karlmarx
join:2006-09-18
Moscow, ID

Time to hold these companies/agencies responsible

ANY company or agency that has ANY data breach must be punished to the fullest extent of the law. I'm talking about 1000.00 per record stolen fines. I'm talking about holding the executives of the megacorps responsible. I'm talking about holding govt workers responsible and firing them. Too often companies hire incompetents, don't pay them enough or train them enough. Too often companies outsource to 3rd world countries, where your personal information is sold by corrupt local people. This has to stop, and stop today. It's time to put the CEOs of these companies through the wringer, seize all their personal assets, and send them to jail for a long, long time. Until we jail the corrupt executives of these megacorps, the theft of personal information will never be stopped.

Mchart
First There.
join:2004-01-21
Kaneohe, HI

said by karlmarx:

ANY company or agency that has ANY data breach must be punished to the fullest extent of the law. I'm talking about 1000.00 per record stolen fines. I'm talking about holding the executives of the megacorps responsible. I'm talking about holding govt workers responsible and firing them. Too often companies hire incompetents, don't pay them enough or train them enough. Too often companies outsource to 3rd world countries, where your personal information is sold by corrupt local people. This has to stop, and stop today. It's time to put the CEOs of these companies through the wringer, seize all their personal assets, and send them to jail for a long, long time. Until we jail the corrupt executives of these megacorps, the theft of personal information will never be stopped.
While I agree with you on some level, that is not really fair. Just look at the list on that site. Many of those issues could have happened to even the most 'secure' machine. If a /real/ hacker wants to get this information, he is going to get it. The only way you can be 100% secure with this stuff (and even then someone could steal the hard drives off of the server) would be by having it completely removed from any network which touches the outside world. Which would send productivity through the drain if you were a company that needed to access this stuff all the time.

sporkme
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

said by Mchart:

Many of those issues could have happened to even the most 'secure' machine. If a /real/ hacker wants to get this information, he is going to get it. The only way you can be 100% secure with this stuff (and even then someone could steal the hard drives off of the server) would be by having it completely removed from any network which touches the outside world.
Security is not an "on/off" switch. Plenty of these incidents could have been made less likely to occur with better security measures in place. For example, look at the number of stolen/lost laptops and backup media. There would have been less of an issue in all of those cases had the data been stored encrypted.

This is really just an issue of poor management.

Persona
Premium Member
join:2004-07-07
Calgary, AB

Persona to karlmarx
I fully agree with you: hit them where they understand - the bottom line.
Corporations should be required to have and implement an IT Security Policy.
They need to train the computer-dumb on how to protect laptops that contain customer account info, and that info should never be sitting in plain text on a HDD.
Then we have the University of Ohio - looks like someone had a field day on their servers - now they've mandated 5.5-8 million dollars to correct that mess.
BarneyBadAss
Badasses Fight For Freedom
Premium Member
join:2004-05-07
00001

BarneyBadAss to karlmarx
Seems someone finally authorized my initial post Gezzz

wifi4milez
Big Russ, 1918 to 2008. Rest in Peace
join:2004-08-07
New York, NY

wifi4milez to Mchart
said by Mchart:

The only way you can be 100% secure with this stuff (and even then someone could steal the hard drives off of the server) would be by having it completely removed from any network which touches the outside world. Which would send productivity through the drain if you were a company that needed to access this stuff all the time.
Actually that is a very common misconception, and is incorrect. Some government agencies in NYC tried to do this in the late 1990s and found that it didn't work at all. The real problem is that when it comes to risk management (which is what this is all about), the real weak point is the people, not the network. At the end of the day people are the ones who take laptops home, leave passwords on their PC monitor written on a post-it, or talk about confidential information in public. Removing internet access simply makes things slower and more bureaucratic, and does NOT in any way make things safer or lower risk.
patcat88
join:2002-04-05
Jamaica, NY

patcat88 to karlmarx
Go to Europe, you commie.

kangabil
Do It Now, Do It Right
Premium Member
join:2005-05-15
Australia

kangabil to karlmarx
How do you fine an Indian clearing house for bank cards when they break the law?

An investigative piece in Aus. showed very explicit video of some help desk mongrel in Bombay selling bank card details right down to names, addresses and all security numbers and passwords and doing it bulk for a few dollars per card.

