idiot. If the s*t hits the fan and we were looking at charges you can be damn sure it would *not* be the CEO or even CIO that would take the fall (despite having little (read no) security).
It only becomes policy after it's a problem and if it were a matter of charges it would be pinned on the low man on the totem pole.
The only way I would be at all comfortable with this sort of law would be an extreme emphasis on the "repeated" and some method for allowing policy makers to be held responsible for lack of security policy.
As long as it targets Cxx's
The policy decisions to collect and retain data come from the top -- so it is those individuals who should be held criminally liable. I really don't have any problem with the concept, for example, of throwing every single C-level officer at TJX into a maximum-security prison for a few years. I'd be quite happy to toss out any number of low-level drug offenders to make room for them.
I don't think it would take too many object lessons before even the dimmest Cxx began to realize that the very best way to reduce the risk of data disclosure is not to collect and retain the data. After all, you can't lose what you don't have. This might do something to reverse the current trend, which is collect everything you can by every possible means including spyware (hello Sears), keep it forever, mine it, use it, sell it, lie about it, and if it ever leaks, issue a press release stating how seriously you take this issue.
Hold the CEO's accountable