If Feds Fail, What can Stop Identity Theft?
Modernizing Authentication — What It Takes to Transform Secure Access
"Who steals my purse steals trash," says Shakespeare's Iago, "but he that filches from me my good name/Robs me of that which not enriches him/And makes me poor indeed."
As we all know by now, the modern identity thief can enrich himself quite nicely by stealing your good nameas long as he also gets your good Social Security number, address, and possibly your bank account number along with it. The Federal Trade Commission alone logged nearly 250,000 identity theft complaints in 2004, up from about 160,000 in 2002.
This year, the news has been focused on just how easily identity thieves can get the data they needeither by fraud, hacking, or simply asking for it. The Wall Street Journal counts 11 major -incidents of mishandled consumer data already this year, involving institutions as diverse as ChoicePoint, LexisNexis, DSW Shoe Warehouse and my own employer, the University of California at Berkeley. Just last month, Citigroup disclosed that backup tapes containing financial data of nearly four million customers of its loan business had been lost by UPSthe tapes literally fell off the back of a truck!
Some of the revelations of poor security practices involved in these incidents can be credited to a 2003 California law that requires companies to report the unauthorized access of personal information to affected California residents. Now, dozens of other states have or are considering passage of similar legislation, and Congress has been holding hearings on new regulations that would set minimum standardsand accompanying penaltiesfor companies that collect, store, and process consumer data.
Is there an identity theft crisis? Former National Security Council member Richard A. Clarke, for one, thinks so, and he recently called on Congress to "come up with an identity-protection bill of rights." I think such a law would be a terrible mistakeas would most of the proposals circulating for increased federal oversight of information processing practices.
For one thing, governments are especially ill-suited to deal with problems involving confidential data. The "right to privacy" that has been read into the U.S. Constitution, remember, is there to protect citizens from invasions by the government. Any agency charged with monitoring compliance with an "identity protection bill of rights" would likely require access to the data itselfone reason civil liberties groups in particular have not pushed for a regulatory solution to the problem.
More to the point, it is unlikely that any new law would actually solve the problem. Congress has a poor track record of legislating in a crisis, particularly when that crisis involves rapidly evolving technologiesand this also makes determining both costs and potential benefits difficult. (See "The New Alignment Challenge," CIO Insight, May 2005.) Consider a few earlier efforts to solve perceived problems of data misuse:
n_The Fair Credit Reporting Act: Passed in 1970, the FCRA was intended "to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy." Instead, the act is largely seen today as a safe harbor for the burgeoning credit industry. The FCRA, for example, actually immunizes credit bureaus from potentially stronger state regulations. Indeed, at the time of the act's potential sunset, in 2003, the credit industry was one of the major forces lobbying for reenactment.
n_The Truth in Lending Act: This 1968 act requires "meaningful disclosure" of key information in any consumer credit transaction, but consumer organizations have long criticized the regulations issued to date as toothless. (Take a look at the most recent announcement of new terms and conditions sent to you by your credit card company, or at the closing documents on your last mortgage. Do they provide "meaningful disclosure" of credit terms?) According to Consumers Union, the $800 billion credit card industry is "virtually unregulated."
n_The Health Insurance Portability and Accountability Act: A key provision of HIPAA was a requirement that healthcare providers and insurers create and maintain electronic patient records that would improve healthcare efficiency and ensure confidentiality. The act was passed in 1996, but enabling privacy regulations were repeatedly delayed until 2003. Meanwhile, the idea of an electronic patient record is still just that. President Bush recently set a new goal of 2014.
These are just a few patches in the crazy quilt of federal, state and even international laws that govern how companies collect, store and process data, most of them passed without taking into account their effect on each other, or the difficulties and costs of compliance. Any new law aimed at the identity theft "crisis" would likely make things worse. But what are the alternatives? Here are four nonregulatory solutions that, taken together, would solve the problem, and do so in a cost-effective way:
n_Commit to effective self-regulation, and then prove it. Companies that collect, store, or process consumer information must take immediate action to improve data handling practices. Compliance with ISO 17799, "Code of Practice for Information Security Management," would be an excellent starting point, but so far only a few companies have been certified. A pledge from a coalition of trade associations to beef up the standard, and adopt it, would go far toward quieting calls for legislation. But the promise must be kept.
n_Encourage market-based solutions to the problem. State laws that require disclosure of compromised consumer information are only making consumers more anxious. Today there is little a consumer can do with the knowledge that her private information may soon be misused.
The alternative to litigating responsibility one incident at a time is a market-based solutionpossibly offered by the credit agencies and data aggregators themselvesthat offers low-cost insurance and other forms of protection against identity theft (half a dozen major insurers already offer such a policy, some as cheap as $25 a year). And as part of the development of new insurance products, we might get some real data about the scale of the problem today.
n_Targeted Legislation. Rather than setting and enforcing broad standards, Congress should consider more specific legislation that would slow the escalation of identify theft and related crimes. Many consumer groups, for example, argue persuasively that the pervasive use of Social Security numbers as both a customer identifier and a means of authentication has made identity theft an easy crime to commit. Replacing Social Security numbers with unique customer identifiers would be expensive, but not as expensive as the more sweeping proposals under consideration.
n Public Education. Though large-scale breaches grab the headlines, many victims of identity theft are themselves the source of the offending disclosure (by responding, for example, to e-mail "phishing" and other online and offline scams). Making sure consumers understand what identity theft is, how they can prevent it, and their rights if it does occur, would greatly reduce the incidence and impact of fraud.
CIOs and other executives understandably complain that legislators rarely consider the costs of complying with information regulations. Worse, the anecdotal evidence suggests that many information-related laws punish the innocent while doing little to solve problems. The way out of this spiral is to take preemptive action now to minimize future disasters. But time is running out.
Larry Downes is Adjunct Professor at the University of CaliforniaBerkeley School of Information Management and Systems. He is the author of Unleashing the Killer App: Digital Strategies for Market Dominance (HBSP, 1998).