Saturday, February 06, 2016
Hold organizations responsible for their data breaches—help get a hearing for SB2485
by Larry Geller
I need to ask for your help in getting a hearing for SB2485 – a bill that should help reduce data breaches—and the identity theft that can result—in Hawaii. The bill gives anyone affected by the breach a legal course of action, and makes it more likely that an attorney would take up their case. The text of the bill is here.
How you can help this bill get a hearing
Please call and leave a message asking Sen. Baker to schedule a hearing for SB2485.
phone: 808-586-6070
email: senbaker@Capitol.hawaii.gov
It should be clear that our personal data is increasingly at risk. Amazingly, children’s toys are being connected to the Internet—and there have already been serious flaws in security reported. Check it out in today’s Star-Advertiser if you have a copy, or see a version of the same AP story here: Something new to worry about: Connected toy security (AP, 2/2/2016).
When hackers exploit a security weakness we consumers seldom get more than an apology. Yet weak protection of our personal data makes hacking possible. Sure, the hackers are the criminals, but failure to protect the data entrusted to a company or organization is what enables the hackers to succeed.
If a delivery person leaves packages in a parked car in Manhattan leaving the windows open and then someone takes the packages, they are thieves, but what responsibility did the delivery service have for the theft? If your packages were taken SB2485 would let you go after the company to make good your loss. Just substitute “credit card information” for “packages” to get the idea of the bill.
A great example, and one that may have affected you personally (so please, make that phone call to Sen. Baker!) was the theft of customer information from the Star-Advertiser in 2014. Accounts differ about whether the data was inside or left outside of a storage locker when it was taken. KHON reported:
Sadie Groy, 30, and Tori Samiere, 54, are charged on a combined 14 counts related to identity theft and fraud.
According to police sources on April 4, a worker at a self-storage business found boxes left outside a locker rented by the paper.
At least one of the boxes had paper records on customers including credit card information.
[KHON, Two people arrested in Star-Advertiser ID theft case, 6/5/2014]
So the perpetrators of the identity theft were caught, but what about the responsibility of the paper to have protected that data? Even if the storage locker had been broken into, as another account reported, why was sensitive customer data stored on paper in a locker in the first place? Break ins are not unknown. Clearly, the data was not encrypted, it was on plain paper.
Here are some related links to the Star-Advertiser data breach—probably more than you want to know, but for the record anyway:
• Star Advertiser credit card breach could impact hundreds, if not thousands, of customers
• Story obscures possible Star-Advertiser subscriber data breach
• KHON and Hawaii News Now post info on Star-Advertiser data breach
• Differences in Star-Advertiser data breach stories raise more question
• Blogger questions newspaper’s response to theft of subscriber data
While the national big-box chain Target apologized to its customers when their data was stolen, here in Hawaii, the University of Hawaii did not. Attorney Tom Grande successfully sued UH to get credit protection services for all those affected. Again, SB2485 would let you take individual action if you suffered a loss due to a company’s or organization’s failure to protect your data.
The idea is to make sure your data is protected by letting companies know they’ll be responsible if they have left the windows open and a thief takes advantage.
Please make that phone call today if you can.
Post a Comment
Requiring those Captcha codes at least temporarily, in the hopes that it quells the flood of comment spam I've been receiving.