The Internet has made identity theft trivially easy – a new report from Symantec says that for $14 you can obtain someone’s name, date of birth, mother’s maiden name, social security number, bank account (with password), and credit card information (with security code). At any given time, nearly 150,000 credit card numbers can be purchased online.
When we celebrate and encourage open data on the new web, this isn’t what we’re talking about. The FTC estimates that identity theft costs our economy about $50 billion per year. It takes people years to recover from a full-blown identity assault.
In the U.S., our government has done very little to protect us. Part of the problem is that credit bureaus, auto dealers and retailers spend millions lobbying the federal and state governments to keep the laws just as they are. If a company is in the business of selling credit information and/or opening new credit accounts, they’re probably on the wrong side of this issue, and working to keep the transfer of private information as easy as possible.
But at some point this is going to pop. It will probably happen when a few members of Congress have to go through the ordeal of identity theft themselves, or when the volume of citizen complaints becomes too serious to ignore. And at that point, Congress is likely to push legislation that not only cuts out the cancer, but lots of healthy tissue as well.
We saw this with Sarbanes-Oxley, federal legislation hurriedly enacted following the Nasdaq implosion five years ago. While Sarbanes-Oxley certainly improved the level of disclosure needed for public companies in the U.S., it also put a very heavy burden on reporting companies. Many feel that it was the most significant contributing factor in the huge reduction in U.S. initial public offerings since that time (many companies have gone public in London or other countries instead).
If Congress finally does act to protect us against identity theft, the legislation could similarly go overboard, and have an impact on all these great companies making a living on the free exchange of data over the Internet.
Gray market startups like Jigsaw that are in the business of brokering personal information don’t make it any easier for the rest of the industry to show that they take the management of personal information seriously. Other startups, like TrustedID, are trying to find a private sector way of protecting us (see if your personal data is on any of the well-known fraud forums with TrustedID’s StolenIDSearch).
Symantec and others sell products to companies that help them protect their servers (and the data on them) from attacks. That’s good, but the ultimate solution is to hold companies financially accountable if their users’ data is stolen from their servers. And the burden of proof that it did or didn’t occur should fall on the company holding the data, not the user.
Companies won’t want this liability, and they’ll start finding ways to get that data off of their servers. New startups will launch that are willing to take that risk. And ultimately, sensitive user data will be stored in far fewer places than it is today. That’s a good thing.