Why am I responsible for their mistake?
June 6, 2006 11:51 AM Subscribe

Why should I be held responsible for companies "losing" my personal information? Don't you think that if they were responsible for it, there would be alot less identity theft?

I really have a major beef with this. There are instances in your life where you are forced to give away alot of personal info to certain companies; address, SSN, etc.

Then those entities "lose" your info, and all they have to do is tell you in a letter or email, sometimes months after the occurence, that your personal info "may have been" compromised. And that's it, the problem isn't theirs anymore.

I think that's totally bogus. If the laws were setup where they would be held liable, don't you think they would do more to protect your personal info?

A few examples to try and explain what i mean;

1) I get a letter from UCSD saying that my info from years ago may have been compromised, including SSN, etc. My sister who applied that year gets the same letter.

2) That lame scam where you get an email telling you to "update your cc info" that looks like it came from Chase, but didn't.....well, my sister fell for this one. Only it gets a bit interesting; she never ONCE recieved an email to this affect untill she actually ACTIVATED her new chase card. Now her inbox is innandated with them, so i would assume that this is an internal leak at Chase.

3) Personal Data of Millions of Borrowers Lost

4) Hotels.com Customer Data Stolen ....just becasue of a careless employee...happend mid Feb, customers infomed in May.

It happens constantly, everywhere, and it just keeps getting worse....So am i just supposed to live with this?? Just waiting untill someone who stole my SSN decides to use it 20 years later?

posted by TheDude to computers & internet (16 comments total) 1 user marked this as a favorite

Your sister's inundation may not be a result of a leaky Chase. Anyone who can get her credit history can see she has a Chase card. That's a lot of people, BTW.
posted by Kirth Gerson at 11:57 AM on June 6, 2006

Yes -- your sister's info was probably sold by the credit reporting agencies. They'll sell you out for a nickle.
posted by voidcontext at 12:12 PM on June 6, 2006

You forgot the 'add-on services' banks will sell you, for an extra charge, to protect you against 'future identity theft.' There's a word for that ...

Nothin but money talks. Do the research, find the non-retarded financial / banking institutions, and support them with your money. Support the few politicians proposing non-insane consumer protection bills, and people like the EFF.

When exiting the old institution, the customer service phone droid isn't going to care, but mention your specific beef with their policies. At least it'll be a tickmark in an Excel sheet somewhere, under "Consumers lost to our hypocritical policies." But that's about it.
posted by bhance at 12:13 PM on June 6, 2006

Define "responsible." If a credit card company suffers an out-and-out theft, why should they be held responsible if your information is used by the thief? Isn't the thief at fault here? Are you saying that all companies should have perfect security, always, everywhere? That's just not possible.

Moreover ... prove that the use of your information is directly tied to the specific theft at that particular credit card company. Your information could've been stolen by any number of people at any time previous to or after the theft at the credit card company.
posted by frogan at 12:15 PM on June 6, 2006

More to the point ... in our theft example, you would have to prove that the credit card company was negligent in how they handled the data. Meaning, they had identified a risk and failed to act in a reasonable fashion. Then you could conceiveably make a claim against them.

If someone steals my gun and shoots you, it's the bad guy's fault, not mine. You would have to prove I was negligent in handling my gun (e.g. I gave the gun willingly it to a known felon who said he was going to shoot you with it).
posted by frogan at 12:19 PM on June 6, 2006

Frogan, nobody is saying they should have PERFECT security. Just that they should be responsible when something in their care is stolen. If you borrowed something from a friend, and it was stolen, your friend won't hate you, since you had no control. But if you were a decent human being, you'd replace the item - you are taking responsibility.

Resonsibility = the ABILITY to RESPOND.

I agree with the poster. It's ridiculous to suggest that consumers should be responsible for the integrity of data that they are not responsible for the safekeeping of.
posted by luriete at 12:31 PM on June 6, 2006

Just that they should be responsible when something in their care is stolen.

You're talking about negligence, then. This is a legal standard which I'm sure is covered in excruciating detail on any contract you sign with any company of significant means.

You can't ask "shouldn't these companies be held responsible?" You have to ask "can these companies be found negligent in their contractual obligations."

AND THEN you'd have to prove that their negligence is directly responsible for damages.
posted by frogan at 12:36 PM on June 6, 2006

Security expert Bruce Schneier has spent a lot of time thinking and writing about this. Some of his recent posts on the subject are Mitigating Identity Theft, Identity-Theft Disclosure Laws and (in a round-about way) Aligning Interest with Capability.

