It's more than a house. It's an adventure.

Wednesday, June 21, 2006

2006, the summer of identity theft

Once again, data that identity thieves drool over has been compromised. That's at least the 4th time in the last couple of months it's happened. This is getting completely out of hand.

Companies just aren't accountable for this stuff. Not even a slap on the wrist, really. In some jurisdictions, they have to inform people whose data may have been compromised. Some laws place a limit on how many affected people it takes to trigger a notification. But by and large, companies don't pay any penalty for screwing this up. It's "whoops, sorry" and you're left wondering whether you're safe or not.

It's only a matter of time before every American is nailed by this. I've had the good fortune of only having a credit card number stolen once, and given how infrequently I used that card and the manner in which it was used, I think that person really just guessed on the number and got lucky. But I know my day will come. I safeguard my data, but I can't say the same for the other entities that hold it.

I posted the following as a comment on Slashdot last week, but I'm going to expand upon it. These companies need to see a real financial and time-cost impact to their lax approach to data security. Some people have suggested $1000 per affected person per lapse. But that's worthless. The money isn't significant to many companies. It's just not a punishment. The company writes a check after a years-long investigation and goes on their merry way. It doesn't repair the damage done. It doesn't protect those affected from further damage. The company's resources aren't consumed in a punitive way for their transgression.

Meanwhile, the people whose data was leaked are in a world of hurt. They're spending days, weeks even, calling banks, creditors, credit agencies, utilities, employers, insurance companies, etc. warning them that there might be fraudulent activity attempted in their name. Spending hours each week going over every little detail of their financial life, making sure that their credit hasn't been destroyed. Wondering if people are going to commit crimes in their name. But the company and people responsible for all this, they pay nothing. They don't have to care.

Here's what I want the company responsible for the information leak to be accountable for.

  • Contact all 3 credit bureaus and put a fraud watch flag on my account for at least 2 years, at their expense. I understand that today only I can make this request, by law. Amend the law to make this exception.
  • Contact every other institution the responsible company is aware of that I hold accounts with and inform them of the leak, and to watch for bad activity. For example, if my employer leaked my data, I would expect them to contact my bank (I have direct deposit, so they know the bank), the government (IRS), my 401(k) administrator, my health plan administrator, and probably a few others.
  • A simple method for me to report all expenses incurred cleaning up after the mess that the other institutions can't do themselves. I'll record my time. I want a fair hourly rate (my personal time is valuable), and payment should be swift (within 4 weeks of reporting, if reporting electronically).
  • A fine paid out not to the government, but to each individual whose data was lost. After all, they have those records, right? A flat amount disbursed to each person, at least $1000. Within 4 weeks of the information loss detection. Over and above the payment above.

I know, it'll never happen. But I can dream, can't I?
