Friday, September 12, 2008

Personal Point of View

The world of professional and academic privacy specialists and practitioners is populated by persons much more qualified than I. During the last three and a half years I have read and met some remarkable people that I hold in the highest regard. I've learned a great deal from each of them as they have helped to shape my position and opinions about data safety and the trade-off between public access and personal protection. As we move into a new paradigm of computing, the so-called Web 2.0 new ideas about privacy are emerging. Some great ideas including single internet log on IDs, and anonymous IP addresses are being seriously considered. These are good proposals for the future of the online "Uber Databases" that Google and other companies are proposing to establish. The problem is that this doesn't begin to touch the problem of identity theft.

The opinions in this column are just that, my opinions. As my work takes me into the field of speaking with employee groups I see what most people perceive as identity theft based on the information they get mostly from the media. The perspective I have come away with stems largely from what I learn from the experts, but also from what I see and hear in those employee meetings. You see identity theft is a personal crime with individual victims. In preparing to speak with these groups my research often involves a lot of statistics. There are huge losses to business ranging in the billions of dollars each year, staggering figures of information loss & theft in the hundreds of millions of records, and the millions of cases of victims and their nightmarish experiences. I don't think I have met anyone in the past three years or so that doesn't know about identity theft or has a personal story about it. I am also a victim of identity theft.

One thing I have observed since I began my interest in identity theft. The companies and organizations that are entrusted to safeguard the data they have simply do not care about the persons who could become victims. I can say with certainty that almost without exception this is true. There is a mentality of separation where a company takes it for granted that the "victims" are someone else, nameless and anonymous. Company officers don't think in terms of themselves being victims or their families or employees. It is always in the abstract. The businesses that are involved in privacy and who market "solutions" for data loss are only concerned with the bottom line of the company, its' corporate data, and the public image of the business. No one seems to be interested in talking about the thousands of places where existing data lists are ripe for the taking. As I have tried to point out in previous columns the information is in lots of places, not just in big repositories. Doctors offices, personnel files, accountancys, points of sale, county records are examples of the smaller and much easier to steal records. I have not met among the professional privacy community one single person whose primary concern is with the crime of identity theft. Businesses are engaged in protecting themselves and some make money by providing protection services for other companies, but not tackling the question of identity theft. I also have never met any individual identity theft victim who really cared which database was the source of their identity theft.

Nearly every U.S. state has enacted breach reporting laws designed in part to notify potential victims that their information may have been compromised. In the vast majority of data breach cases the potential victims are not notified due to loopholes in the statutes, and when they are notified the letters are often misleading, promising that no real danger exists but to check their bank statements anyway. On occasion they will offer simple credit monitoring, again misleading the public that monitoring alone is a safeguard.

Laws will not prevent identity theft any more than any other crime. Federal legislation and now state legislation have completely failed to stem the tide, and most predictions are for a sharp upswing in identity theft activity. The solution can only be found in arming the public with the correct information about the crimes we call identity theft and giving each one the tools to protect themselves. There cannot be any other solution. As long as there is value in the data thieves will continue to steal it, sell it, and profit from it.

No comments: