By Fred H. Cate
A California law requiring businesses to notify consumers when the security of their personal data is breached is a poor substitute for real action to address the scourge of identity theft.
The law makes no distinctions based on the nature of the breach or the risk of subsequent harm. All affected consumers get notices, regardless of whether the company or law enforcement believes the breach will put consumers in danger.
Fortunately, evidence suggests that most security breaches do not result in identity theft. But if the California law were adopted nationally, like the boy who cried wolf, the flood of notices would soon teach consumers to ignore them. When real danger threatened, who would listen?
Thanks to recent financial and health privacy laws, U.S. consumers are already bombarded with more than 2 billion privacy notices annually. Most are never read; U.S. Postal Service surveys indicate that more than half may never be opened. Another notice hardly seems an appropriate response to identity theft.
Moreover, the California law misses the forest for a single tree. The Federal Trade Commission reports that most identity theft is not committed by strangers using third-party data, such as that provided by ChoicePoint. Instead, it involves a relative or friend using data obtained from victims themselves -- situations ignored by the California law.
The problem at the heart of most identity theft isn't access to information or consumer inattention, it is the lack of will and effective tools to verify the identity of consumers, especially when granting credit.
Stealing even the most personal information would be useless to identity thieves -- whether friends or strangers -- if they could not use it so easily to open credit or obtain products and services in somebody else's good name.
The focus on notices, therefore, is all too likely to distract lawmakers from the more urgent need for practical means to protect individuals' identities and to restore the good names of identity theft victims.
Identity theft is a serious problem. It requires solutions more serious than just another notice.
Fred H. Cate is a distinguished professor of law and director of the Center for Applied Cybersecurity Research at Indiana University.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at. New articles daily. *** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, Fred Cate, Center for Applied Cubersecurity Reasearch.
For more information go to:[TELECOM Digest Editor's Note: When Visa first went into business, back in the early 1960's, they were known as BankAmericard, named after Bank of America which started the service. First National Bank of Chicago took an incredible hit on the program in the first two or three years; they lost millions of dollars on fraud. Their original idea was to just send out cards, no questions asked, no application required to every 'customer account' on their book; consequently credit cards were sent out unsolicited to accounts in the names of little babies (whose parents had a bank account for the child) and to people who were deceased, or had moved away. The post office was dropping credit cards all over the place. Many -- far too many -- of the first issue of credit cards fell into the 'wrong hands', to put it politely. When bank quit that foolishness and started requiring at the very least a signed application from everyone, that cut back somewhat on the fraud. PAT]