His basic premise is what you have a beef with: banks issue credit without sufficient identification but consumers suffer, so banks have no reason to fix the situation.
posted by revgeorge at 12:56 PM on June 6, 2006

Just an aside on the Chase thing: that may have nothing to do with Chase's information at all. I have gotten that spam countless times, as well as similar ones claiming to be from SunTrust, Washington Mutual, Corporate America Federal Credit Union, and Credit Union 1, among others. I have never had an account with any of these companies. (I've also gotten the eBay/Paypal phishing spam - but never to the email address I actually have registered with eBay/PayPal.) I wonder if that's a case of the phishers sending it via blast to so many email addresses, figuring at least some have accounts with those companies.
posted by SisterHavana at 1:03 PM on June 6, 2006

Frogan points out that this is the current way the legal system works, but I assume submitter's ire is more due to the cleanup and recovery process being offloaded onto the consumer.

Most of these companies admit their responsibility. That they are only required to say "Hello, we just lost all of your private and critical financial information. Here is your notification letter. We now wash our hands of the matter" - this is the problem.

The gun theif in frogan's example is indeed the more responsible party. Does this make a gunshot victim any less angry when he hears the owner didn't properly secure his gun? No. And there are laws to penalize people for that sort of thing.

(I'm guessing that leaving a quarter million credit card numbers unencrypted and exposed to theft is indeed negligent behavior. But only being required to do the letter-notification, free-credit-report dance - it just isn't enough.)
posted by bhance at 1:14 PM on June 6, 2006

Imagine if we actually created a group of representatives from each state and county who we instilled with enough power to enact legislation to force these credit reporting agencies to allow us American citizens to be able to monitor our own credit for free and as often as we liked. Imagine if we had representatives that actually represented individuals and protected our rights like Congress represents the rights of corporations...
posted by any major dude at 1:57 PM on June 6, 2006

Dudes, you can do this without creating a formal group. It's called writing your representatives, and get your friends and fellow me-fites to do the same. Or go to The Petition Site, start a petition (for free) to the issuing companies and/or government representatives and get people to sign it. I would.

p.s. If you do start a petition, please post the link here so we can sign it. Thanks!
posted by ml98tu at 2:14 PM on June 6, 2006

In the one instance that I encountered professionally, the financial instituion in question was actually screwed by some idiot in an auditor's office, but still made good with the customers by providing a credit monitoring service (I think Equifax 3-in-1) for the customers that were exposed. If you personally have been or become a victim of ID theft through the negligence of an FI or one of its affiliates and/or vendors, then asking for at least this service for free is totally reasonable. It's not that they're not responsible for it -- they are -- but you as the consumer bear the brunt of the issue becuase it's YOUR credit that's possibly in the mix. It's not as if the FI will be borrowing against your personal credit, so they can't really be hurt by your particular bad credit. When something egregiously stupid, negligent, or malicious happens, the banks (and others like Choicepoint) can be and are sued for it, as well as (in the case of FI's) sanctioned by their regulators, which is almost always expensive and embarassing, and can also result in really fucking up your FI's business.
posted by Medieval Maven at 3:22 PM on June 6, 2006

Like Sister Havana, I have received (The Dude: note spelling of receive) lots of phishing attempts from banks that I have never had business with or, in some cases, never heard of. But, like TheDude's sister, I received a survey from Chase about a week after I signed up for a credit card with them and very nearly filled it in (they offered a $25 bribe and I am cheap) but, as they asked for my SSN, I checked and, sure enough it was a phishing attempt. There was no time for this to have been done through the credit reporting agencies. Till I saw this thread, I assumed it was just a lucky (for them) mail blast as mentioned by Sister Havana but, to paraphrase Oscar Wilde, once may be regarded as a misfortune; twice looks like carelessness (or worse).

On the subject of phishing, I have noted several recent attempts coming from small sites that have been hijacked - a Virginia Little League site, a small ISP, an English pub in Florence (Italy). Anyone else noticed this?
posted by TheRaven at 3:30 PM on June 6, 2006

Am I the only person on the internets who has never, ever been phished?

I feel left out.
posted by dirtynumbangelboy at 7:03 PM on June 6, 2006

I've been fished. I know I've been phished by both FIs I do business with, and those I don't. I am fairly sure I remember the ones that match more than the ones that don't! I usually send phishing attempts on to the named institutions (I'm old fashioned and still think of the 'netizen' concept).

I feel you have a valid point. However, I think frogan is pointing out the nature of liability law. If that is the case, then it is the law that needs fixing, so any-major-dude has the right of it.
posted by Goofyy at 6:29 AM on June 7, 2006

« Older Is throwing away organic matte... | Help me find a travel medicine... Newer »

This thread is closed to new comments.

Why am I responsible for their mistake? June 6, 2006 11:51 AM Subscribe

Why am I responsible for their mistake?
June 6, 2006 11:51 AM Subscribe