Last night I participated in a panel discussion on identity theft at NAISG/New England. Other panelists were Charles Kolodgy, IDC Research Director of Secure Content and Threat Management; William M. Straus, Massachusetts State Representative who sponsored a bill on identity theft; Eric Bourassa, Consumer Advocate, MASSPIRG; and Steven Bearak, CEO of Identity Force. It was a lively discussion with lots of stats and surveys referenced. I played the role of fear monger and group curmudgeon (surprise, surprise), claiming that we won’t have any real changes of impact until someone dies from identity theft – literally. Although my comments were met with skepticism and thought to be hyperbole, I was quite serious and painted several very plausible and scary scenarios, e.g., changing prescriptions en masse at a hospital (some of the most information-insecure places there are!).

Since the industry began collecting information on identity theft in January 2005 (see www.privacyrights.org), there have been over 100,000,000 identities stolen — and that’s only in North America. A lot of press has been generated over certain cases, e.g., the VA, ChoicePoint, AOL, and recently TJX Companies. But according to the 2006 Identity Fraud Survey by Javelin Research, 63% of known information breaches were initiated by factors that were within the consumer’s control, e.g., a lost wallet, a trusted associate, friends/family, or mail left un-shredded in garbage cans. Further, the Internet was found to be “relatively low risk,” with 90% of unauthorized access to sensitive information occurring through non-electronic channels.

So we’re making too much out of electronic identity theft and the breaches that happened at TJX and others, right? B.S. I say! These companies have been let off easy, imo. They are trusted agents with our personal data and they need to act responsibly. Unfortunately, none of the industry regulations have sharp teeth. The PCI Data Security Standard is the best effort, imo, and is improving with time. Even the FTC lawsuits against BJ’s Wholesale and others were tantamount to a slap on the wrist. Until companies are hit where it hurts (on the bottom line) or until someone dies, we won’t see sweeping change. Analogs existed in automobile safety, anti-tamper requirements on retail drugs, even shipping (the Titanic was within regulatory boundaries for the number of lifeboats it carried!).

TJX provides an interesting case to analyze — not only are they being sued by consumers in a class-action lawsuit, but also by the banks that were impacted by this breach… now that’s a class-action lawsuit that can hurt. Maybe this will be the spark that ignites legislative and industry change in electronic identity theft and data handling.

We can never fully mitigate the human factor, the sheer carelessness or stupidity of people (heck, I do dumb things every day), but we can make it more painful for trusted agents who lose our personally identifiable information. Yes, consumers can apply pressure, too, by cancelling their TJ Maxx cards or refusing to shop at Marshalls… but those grass-roots efforts will take time to have a cumulative effect. So for now, to those who say we’re making too much out of this issue, I say phooey!