Hacker News

Not to discount your point - you’re right, it’s so disingenuous.

BUT we’re quickly approaching a world where every American has been in a leak that affects their data and SSN. Not 100% of course (simply because young people haven’t had a chance to be screwed over) but at some point we should assume that the information is public for a large enough portion of the population and we need to set new expectations.




> we’re quickly approaching a world where every American has been in a leak that affects their data and SSN. Not 100% of course (simply because young people haven’t had a chance to be screwed over)

… that number, presently, has to be a rounding error from being 100%. My SSN was first breached when I was in high school, at least.

But yeah, I agree, we should set new expectations. There could definitely be a better system, and I would like to see companies held to account, but material fines against corps are basically unicorns in America.


We need a bunch of case law indicating that banks and credit card companies that don’t authenticate past this widely leaked PII are on the hook for the loss of money (rather than the uninvolved third parties who are being impersonated).


This is already the case. You have to prove you weren’t involved (a quick police report will do), but you’re expected to be made right already. Banks have just deemed this current level of fraud acceptable.

Currently, if Mallory finds Alice’s SSN and opens a credit line at Lazy Bank Corp, and then runs up a bill in Alice’s name, Alice will be assumed responsible. It’ll affect Alice’s credit score, etc when the banks report these balances.

If Alice notices these changes, they can submit a letter to the bank, demanding that the bank remove these reports and close the account (Fair Credit Reporting Act?). The bank can say “but we have the SSN of Alice, so it’s Alice’s” but if Alice can prove they’re not responsible -through lawyers or strongly worded letters or otherwise- (“I don’t and have never lived at the address on file, that IP address originated from Belarus, etc”) then the bank is legally required to remove the association between Alice and that debt. Note that filing a police report is like “auto winning” because it’s a crime to lie to the police.

I think the real question is what’s the actual harm on a society level in not validating further? We already have a process to undo the harm on an individual level, but do we need more onerous procedures?



