Shock: Identity Theft (Still) Often An Inside Job
from the just-realizing-this-now? dept
For years and years people have been pointing out that all those suggestions on how to avoid having your identity from getting stolen are pretty much useless considering how many ID theft scams are really inside jobs from companies who have access to all your data. So, of course, now that we’re seeing all of these massive data leaks (some accidental, some on purpose by inside employees), we’re hearing, yet again, that inside employees are one of the biggest issues in identity theft. Of course, if everyone has known this for so many years, how come no one’s done anything about it? All of these companies that let minimum wage employees have full access to all your data and trusted them not to be tempted when scammers offer them $10 per report should be held responsible for not putting in place better systems to protect your data. This isn’t a new problem by any means, and the fact that these companies chose to ignore it seems like negligence on their part.
Comments on “Shock: Identity Theft (Still) Often An Inside Job”
insiders and identity theft is no surprise
We have access to very 30,000 SS#s and full name/address #s and emails here at work because they are being used as identity #s for pretty much everything at work. A couple of employees in the postal dept. have already been busted for taking out credit cards in student and faculty names. The institution makes us sitting targets.
Why, yes, it IS negligence.
At least a Court of Appeals in Michigan says so.
No Subject Given
Our group processes all of the personal income taxes for a large state. Our employees are typically seasonal workers who we hire only during the peak processing season. Most of them are well behaved and take their jobs seriously, but we have had quite a few incidents of people trying to steal SS#, addresses, bank account numbers (direct deposit refunds). Our systems don’t protect the data well and management doesn’t see a reason to spend development effort to make it harder for an employee to obtain this information.
BTW, we are an outside contractor, not state employees. I suspect the only way we would improve our system is either by forcing us to accept full liability for any losses incurred or by legistrative changes within the state in question. I suspect neither will happen anytime soon. Especially the former as “losses incurred” is difficult to determine in an identity theft case.
On the Choice to Ignore and Negligence..
Eventually the law will be extended to deter this, imposing fines and/or imprisonment. Although it will take a few high profile thefts to occur to start the legislative ball rolling. Companies will come to be held liable for thefts of their data, even if they occur outside the jurisdiction of the U.S.
A collector of data will come to be defined as a ‘custodian of an instrument’, with instrument defined as something that could cause irreparable harm.
In the way a parent is responsible for leaving a drawer unlocked for a child to take a loaded gun, is the same as a collector leaving the drawer unlocked for a criminal to steal data; both the parent and collector are or should have been aware of the danger, in particular the likelihood of a crime being committed with the instrument, and accountability if a crime is committed with it (either the gun or the data respectively) as in this case both would be used as weapons to commit a crime.
The fact that the child may not understand what she is doing, whereas the criminal does is irrelevant. The point is the custodian of the instrument understands, and therefore is responsible, and that is what is relevant.