Should Allowing A Massive Data Breach Be A Criminal Offense?

from the might-be-a-bit-extreme dept

Thu, Jan 3rd 2008 6:57am — Mike Masnick

Following some massive data leaks in the UK, some politicians there are considering a plan to make it a criminal offense to "recklessly or repeatedly mishandle personal information." Contrast this to the US, where courts have noted that there can be no finding of negligence if the data leak is never found to have been used by identity thieves (even if exposing the data was done through negligence or recklessness). Of course, this is a fine balancing act. Certainly, one of the biggest problems leading to these data leaks is that the companies that leak data generally just get wrist slaps as punishment -- meaning that it's more cost effective to be weak in security than to properly protect it. Adding the potential of criminal charges could increase the cost enough that people take security of private info a lot more seriously. On the flipside, however, it could also cause other problems. No matter what, some ingenious criminal somewhere will figure out how to get access to a dataset or some unimaginable combination of events will occur to lead to lost data -- and it seems unfair to throw someone in jail for that. If anything, it may scare off some very smart folks from taking jobs securing that kind of data, as the personal liability might become too high. In the end, making the punishment for companies screwing up makes sense, but potentially putting individuals in jail without it being clear and egregious acts of negligence seems like a bad idea.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: criminal offense, data leaks, security, uk

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

James Riley, Jr., 3 Jan 2008 @ 7:23am

Not a good idea...
I don't think it's a good idea to tack on criminal charges to something like this, because here's what would happen: the government would do what it always does and start regulating "how" secure systems need to be, setting a low bar for companies, allowing them to skirt around this further. Those that can't afford it would face closure/bankruptcy.
[ link to this | view in thread ]
Jack Sombra, 3 Jan 2008 @ 7:26am

Simple
Make it either the the head of the IT department at the very least or best the head of of the company who would have to face the charges if it is found that that the company was negligent at protecting the data if it is a case that either the company had no decent data protection policies in place and/or did not make sure said policies were enforced to a reasonable degree, not the poor sod on the ground who was just doing things the way he was originally told.

After the recent fiascos I know quite a few IT department heads who sent out emails/memos about securing data and nothing more, KNOWING not only that the emails would be ignored but that there were many operations within their organisations that were conducted in a stupidly unsafe manner because as far as they were concerned the emails were enough to cover their ass's
[ link to this | view in thread ]
that our shit is safe here, 3 Jan 2008 @ 7:31am

I pray every day
A disaster waiting to happen... It makes me wonder how stuff is at other places...
[ link to this | view in thread ]
Nick, 3 Jan 2008 @ 7:38am

Well, without such laws what are the incentives for companies and governments to look after data properly?

Seems to me that of someone takes my credit card data and stores it with inadequate safeguards it is deeply unfair for me to be liable for the consequences when it is completely outside my control. Particularly if it is a goivernment department - I can't take my business elsewhere, and it is often a criminal offence tnot to provide what they want!

While I accept that a skilled and determined attack might get thorough, I think I am entitled to be proteected from the crass incompetance seen here in the uk where unencrypted data is sent though the post with millions of credit cards on!

I work in a bank and there are plenty of procedures there to prevent accidental or unnessesary exposure of customer data, and to track and audit the necessary access.

This is not rocket science.
[ link to this | view in thread ]
Hoeppner, 3 Jan 2008 @ 7:41am

If we don't tell anyone, who would know. likely a companies exact thought. companies can go a few months even after a few users find out about before the news system would care to put it somewhere(IE. someother news output decides to finally put it up on their end).

there are very few ways to police the policy unless companies or a whistle blower opens their mouth.
[ link to this | view in thread ]
David, 3 Jan 2008 @ 7:59am

Wouldn't a clear and egregious act of negligence be comprised of "recklessly or repeatedly mishandl(ing) personal data"? It's not just incompetence, it seems that the wording of the proposal includes the requirement of wanton negligence.
[ link to this | view in thread ]
Anonymous Coward, 3 Jan 2008 @ 8:02am

Those at the highest levels should be the ones held liable/responsible for the security of the data. As a gut response criminal liability is appealing but, as been pointed out above, there are drawbacks.

