
I think it's about time the US passes laws that any company that suffers a data breach is mandated to give identity theft protection for 1 year to people whose information was compromised.


Identity theft protection doesn't do anything; it isn't even "protection", just notification after the fact, and some agent will hold your hand.

Instead how about companies have complete financial liability? That way they'll need insurance, and their premiums will skyrocket if they get breached.


Nice idea, but in the end the consumer will be the one who pays for it.


If the market would bear a higher cost they would have already charged it. This can only hurt them, through competition, or just because people won't pay a higher price.


Or they'll move their business to providers that can operate at lower cost because they have more secure operations. The point is to expose the insecurity as a cost.


Screw identity theft protection. It's at best pointless and at worst a scam to get you to pay to continue the "protection" after the initial period expires.

They should instead have a minimum fine per-user that gets paid in cash directly to the impacted individuals. Paying $10 x 1M accounts would make businesses wake up to this problem much faster. Maybe even have the fine be tiered based on the level of data that was compromised:

    Email - $10
    Hashed Password - $25
    Plaintext Password - $100
    SSN - $500


Agreed. If one wants to change the business's behavior there has to be a financial penalty to incentivize them to get their act together. Currently, there's zero regulatory compliance required, with little to no impact on the company other than momentary bad PR that is notwithstanding.


I'm not sure that would do anything other than spur the companies to have an identity theft protection department.

I'd rather they give basic compensation to anyone with breached data (even if it is $10) in addition to covering the costs of anyone who had problems after the breach. The first year, I'd think it would be best if the consumer didn't have to prove it was their fault, as that could be too much of a burden for folks.

I'd give an exception for companies that went over and above on their own security and still got breached. After all, security doesn't make one completely safe (much like places can still get robbed), simply less likely.


If that were the case, by this point most of us would have lifetime protection.


I doubt that it would stack, though. It'd simply mean that the data protection companies got lots of money since more than one company would pay for protection for a single customer. If data breaches somehow stopped today, we'd all be without "protection" within a year.


That should be good for everyone because CEOs and company executives walk away and no one is held accountable.


I'll take laws just requiring transparency. I want to know exactly what happened, exactly what was taken, how much, exactly how the passwords were hashed, etc.

> T-Mobile declined to comment. "We don't discuss publicly how we encrypt passwords,"

That is unacceptable, data breach or not.


While I agree with the sentiment, everyone should have basic identity theft protection for free. SSNs should not be so insecure or should not be used, and the stuff the credit bureaus offer seems like a protection racket.


Make it life. The reason identity theft protection exists is because we have inadequate laws to sue these companies in the first place. If someone's identity gets stolen, the breached company should be fully responsible without the user having to file a lawsuit and pay a ton of money / spend a lot of time trying to fix things. Just to be clear, the breached company is typically the credit issuer or any party that allows unauthorized access to the wrong person. It's preposterous that the user has to pay for a mistake by the bank who gave a loan or other type of credit to an impostor. Make these institutions pay and fine them a percentage of their annual revenue up to a hundred percent. You'll see how quickly security practices change.


So if I'm in multiple databases, as we all are, and multiple ones get breached, which one is responsible when that happens?


Just pick it randomly from the breaches. Stuff happens often enough that it probably evens out to reflect those that leak more.


There is no such thing as identity theft protection. It's all snake oil.


1 year? Screw that. 10 years, minimum.
