Thursday, February 23, 2006

Strict Privacy Liability in Financial Data Breaches

Strict liability for data breaches?
This excellent piece by SecurityFocus' Mark Rasch reviews a court case in which half a million people were exposed to identity theft, credit ruination and financial humiliation because a single laptop computer was stolen from the home of a financial analyst working as a consultant to a financial institution. (Court case here) The court found that no harm had been done.

As in so many computer theft cases, there is no immediate proof that any of the personal or financial information has actually been used. The data is at risk of abuse only if the burglar is sophisticated enough to recognize the value of what is on that computer and finds a way to sell it to an identity theft ring, and so, the reasoning goes, there is simply no proof that any harm has been done.

The possibilities for serious crime are numerous. Some are more likely than others, and some, although far-fetched, are entirely realistic. In one scenario, the financial analyst could be tired of crunching numbers and might prefer a tropical beach hut to his suburban Maryland home.

He might have come in contact with the head of a sophisticated identity theft ring, who offers him large sums of money to leave his laptop containing detailed personal and financial records of 550,000 people unlocked, unencrypted and available on his home office desk when he leaves home at a specified time and date.

He'd just have to file a police report for the burglary, book a flight to Tahiti and take a vacation. He could return to work tanned, relaxed and happy in a couple of months.

This scenario is a remote possibility for dozens of number crunchers and others in the finance industry, but it will NEVER be proven in court. The computers may be burgled by ignorant dimwits in need of a few items to fence to cover their next drug buy. They're happy with their haul and are loaded and flying high on their dope long before the machine is looked over by a slightly smarter crook in the back room of the pawn shop where the laptop ended up.

It may pass through the hands of half a dozen bad guys before it ends up, hard drive removed and copied, with a very savvy computer criminal who pulls the consultant's stored login credentials for the financial network out of that copy and uses them to reach financial data on thousands more people, all before the institution realizes what has happened and has the opportunity to revoke the access codes the consultant used.

At issue here is the clear fact that a financial institution that hires consultants working from their homes on laptops must be held strictly liable for all data breaches, thefts and resulting losses. Period.

There is no way the endless stream of losses will ever be dammed, and the seriousness of the duty to protect that data will never be understood, unless and until those holding personal financial information are held strictly liable for ALL losses suffered through abuse of data they once held. The Gramm-Leach-Bliley Act directs the federal regulators of financial institutions to ...

establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards - (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Yet when data is breached (or, as in this case, innocently lost to burglary) there are no consequences for the financial institution or for the careless consultant who left unencrypted financial data on half a million people sitting on his desk in a highly portable laptop, instead of in a remote, secured data center, encrypted and guarded.
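The two points above, that a copied drive gives up everything in the clear and that stored network credentials on it are usable until the institution revokes them, can be shown concretely. The following is an added example, not code from the original post or from the court case: every customer record, the cached VPN credential, the "drive image" and the passphrase are constructed and fictitious, and the encryption is a textbook HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so the script runs on the Python standard library; it stands in for whatever full-disk or file encryption a real deployment would use.

```python
"""Carving PII and credentials from a raw drive image, in the clear vs. encrypted at rest.

Added example, not from the original post. All records, the credential, the
image and the passphrase are constructed (SSNs and account numbers are made up).
"""
import hashlib
import hmac
import os
import random
import re
import struct

# Constructed sample data: the kind of file the post describes sitting on a
# consultant's laptop, plus a cached credential for the institution's network.
CUSTOMER_RECORDS = [
    "Jane Doe,123-45-6789,ACCT 4000123456789012,Baltimore MD",
    "John Roe,987-65-4321,ACCT 4000987654321098,Silver Spring MD",
    "Ann Poe,555-44-3333,ACCT 4000555544443333,Bethesda MD",
]
CACHED_CREDENTIAL = "vpn_user=consultant01;vpn_pass=Spring2006!"
PASSPHRASE = "correct horse battery staple"  # assumed to exist only in the user's head, never on disk

# Patterns a thief (or an auditor) would run over a copied drive.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(rb"ACCT \d{16}")
CRED_RE = re.compile(rb"vpn_user=[!-~]+?;vpn_pass=[!-~]+")


def build_image(chunks, sector=512, sectors=64, seed=7):
    """Scatter chunks across filler bytes in 0x80-0xFF (which can never match an
    ASCII pattern). Stands in for a raw image of the laptop's drive: no
    filesystem, just bytes to be carved."""
    rng = random.Random(seed)
    image = bytearray(rng.randrange(0x80, 0x100) for _ in range(sector * sectors))
    for i, chunk in enumerate(chunks):
        off = (i + 1) * 8 * sector          # one chunk every 8 sectors
        image[off:off + len(chunk)] = chunk
    return bytes(image)


def carve(image):
    """What a copied drive gives up to plain regex carving."""
    return {
        "ssns": sorted({m.decode() for m in SSN_RE.findall(image)}),
        "accounts": sorted({m.decode() for m in ACCT_RE.findall(image)}),
        "credentials": [m.decode() for m in CRED_RE.findall(image)],
    }


def _derive_keys(passphrase, salt):
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]                 # encryption key, MAC key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (toy, but sound)."""
    blocks = (length + 31) // 32
    ks = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                  for i in range(blocks))
    return ks[:length]


def encrypt_at_rest(plaintext, passphrase, salt=None, nonce=None):
    """Returns salt || nonce || ciphertext || tag. Nothing in it reveals the passphrase."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_at_rest(blob, passphrase):
    """Verify the tag first; a wrong passphrase or a tampered blob is rejected."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def exposure_from_stolen_laptop(encrypted):
    """Carve a constructed image of the laptop's drive with the data stored
    either in the clear or encrypted under a passphrase that is not on the disk."""
    chunks = [r.encode() for r in CUSTOMER_RECORDS] + [CACHED_CREDENTIAL.encode()]
    if encrypted:
        chunks = [encrypt_at_rest(b"\n".join(chunks), PASSPHRASE)]
    return carve(build_image(chunks))


if __name__ == "__main__":
    for encrypted in (False, True):
        found = exposure_from_stolen_laptop(encrypted)
        print(f"encrypted={encrypted}: {len(found['ssns'])} SSNs, "
              f"{len(found['accounts'])} accounts, credentials={found['credentials']}")
```

Run in the clear, the image yields every SSN and account number and the VPN credential, which is exactly what the thief needs for the second stage the post describes, so the institution's only defence at that point is revoking the consultant's access before the copy is mined. Encrypted at rest under a passphrase that never touches the disk, the same carving yields nothing, and the thief is reduced to guessing the passphrase offline, which is why the passphrase strength and the key-derivation work factor matter as much as the cipher.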

The GLBA growls menacingly, but it is a toothless old dog, incapable of harming the crooks or the careless corporations handling, moving or transmitting that data, short of making them file loads of paperwork as a slap on the wrist.

Carelessness in handling financial data will never change until the industry faces a bigger threat of loss for treating that information so cavalierly that it is allowed to exist anywhere but in Fort Knox-like, remote and secured data centers. Until the financial industry and all its minions face the threat of substantial financial harm, there will be endless, ever-flowing data breaches leaking from hundreds of unsecured sources.

posted by RealitySEO at 8:18 AM