Who should be held liable? It was suggested that the IT head be held responsible. Sounds reasonable as long as he has the actual resources available to effectivly secure things. I've worked in companies where the IT head DIDN'T have any real ability to affect, other than to request, what his budget really was. This wasn't just a small company either. There's a danger here of companies setting up what is essentially a scapegoat, all the responsibilities/liabilities but none of the authority.

Where should be the bar be set as to what is considered adequatly secured? If the government sets it it's likely to be an inadequate mismash of things that benefit special interests but is either ineffective from the start or will quickly become so.

Should the "secure enough" bar be set at 0 data loss? Sounds tempting, forcing companies to stay up with their security and the latest technologies. Problem with this is disgruntled employees who want to "strke back" at their bosses. Who should be liable in cases like this? How about the company who implements every available countermeasure but those current countermeasures aren't adequate to stop dedicated/advanced hackers?

As much as I'd love to be able to hold many of these companies responsible for their inactions in this area I'd need to see a lot more of how it would be implemented before I'd agree that blanket criminal charges are a good idea.
[ link to this | view in thread ]
Tom, 3 Jan 2008 @ 8:23am

Companies should absolutely be held responsible for mishandling my data. Things like having personal information on a non secured laptop that was then stolen.
And the government should definately set up regulations for it. Why? Because given the chance, every corporation *will* err not on the side of caution, but on the side of cost- the cheapest cost.
And who should be held accountable? Everyone who has a hand in the data.
Personal data should have the same restrictions as HIPAA does.
I am fed up with companies treating me, and my personal information, like I don't matter. So if they mess up, fire them.
[ link to this | view in thread ]
Elepski, 3 Jan 2008 @ 8:28am

The Japanese do...
I work for a company owned by the Japanese... the laws in japan hold the parent company at fault for any data leak and that trickle downs to all of it children companies... including its U.S. based companies.
[ link to this | view in thread ]
Sam, 3 Jan 2008 @ 8:30am

Maybe
But go to the core of the problem. Don't just follow the populist wave and always blame the visionaries at the top who give the company its value. Be willing to point to an incompetent employee at ANY level, even entry-level, and hold them accountable for their actions.

Too often, only those with a title are held accountable for their actions, while the rank-and-file stumble through and kill the company by a thousand cuts.
[ link to this | view in thread ]
william, 3 Jan 2008 @ 8:30am

yadda yadda yadda
Things are always much clearer in hindsight. No data leak, were doing great. Massive data leak, find someone to blame quick. Could acting negligently earn you a criminal record even if no data was lost? A law like this would only result in innocent people who were only doing their job getting railroaded. Of course people should be held accountable and protecting the personal information of customers should be held in the highest regard. But legislating it is not the appropriate response.
[ link to this | view in thread ]
Anonymous Coward, 3 Jan 2008 @ 8:37am

Security responsibility has to reside in the C suite. If it doesn't, then the company really won't take security serious. Policies have to be in place and enforced. If the top sales guy can get away with installing whatever he or she wants without facing discipline or termination, if the company isn't willing to fire top performers, then security will always be a joke.

The ultimate responsibility has to reside with senior leadership, otherwise the company will not invest the resources needed.

Adding criminal charges to security is nothing new, HIPAA did this quite a while ago.
[ link to this | view in thread ]
Rick O, 3 Jan 2008 @ 8:40am

Re: The Japanese do...
I kind of like that idea ... Corporate responsibility!
[ link to this | view in thread ]
Kevin, 3 Jan 2008 @ 8:51am

At this point...
I would be happy if companies were required to disclose how the info is used and whether it is stored. Twice in the past week I have discovered companies where I had used my credit card to purchase something online have stored my credit card details with no way of deleting that information.

First was Papa John's Pizza. I paid by CC once, and now every time I log in it allows me to charge my order to the CC that I entered on that one occasion without having to re-enter the number. I never saw anything about them storing credit card numbers of things were processed, and at the very least they should let me delete it.

