Opinion
Whose Risk Is It, Anyway?
By Lew McCreary
June 01, 2005 — CSO — If you ran a company whose business model consisted of a constant promiscuous intimacy with risk, it would be your fondest wish to offload as much of that risk as you could.
In fact, the almost exclusive goal of risk management is to get someone else to shoulder more downside so that you can enjoy more upside.
And what better way to offload risk than by convincing your customers to assume some of it, and maybe even a lot of it? A classic example of this is the software industry's so-far-successful practice of offering unfinished or (to put it charitably) unperfected products for sale and assuming no liability when those products fail to perform reliably. As the blokes from Guinness like to say, "Brilliant!"
Typically, customers do grouse, but in the aggregate, they've not rebelled and over time have come to accept the practice as fully entrenched. Mainly, that's because most software offerings have been clear steps forward, featuring more innovation than aggravation and more decent performance than poor performance. But as the risks of business interruption and actual losses have grown on the customer side
Now, the credit card industry is getting into the offloading game. Recently, my colleague David got a telemarketing call from his card issuer in which he was offered a "free" credit report. All he had to do to get it was authorize the release of a bunch of his personal data to Intersections, a third-party provider of "identity-theft solutions." David's MasterCard issuer, MBNA, offers a program called "Privacy Assist"; Intersections is the outsourced provider of Privacy Assist. After a three-month "special offer" ($19.95), the service sells for $9.99 per month. That's $119.88 a year David would be asked to pay to have Intersections keep an eye on his creditworthiness and card usage, and bird-dog for signs of possible fraud.
Now, on the one hand, David might just like a little bit more identity-theft protection. But shouldn't he be looking to the credit card issuers to get it? Why should he be asked to underwrite what is essentially a program of risk mitigation of significant benefit to MBNA? As the card issuer, shouldn't MBNA be providing much of this service for free in the normal course of doing business?