Weak Fines Aren't Going To Stop Data Leaks
from the falling-short dept
The concept of “pretexting” — posing as somebody else in order to gain access to their personal information — got a lot of publicity when it was revealed that HP investigators used the tactic to spy on board members and journalists. However, it’s a problem that’s been going on for some time, and the usual responses to it gloss over the fact that wireless operators’ inadequate security is to blame for these leaks as much as any fraudster. Many attempts to enact or strengthen legislation in this area focus on people selling the information, rather than doing anything to force the operators to better secure their customers’ private data, but the FCC has proposed a $100,000 fine against virtual operator Amp’d for its shoddy safeguards to protect users’ calling records. The amount is a drop in the bucket for the company, or any other operator, and isn’t likely to do much in the way of motivation, since enacting better security procedures probably costs more than the fine. This is a big problem with pretexting, or other forms of identity theft: companies have very little motivation to do much to prevent it, since the costs of a leak are borne largely by the victims or third parties. Many companies, including the wireless operators, have been very successful with their PR efforts to make themselves look like victims here, and generate the public perception that hackers and criminals are the real problem, when corporate sloppiness, incompetence and disinterest are more to blame.
Comments on “Weak Fines Aren't Going To Stop Data Leaks”
Risk and reward. If the solution costs more than the fine so in the business sense, it would be stupid to fix the problem. Now, one of the things that does need to be considered is how many customers do they lose over the issue. That is the soft number.
How many people have stopped shopping at TJ Maxx?
Make no mistake- if a cracker steals your information, it’s the cracker’s fault. They are still responsible for their own actions, and just because the company didn’t make it hard enough doesn’t absolve a cracker in the least. I know you didn’t mean to imply otherwise, but it sure sounds like it.
Also, a one-time $100000 fine is nothing, but if the fine is enforced per incident it could get expensive very quickly if a company is overly lax.
Yeah, heck – so if someone offers 250,000 for some data… you could still make a 150k profit.
Why 'pretexting'? Why not privacy?
Why pretexting, why isn’t the argument not ‘privacy vs no privacy?’ Is it ok to have the information because you *work* for subsidiary of ATnT but not OK if you have to *pretend* to work for ATnT to get the info? Are employees of ATnT so much more trustworthy than others? Nah, I don’t think so.
I think the reason is this. A normal privacy vs no privacy argument runs,
#1 ‘I want privacy’
#2 ‘What are you doing wrong that you have to hide?’
#1 ‘If you’re OK with no privacy, show me your bank account’
#2 ‘Erm, if the FBI wanted to see it, that would be OK, but not you’
#1 ‘I am from the FBI, here’s my badge, let me see it’
#2 ‘…I meant to say FBI with a warrant or a national security letter’
#1 ‘That’s OK, I’m allowed to write NSLs, let me get some paper’
#2 ‘…erm no, I still rather not’
And that’s the crux of it, everyone wants privacy, even the people who claim they don’t, don’t reveal their telephone bills, bank statements or anything more than the rest of us.
By arguing for ‘pretexting=crime’ it lets the pro-privacy people score an easy point, and it’s something the anti-privacy people can go for without having to confront the contradictions in their position.