Bruce Schneier was quoted in the NYTimes today for an article on identity theft.
We need to do two things:
(1) Change from an "opt out" to an "opt in" culture
Because there is no law against it, everyone in the United States automatically opts in to the collection and sale of their personal information. Companies can collect, buy, sell and trade information about you such as your spending patterns, financial history, residence history, information about your dependents, income and medical history. Regulations such as GLB, HIPAA, and PCI say that companies must safeguard your personal information, but they do not restrict the collection and sale of it to others.
Today credit card companies investigate you to see if you've been paying your car bill or electric bill on time to see if they should raise your interest rates. It will get to a point where any information about you can be bought or sold for the right price. And this is all being done with your "permission" because you failed to opt out. (Many companies don't even give you the opt out option!)
(2) Make the company collecting your personal information liable if it is disclosed to others without your permission.
If a bank lost your money, would you not hold them liable? Why not do the same with companies that hold your personal information? If they became liable and risked fines, their mentality about keeping that information safe would change overnight.
Compliance requirements without teeth are not worth a thing. But the addition of deadlines and fines changes the risk equation. Now corporate CEOs need to balance the risk of a data compromise against the cost of compliance. If a compromise of one person's personal data were associated with a fine of even $1, then the CardSystems breach of 40 million data records would send a strong message to those who didn't find it necessary to properly secure the data entrusted to them.
Posted by volubis at July 12, 2005 06:49 PM