In Aus. mainland the problem is bad enough; outsourcing to another country, and good night privacy of any sort.

Answer: if your bank outsources its transactions, run away!!!!
BarneyBadAss
Badasses Fight For Freedom
Premium Member
join:2004-05-07
00001

BarneyBadAss to Mchart
The Honorable Richard C. Shelby
United States Senate
110 Hart Senate Office Building
Washington, D.C. 20510-0103
DC Phone: 202-224-5744
DC Fax: 202-224-3416

Senator Shelby,

I am writing to you because you are identified as being the chairman for the
Senate Committee on Banking, Housing, and Urban Affairs from the following web site:
»banking.senate.gov/index ··· ion.Home

I received a written communication from Chase Bank, dated September 18, 2006, signed by:

Harry F. DiSimone
Executive Vice President
Chase Bank USA, N.A.

A copy of all written communication as I received it is included in the fax data for your reference.

Please permit me to identify a few disturbing points from the letter and draw them to your attention. When I close the letter I will articulate what I consider minimum legislation which should be promptly considered and enacted for when these kinds of security breaches or issues occur.

The letter from Chase Bank begins (paragraph 1), “Chase takes very seriously its responsibility to handle consumer information with confidentiality and discretion at all times. Unfortunately, we recently discovered that computer tapes that contained personal information about you such as your name, Circuit City credit card account number and Social Security number were mistakenly identified as trash and thrown out.”

The letter went on to say ( in paragraph 2), “There is no indication that any of the data stored on these tapes has been used inappropriately as a result of this incident. We deeply regret that this has occurred and apologize, and we want to take a prudent approach in safeguarding your personal information by letting you know of this issue and the steps you may take to protect yourself.”

The letter further states (in paragraph 3), “With the assistance of federal law enforcement authorities, we have conducted a thorough and extensive investigation of this incident and a search for the tapes. Although we have been unable to locate the tapes, we believe they were compacted, destroyed, and taken to a landfill where they were buried. There is no indication that anyone accessed or used your personal information as a result of this issue and our continuing review of your account has not revealed any suspicious activity connected to this incident. You may continue to use your account as you normally would.”

The letter continues with (in paragraph 4), “To be extra cautious in protecting your personal information from any future, unauthorized activity, we will continue to monitor your account. We will contact you if we detect any suspicious activity. Of course, you are never responsible for unauthorized charges that are made to your account. We also want you to know that we have reinforced our procedures and training to ensure the proper handling of information.”

Finally the letter concludes with (from paragraph 5), “Also, to further protect you, we are offering you the opportunity to enroll in Chase Credit Alert for one year at no cost to you. This service provides an extra level of security to you by offering:

• Daily notification from TransUnion of new accounts opened in your name, or certain derogatory information about you reported to TransUnion.
• Quarterly notifications when no changes to your credit bureau have taken place.
• $10,000 in identity theft insurance.

To enroll, please complete and return the enclosed Enrollment Form no later than November 1, 2006.

Again, we apologize for any inconvenience this has caused you and want to assure you that we are here to help you. We have no greater asset than your trust. Please do not hesitate to contact us if you have any questions regarding this matter. We can be reached, toll-free, at 1-8xx-yyy-zzzz from 7 a.m. to 12 a.m. (EST) seven days a week.

Sincerely,

Harry F. DiSimone
Executive Vice President
Chase Bank USA, N.A.”

Response to Paragraph 1 from letter (above).

Using sophisticated document processing software almost anyone can create documentation masquerading as official communication from any company, including letterhead and signatures, and mail it to consumers. Consumers cannot with any confidence verify the authenticity of the communication from the communication alone. The only guarantee a consumer has is that they received written correspondence that may or may not be fictitious. While it’s nice to see some organizations are taking the necessary steps with customers that represent the organization’s commitment to protecting the consumer, numerous aspects are woefully inadequate.

Included with the letter should have been a new credit card account requiring activation. If nothing else, the customer would have a real sense the correspondence is legitimate and the company is directly taking every possible step to safeguard the consumer. This should be a mandated “must complete activity” in any federal legislation.

Response to Paragraph 2 from letter (above).