The other was Trend Micro. I bought antivirus software from them a couple years ago. Then last year I renewed my subscription to their signature updates they apparently saved my credit card info. I got an email last week "reminding" me that my subscription would automatically renew in 7 days and it would be charged to the credit card that I had used previously. This was the first I had ever heard of it, and it did let me opt out of the auto-renew. But as far as I know there is no way to delete my CC# from their records.

Looks like I need to switch to a card that gives me one-time use CC#s.
[ link to this | view in thread ]
nipseyrussell, 3 Jan 2008 @ 8:54am

Re: yadda yadda yadda
"A law like this would only result in innocent people who were only doing their job getting railroaded."
BS - there are lots of things that people do in the course of their jobs that if done illegally would result in criminal charges. this shouldnt be any different.
[ link to this | view in thread ]
FAS, 3 Jan 2008 @ 9:36am

I think the government should at least say what kind of security to have at minimum. I like the idea of having some one accountable, if the actions were stupid. leaving unsecured data on laptops is stupid. One needs a decrypting program (AT MINIMUM)
[ link to this | view in thread ]
Just Me, 3 Jan 2008 @ 9:45am

Balance
There definitely needs to be some serious balance here. Yes there ought to be accountability but a knee-jerk reaction to security after-the-fact would not be the best course of action.
Thankfully the company I am in doesn't handle CC info or terribly personal data but if such a thing became law here I would probably start looking for a new job - I'm no idiot. If the s*t hits the fan and we were looking at charges you can be damn sure it would *not* be the CEO or even CIO that would take the fall (despite having little (read no) security).

It only becomes policy after it's a problem and if it were a matter of charges it would be pinned on the low man on the totem pole.

The only way I would be at all comfortable with this sort of law would be an extreme emphasis on the "repeated" and some method for allowing policy makers be held responsible for lack of security policy.
[ link to this | view in thread ]
Rich Kulawiec, 3 Jan 2008 @ 9:52am

As long as it targets Cxx's
The policy decisions to collect and retain data come from the top -- so it is those individuals who should be held criminally liable. I really don't have any problem with the concept, for example, of throwing every single C-level officer at TJX into a maximum-security prison for a few years. I'd be quite happy to toss out any number of low-level drug offenders to make room for them.
I don't think it would take too many object lessons before even the dimmest Cxx began to realize that the very best way to reduce the risk of data disclosure is not to collect and retain the data. After all, you can't lose what you don't have. This might do something to reverse the current trend, which is collect everything you can by every possible means including spyware (hello Sears), keep it forever, mine it, use it, sell it, lie about it, and if it ever leaks, issue a press release stating how seriously you take this issue.
[ link to this | view in thread ]
Michael, 3 Jan 2008 @ 12:07pm

Hold the CEO's accountable
We don't want to hold anyone but the HEAD of the company responsible, because it would be retarded to hold techs, with no control over purse strings and therefore less control over quality of security. Threaten some rich folk and things will get secure.
[ link to this | view in thread ]
ehrichweiss, 3 Jan 2008 @ 12:15pm

Re: Not a good idea...
You think this is bad because...??

Any company handling private information is already going to have the cashflow to afford to hire a security tech and purchase a few licenses for some encryption software. If they don't, they don't need to be in the business.

Health-related companies are already bound by HIPAA and that can be something as small as a single doctor, one-person billing agency, etc. but they all have to comply fully with HIPAA or face the same issues you describe.

The thing is, if they hire an incompetent security tech, they can pass off the blame onto the tech and then the tech has to deal with all the criminal/civil charges. If they simply neglected to hire a tech then they deserve the harshest punishment allowed(Balls, meet Mr. Vise).
[ link to this | view in thread ]
ehrichweiss, 3 Jan 2008 @ 12:18pm

Re:
Exactly!! If we treated financial data with the same respect as we now are "forced" to treat medical data(thanks to HIPAA here in the US), none of this would be an issue.
[ link to this | view in thread ]