Why would any institution take the security of people's data seriously, if it takes a lot of resources, when all they have to suffer is to offer 12 months of free credit monitoring?
And they even have the audacity to call that Industry standard.
> Why would any institution take the security of people's data seriously, if it takes a lot of resources, when all they have to suffer is to offer 12 months of free credit monitoring?
Serious question from someone who takes their privacy seriously. What actual harms have we documented from these breaches?
I'm not a statistician, but I like brainstorming:
- Spearphishing and the consequences of such
- Persistent robocalls
- Wide net identity theft
- Targeted scam calls to family members
> I like brainstorming: - Spearphishing and the consequences of such - Persistent robocalls - Wide net identity theft - Targeted scam calls to family members
Actual, not hypothetical. Again, I believe this happens. But why is it so difficult to document?
It is hard to document and then sue anyone for a data breach. Now I have all the information needed for someone to open credit cards in my name (or assume my identity in general) from the following sources:
- My old university
- T-Mobile
- My health provider
Now if you try to sue any one of them, regardless of their mandatory arbitration, you would have to prove that the harm is because of this particular institution and not the others.
And the notion of identity theft is putting the blame on the people where the actual victims are the banks/dealers and not you. But it is easy to put the responsibility on you.
> if you try to sue any one of them, regardless of their mandatory arbitration, you would have to prove that the harm is because of this particular institution and not the others
No, you'd just have to show the first part. That they caused harm.
> the notion of identity theft is putting the blame on the people where the actual victims are the banks/dealers
This is a real problem. But I haven't seen anyone successfully tie a case of identity theft, even in part, to a particular breach.
Your second part is answering your first part. You did not see anyone successfully tie it to a particular breach because you have to show that it is because of this breach and not another breach.
These companies have deep buckets and will employ lawyers who have experience in squashing all the suits of this kind.
Edit: I have much less faith that your question in the beginning was serious with good intentions now.
> did not see anyone successfully tie it to a particular breach because you have to show that it is because of this breach and not another breach.
Again, this is not true. If two people steal your data, and you can tie the use of any of that stolen data to harm, they are each liable. The problem is in identifying the harms. Not calculating the attributed damage.
> companies have deep buckets and will employ lawyers who have experience in squashing all the suits of this kind
A multibillion-dollar payoff for lawyers and a wealthy plaintiff to get a class certified, and the answer is a conspiracy of corporate counsels?
> black market databases are often amalgamations of several data breaches
Sure. But why are these database operators' tradecraft so universally solid that nobody can back out attribution, including law enforcement when they search and seize them?
Mature response. Now actually think about it. If you solve this, you've solved the key barrier to incentivizing change. If you can't answer it, then security seems more like an aesthetic preference than a social problem.
Yeah I'm pretty unsold on any benefits. Who cares if anyone knows my health information. There was a time before HIPAA and I don't recall a lot of issues. I guess I should read up on the history that motivated it.
If that’s true then willingly open source it. Within a short time you’ll either be blackmailed, your identity stolen, or have your insurance premiums go up.
My insurance company already knows everything there is to know about my health history.
The other stuff, yeah I guess that could hypothetically happen, but how much of a problem was it really and is the cost of HIPAA worth it?
HIPAA, as I have read, was mostly about health insurance portability and eliminating things like losing coverage for pre-existing conditions when you changed jobs and insurance. All the privacy regulations were added by the Department of Health and Human Services after the law was passed.
I work in info sec. The emphasis is never on securing things but rather on "risk management"; the entire field of information security, from a business perspective, is the quote from Fight Club:
"A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one."
That is literally what the entire field exists for. Here's the kicker: the cost of X is so monumentally low right now, because there are no consequences for it other than firing your CSO (Chief Sacrificial Officer), that there is almost never a reason to issue the recall.
People knock it, but it's the best system in the world. Costs more per capita than anywhere else, long waits for specialists, doctors and nurses are overworked, and many have to fight insurance to get even basic needs covered.