This is a nice sentiment to the consumer, yet it cannot be confirmed. The web site: »www.privacyrights.org/ar ··· ches.htm indicates the data loss was made public on or about September 7, 2006 with up to some 2.6 million potential accounts / individuals. It is understandable that companies losing individuals’ private and sensitive data would prefer not to expose the exact date of the loss, but a reporting date followed by a letter informing the consumer only 9 chronological days later does not provide any statistical basis supporting the claim articulated in the communication. It’s likely these accounts could be abused at any point in the future. Again, having legislation mandating new cards be distributed along with the notification would take that extra step towards protecting the consumer and should be included in any legislation pertaining to losses of personal data as was identified in this communication.

Response to Paragraph 3 from letter (above).

This paragraph clearly identifies federal law enforcement authorities were notified personally sensitive data had been lost. The communication includes the following statement:

“Although we have been unable to locate the tapes, we believe they were compacted, destroyed, and taken to a landfill where they were buried.”

While it is commendable to disclose what is believed to have occurred (“compacted, destroyed and taken to a landfill for burial”), this sentence, because of its formulation, implies this sequence (compaction, destruction, transport to a landfill and burial) would be an otherwise normally acceptable practice.

While the language in the communication made perfect sense to the initial authors and perhaps the legal counsel for the company, the information is completely inadequate when attempting to place any fears the consumer has at rest. The communication does not contain any reference to whether or how the data on the tape was encrypted. The conclusion a consumer should draw is that the information on the tape is in the clear, and consumers should be very concerned if the tape ever surfaced. Federal legislation should be enacted mandating that companies shall report to consumers, in conditions where sensitive private personal data has been compromised, whether or not the data was encrypted with industry accepted encryption technologies. This would certainly set a level of expectation for the consumer whose data was compromised.

Response to Paragraph 4 from letter (above).

Should a consumer be damaged because of a data loss like this, the only statement pertaining to financial and perhaps credit status restitution is that the consumer would not be responsible for unauthorized charges to that credit card account. Recall, when the communication was distributed initially, a new credit card requiring authorization was not distributed. Federal legislation needs to be implemented such that should other accounts be opened, or other accounts be fraudulently charged, the organization responsible for the loss will solely bear the full legal responsibility to make the consumer whole.

The sentence in this paragraph that is truly ominous is, “We also want you to know that we have reinforced our procedures and training to ensure the proper handling of information.” It implies procedures were / are not stringent enough, so this problem should never have happened. The above sentence tends to further support the likelihood that the compaction and physical destruction of tape media was not performed prior to the tape being placed into the landfill. Thus, some possibility exists that the physical tape exists in its entirety to this day. While errors are likely to always occur whenever humans are involved, it appears on the surface that no federal legislation exists which mandates all data tapes shall be physically destroyed prior to being thrown out or otherwise discarded when any potential exists that private sensitive information may have been placed on any tape media.

Response to Paragraph 5 from letter (above).

Chase has reiterated time and time again their commitment to ensuring adequate protection mechanisms are in place to protect the private, sensitive customer information. Then they go on to “offer” consumers an “opportunity” to enroll in a “Chase Credit Alert” program at no cost. Then comes the following sentence, “To enroll, please complete and return the enclosed Enrollment Form no later than November 1, 2006.”

What does the enrollment form contain? (copy included in fax packet) That’s right, they want the consumer to enter their SSN, name, address and signature all in the clear, then use a business reply envelope to return the form, once again placing the consumer in a position where their personal and sensitive data could be compromised. If the mail is not delivered on time the consumer loses the offered protection. If the mail is lost and subsequently obtained by someone with illegal activities in mind, then the consumer has given the data out unwittingly. There is no assurance how this piece of data will be handled once the company receives it. Some potential exists this information could simply end up in a garbage receptacle. This single action is inconsistent with the stated goals of taking every possible action to protect the consumers’ information.

Finally, a 1-8xx-yyy-zzzz phone number is presented for consumers to contact Chase with questions. The problem here of course is, if the document is not legitimate then there is some likelihood the 1-8xx-yyy-zzzz phone number is equally illegitimate and should be treated as suspect. It is paramount when communications like this are sent to consumers that they are presented with an (area code) phone number, which the consumers can validate by calling information in that area code prior to contacting the organization. Anyone can set up a 1-8xx-yyy-zzzz phone number, thus a potential exists where a consumer could unwittingly be duped.

