I've had it.
I've had it with apathy. Fast approaching, what, 75 million personally identifying records publicly cited as compromised - often by rank amateurs using dilettantes' tactics - and still no indignation. People are more upset about Tom Cruise's behaviour than they are about officious corporations demanding our personal information and then failing miserably to protect it.
The most insidious part of it is that the companies, and the many complicit media, brazenly dump the problem on to the apathetic consumer. The most common ID theft story you'll hear from the media is the one that talks about what you, the consumer, can do to protect yourself and what you should do if your bank's so impotent that it can neither write nor enforce a data usage policy. You call the credit agencies. You call the Social Security Administration. You clear things with your health insurer.
But you are not at fault, and it shouldn't be the consumer's responsibility when a company decides to deploy technology it can't control. When it can't conduct a simple background check. Can't even account for what information went missing and what information didn't after they lose it. This is their fault.
So let's stop it. Stop the grandstanding Congressional hearings and calls for new technology defences. Technology's not the problem. The problem is organizations' being too cheap, too greedy and too big to care enough to invest in data's integrity.
Enough. It's time for the public to take companies, and that includes their CIOs and CISOs - yes, maybe even you, gentle reader - to task. Corporate execs have to stop hemming and hawing about who's responsible for the failure and do whatever it takes (and costs) to guarantee, contractually, that it won't happen again. They have to stop kvetching about the complexity of the problem and step up.
It's a radical problem they've fostered, so it's time for radical solutions.
The most radical of all, of course, would be to adopt the strict, consumer-focused privacy standards of the European Union. But that's not likely to take root during a big business-friendly administration, or during any administration for that matter, as long as the business lobbies and their campaign contributions aren't challenged. Plus, culturally, such privacy strictures just aren't our thing.
So, in the absence of that, we have to resort to prodding these companies where it hurts. Here's my off-the-cuff proposal. If a company loses personally identifying information:
1. It must disclose this fact to the individuals affected, and failure to do so will result in possible criminal charges against those responsible for protecting the data.
2. It must provide and pay for all services required to prevent the theft from spreading to other agencies, including but not limited to other banks and lenders, the Social Security Administration, health insurers and credit agencies, and failure to do so will result in fines of $1,000 per customer that this service is not provided to.
3. It must provide and pay for quarterly credit checks for those affected for no fewer than five years, and failure to do so will result in a fine of $1,000 per customer not provided with the service.
4. It must provide and pay for all services required to clear erroneous charges, misinformation and other damage resulting from the theft, and failure to do so will result in treble charges to the offending company.
5. It must apologize to each customer affected.
Harsh? Yes, but you know the one about desperate times. For years consumers have forked over their Zip code to buy batteries; have had grocery shopping habits recorded and scrutinized in order to avoid a tax on what they buy; have disclosed their income to get a warranty. Consumers have given companies more and more of themselves with some reasonable expectation of privacy, and those companies have flouted that trust.
Now it's their problem. And it's time for them to play big or go home.