Thursday, January 7, 2010

An Armed Society

Ever hear the phrase "An armed society is a polite society"? It does take things a bit far, but the principle is right on the money. I've said time and again that if you can successfully remove the value from the data, then you can actually reverse the trend in data theft and misuse. It shouldn't be the sole responsibility of the "data keepers" to protect it from lurking thieves. Just as in terrorism or any crime of attack, the good guys have to be right 100% of the time, whereas the attacker only has to be right once. Not exactly great odds.

When you look at the practical percentages of theft surrounding your personal data, you can see that the odds of your information being stolen and used are lower than is widely perceived. Currently there are roughly 10 million domestic identity theft victims each year, according to FTC and Ponemon Institute estimates. A little over 60% of those cases are the result of data theft from a public or private entity. But that doesn't make any individual case less devastating. The problem is that if you rely on the data keeper to report the loss to you, to fix the weak link that led to the breach, or frankly to do anything for you after the fact, you are dreaming. No breached entity will tell you that the breach will likely result in identity theft. They will run damage control instead, meaning that they will downplay that aspect to protect their public image. The problem with that is that time is now on the side of the thieves to sell or use your personal information. A breached entity can take months, or in some cases years, to notify you of the loss. Sometimes they never notify you at all, if the breach doesn't rise to the threshold set by the states' reporting laws.

In light of that reality, why can't we all empower ourselves to be our own first line of defense when it comes to our personal data? With the power to act in our own hands, we can react to incidents of breach and identity theft much faster and with greater precision than is possible for the university, government agency, employer, hospital, etc., that lost it in the first place. A professional agency dedicated to notifying us when our information is misused, and reporting that misuse within hours, is our best line of personal defense. An agency that can not only report these incidents to you in a timely way but also act as your proxy to correct the erroneous and false record entries on your behalf when misuse does occur is the most direct way to protect ourselves.

Tangentially, by having such a representative we are lowering the value of the data to the thieves. Illicit data brokers and identity thieves rely on time being on their side to profit from the misuse of your information. They need days or weeks to actually use the data to make purchases, obtain insurance, file false claims, get employment, etc. Draining bank accounts or running up credit purchases, while pretty awful, are largely handled by the banks and credit card companies themselves. A bank generally will help the victim, but only with timely reporting. That means within hours, or a day or so at the longest. Beyond a few days, a bank's responsibility is much reduced. If you are not aware of the misuse, you cannot report it to the bank. An agency that can notify the client within hours of an identity theft episode can shut down the misuse and render that identity information nearly useless almost immediately. The client is isolated from the incident and identified as a victim of identity theft, and the agency can then begin restoring the records or credit files affected. It will also look for further misuse in other databases, in case the incident is more widespread than the one originally detected. This can all take place within hours of the incident. Not a bad timely response to the attack, in my opinion.

1 comment:

Anonymous said...

Forearmed is a good thing. Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of a "business-technology weave." It has great chapters on security, risk, project management, content management, acceptable use, disaster recovery (rebranded as disaster awareness, preparedness and recovery), policies, and so on. Just Google “IT WARS” – check out a couple of links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).