Thus, federal legislation needs to be enacted that when consumers are contacted with communications about exposure of sensitive data; these organizations are obligated to automatically enroll the consumer into these protection plans with no necessary action being taken by the consumer. If the organization requires a signature, then, put codes on the form which can be resolved by electronic means without the necessity for sensitive data being exposed in the clear again.

In closing; these are the modifications to federal legislation which are believed to be necessary:

• Included with any communication pertaining to potential data loss regarding any bank check card, credit card or other commercial instrument used in the process of financial transactions, the communication shall include a new bank card, credit card or other commercial instrument account requiring activation. This should be a mandated “must complete activity” in any federal legislation.

• Federal legislation must be enacted mandating organizations shall report to consumers, in conditions where sensitive private personal data has been compromised, whether or not the compromised data was encrypted with industry accepted encryption technologies.

• Federal legislation must be enacted mandating that all data storage devices shall be physically destroyed prior to being thrown out or otherwise discarded when any potential exists that private sensitive information may have been placed on any storage media.

• Federal legislation must be enacted mandating when consumers are contacted with communications about exposure of sensitive data; these organizations are obligated to automatically enroll the consumer into these protection plans with no necessary action being taken by the consumer.

• Federal legislation must be enacted mandating organizations responsible (negligent or accidental) are solely liable for restoring consumers’ credit status and any financial obligations presented to consumers.

• Federal legislation must be enacted mandating organizations have verifiable processes which can be reviewed to satisfy compliance of correct destruction of all data media.

• Federal legislation must be enacted that imposes severe penalties when any personally sensitive data is lost, illegally obtained, misplaced or stolen from organizations, regardless of whether the information is on storage media, in a software process, a telecommunications process, or written communications or documents. These penalties must start in the $500 million dollar range and increase by a minimum of $500 million dollars for each subsequent occurrence.

• Federal legislation must be enacted imposing on the Chairman, CEO or Director (in the case of a government agency) felony charges as well as no less than 5 consecutive years imprisonment at federal “Super Max” institutions.

• Each individual affected is afforded the right to hold all businesses legally and financially accountable for any damage to the individual, as well as being able to collect monetary damages at no less than the hourly wage of the person at the top running the organization (Chairman, CEO or Director in the case of a government agency) for each full or partial hour the individual affected can document they were involved with the organization attempting to resolve any issues as a result of being harmed.

After reading much of the legislation (enacted or pending) it appears none of the above requirements are included in any legislation. The root problem in my opinion is businesses and government organizations believe they have the right to demand and use this information in any way they choose with no enforceable penalties to the leaders of the organization. It is the leaders of these organizations who are responsible for making and setting business decisions pertaining to any loss of personally sensitive data.

Please feel free to contact me for additional discussion.

Yui Op
@unknown

Yui Op to karlmarx
The Privacy Rights Clearinghouse Chronology page says "Most of the breaches summarized on this page have been obtained from the Dataloss list-serv which in turn provides links to news stories about breaches." They go on to say that Attrition.org (owners of the Dataloss list-serv) and PogoWasRight.org are now collaborating to provide this up-to-date information about security breaches, but Privacy Rights Clearinghouse rarely if ever mentions Attrition.org and PogoWasRight.org in their published interviews.

guitarzan
Premium Member
join:2004-05-04
Skytop, PA

guitarzan to kangabil
quote:
if your bank outsources its transactions
Seize the entire assets of said bank after a security breach. Then from the bank's profits or bottom line deduct the restitution + interest to affected customer(s), in addition to $$$billions in fines. Followed by a year or so probationary period monitoring security upgrades and weekly security analysis, to be paid at the bank's expense, not the customers'. Apply this to all companies that handle financial or sensitive information.

INHCNN
join:2001-12-15
Lansing, MI

INHCNN to karlmarx
Life isn't black and white like that. There are many causes, and many faults. There are potentially situations where a company may have a security breach which was out of their control, hypothetically, to which they could deny fault. This is what judges are for. I agree with your disposition, but many questions have to be asked when a security incident occurs.

Just to prove that there's hope: Search (Google) for "Payment Card Industry". This nomenclature has flown around a lot at my place of employment lately, and the CC Companies behind it mean business, and they impose very stiff penalties per incident. Steps in the right direction...