By Fred H. Cate</i></font>
A California law requiring businesses to notify consumers when the
security of their personal data is breached is a poor substitute for
real action to address the scourge of identity theft.
The law makes no distinctions based on the nature of the breach or the
risk of subsequent harm. All affected consumers get notices,
regardless of whether the company or law enforcement believes the
breach will put consumers in danger.
Fortunately, evidence suggests that most security breaches do not
result in identity theft. But if the California law were adopted
nationally, like the boy who cried wolf, the flood of notices would
soon teach consumers to ignore them. When real danger threatened, who
would listen?
Thanks to recent financial and health privacy laws, U.S. consumers are
already bombarded with more than 2 billion privacy notices
annually. Most are never read; U.S. Postal Service surveys indicate
that more than half may never be opened. Another notice hardly seems
an appropriate response to identity theft.
Moreover, the California law misses the forest for a single tree. The
Federal Trade Commission reports that most identity theft is not
committed by strangers using third-party data, such as that provided
by ChoicePoint. Instead, it involves a relative or friend using data
obtained from victims themselves -- situations ignored by the
California law.
The problem at the heart of most identity theft isn't access to
information or consumer inattention, it is the lack of will and
effective tools to verify the identity of consumers, especially when
granting credit.
Stealing even the most personal information would be useless to
identity thieves -- whether friends or strangers -- if they could not
use it so easily to open credit or obtain products and services in
somebody else's good name.
The focus on notices, therefore, is all too likely to distract
lawmakers from the more urgent need for practical means to protect
individuals' identities and to restore the good names of identity
theft victims.
Identity theft is a serious problem. It requires solutions more
serious than just another notice.
Fred H. Cate is a distinguished professor of law and director of the
Center for Applied Cybersecurity Research at Indiana University.
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . New articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Fred Cate, Center for Applied Cubersecurity
Reasearch.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
[TELECOM Digest Editor's Note: When Visa first went into business,
back in the early 1960's, they were known as BankAmericard, named
after Bank of America which started the service. First National Bank
of Chicago took an incredible hit on the program in the first two or
three years; they lost millions of dollars on fraud. Their original
idea was to just send out cards, no questions asked, no application
required to every 'customer account' on their book; consequently
credit cards were sent out unsolicited to accounts in the names of
little babies (whose parents had a bank account for the child) and
to people who were deceased, or had moved away. The post office was
dropping credit cards all over the place. Many -- far too many -- of
the first issue of credit cards fell into the 'wrong hands', to put
it politely. When bank quit that foolishness and started requiring
at the very least a signed application from everyone, that cut back
somewhat on the fraud. PAT]