Saturday, July 02, 2005

Identity Infringement

I've read some of the recent stories about how companies have stored personal information such as social security numbers unnecessarily. Then a hacker or employee steals the data and sells it, putting millions of people at risk for identity fraud. (I've written about a similar topic here.) This is what I think should happen to the offending companies:

1) Any company that keeps personal information not central to its core business is held to a higher standard
  • You must be informed of what information the company is storing and how long they will store the information. For example, some companies like to run credit checks. I believe this requires a social security number (SSN). If the company holds on to the number after the check is done, they must inform you of it and become liable for it.
  • If for any reason your SSN is breached, the company must 1) notify you within 10 days, 2) pay you $100 for your troubles, and 3) pay to provide you with full credit reports from all 3 credit bureaus for the next 3 years.
  • If your credit card number or PIN is stolen, the company must pay you $50. (I don't think the company should be storing this at all.) But in theory, it's a lot easier to close down a credit card than to recover your SSN.
  • These conditions also apply to government agencies like schools who foolishly use an SSN as a personal identification number.
2) Any company that keeps personal information central to its business (i.e. banks have your SSN because they have to report taxes) must
  • Notify you within 10 days if they suspect your information has been breached
  • If an investigation determines the company has been negligent (data not encrypted or casually shipped via UPS), all the conditions for #1 apply.
I recognize that given a determined hacker, almost any computer system is vulnerable, but these companies have no incentive (other than bad publicity) to ensure your information is protected. Let's give them some.
