Saturday, February 06, 2016
Hold organizations responsible for their data breaches—help get a hearing for SB2485
by Larry Geller
I need to ask for your help in getting a hearing for SB2485 – a bill that should help reduce data breaches—and the identity theft that can result—in Hawaii. The bill gives anyone affected by the breach a legal course of action, and makes it more likely that an attorney would take up their case. The text of the bill is here.Your phone call or email to Sen. Baker urging her to hear the bill will help—please take a moment to call or email right away. Details are at right.
It should be clear that our personal data is increasingly at risk. Amazingly, children’s toys are being connected to the Internet—and there have already been serious flaws in security reported. Check it out in today’s Star-Advertiser if you have a copy, or see a version of the same AP story here: Something new to worry about: Connected toy security (AP, 2/2/2016).
When hackers exploit a security weakness we consumers seldom get more than an apology. Yet weak protection of our personal data makes hacking possible. Sure, the hackers are the criminals, but failure to protect the data entrusted to a company or organization is what enables the hackers to succeed.
If a delivery person leaves packages in a parked car in Manhattan leaving the windows open and then someone takes the packages, they are thieves, but what responsibility did the delivery service have for the theft? If your packages were taken SB2485 would let you go after the company to make good your loss. Just substitute “credit card information” for “packages” to get the idea of the bill.
A great example, and one that may have affected you personally (so please, make that phone call to Sen. Baker!) was the theft of customer information from the Star-Advertiser in 2014. Accounts differ about whether the data was inside or left outside of a storage locker when it was taken. KHON reported:
Sadie Groy, 30, and Tori Samiere, 54, are charged on a combined 14 counts related to identity theft and fraud.
According to police sources on April 4, a worker at a self-storage business found boxes left outside a locker rented by the paper.
At least one of the boxes had paper records on customers including credit card information.
[KHON, Two people arrested in Star-Advertiser ID theft case, 6/5/2014]
So the perpetrators of the identity theft were caught, but what about the responsibility of the paper to have protected that data? Even if the storage locker had been broken into, as another account reported, why was sensitive customer data stored on paper in a locker in the first place? Break ins are not unknown. Clearly, the data was not encrypted, it was on plain paper.
Here are some related links to the Star-Advertiser data breach—probably more than you want to know, but for the record anyway:
While the national big-box chain Target apologized to its customers when their data was stolen, here in Hawaii, the University of Hawaii did not. Attorney Tom Grande successfully sued UH to get credit protection services for all those affected. Again, SB2485 would let you take individual action if you suffered a loss due to a company’s or organization’s failure to protect your data.
The idea is to make sure your data is protected by letting companies know they’ll be responsible if they have left the windows open and a thief takes advantage.
Please make that phone call today if you can.