Obama ID protection plan may be best alternative to data theft
Framework would set standards, rules, fines for storing sensitive data securely
The data-breach and personal-information-theft stories have been so thick recently it's hard to find time to write about anything else.
The number of breaches and the ease with which they're made make it hard to imagine how we can continue to do business online if we have to assume – no matter how carefully we protect our own data – that some vendor or service company that isn't so careful will leave a door open so all our financial data can escape and start a new life for itself in China or Eastern Europe.
One in 10 Americans has been a victim of identity theft, according to this nifty graphic that aggregates data from multiple sources (and which you'll have to magnify to see clearly).
The average number per year ranged between 8.1 million and 11.1 million from 2003 to 2009. The average cost per consumer was $4,581; the average total nationally was $54 billion. Repairing a stolen identity takes 330 hours on average; in some cases it has taken 5,840 – the equivalent of two years of full-time work.
Businesses with 500 employees spend an average of $110,000 on password management – $220 per user per year – according to an RSA study on password costs.
Stolen data is so common, there's a relatively standard price list to rent or buy many bits of it.
One possible solution is to give every consumer a way to control what personal information is supplied to whom, when and under what circumstances. Not just whether to send the Visa number to Sony to pay for a month of Everquest, but for how long Sony gets to see the Visa number (if at all) so the transaction can be completed and our personal information can be automagically deleted from Sony's databases, so it won't be stolen.
Nice idea. Almost impossible, technically.
One alternative is a national ID system that serves as a central, secure repository of personal data over which individual consumers have control.
That might solve some data-theft issues, while raising others – the potential for abusive invasion of privacy and covert surveillance by government agencies ranging from the IRS to the local Parks and Rec. Department being the first that come to mind.
Given the record of government agencies losing tons of data – like when Texas left personnel files including Social Security Numbers on a public server for more than a year and a half – having a federal agency be the storehouse for identity data would not be my first choice of solution.
Last month the Obama administration proposed an approach called the National Strategy for Trusted Identities in Cyberspace (NSTIC).
It must be a well-thought-out plan, because it not only has extensive PDFs explaining the details of the NSTIC and the "reasons we need it," it also has a simplistic animation describing how NSTIC would work.
I haven't seen anything quite as patronizing since the last time I was willing to sit through a vendor presentation at a trade show in exchange for an Earth globe squishy ball or flashlight keychain as a bribe to the kids to let me back in the house when I got home.
NSTIC is supposed to rely on a network of private-industry organizations and store bits of your information in different places, so it's not all available in one vulnerable spot.
It's supposed to provide mechanisms to let consumers establish whether a web site is legit before they give it any information, and control who gets access, when and for how long.
Federal agencies would set the data-exchange and security standards, probably set or limit the costs, and require companies participating in it to abide by the Fair Information Practice Principles (another PDF).
Given how well companies that already are supposed to be securing our data – to protect their own assets, if not ours – are doing it, I'm not that confident a new agency trying to enforce a set of information-management practices most companies will fight to avoid is going to be all that successful.
I'm also concerned about the cost. A 2009 survey from Financial Executives International found the average cost of audits and reporting stemming from the 2002 Sarbanes-Oxley Act is $1.7 million. Smaller companies had smaller costs.
There's no telling what the cost, or even the responsibility, of the companies having to manage customer identities according to NSTIC guidelines (which have not yet been set) would be.
I'm confident cost estimations from CFOs and CIOs will range from "way too much" to "holy #%@#," however.
It would be easy to be paranoid about government oversight of identity data, and to resist a new identity program because it would cost too much.
Without a broad-scale mechanism to provide some level of security and confidence in identity data, though, the pace of data breaches is such that in a couple of years the only way the rest of us will be able to get our own financial data will be to hack into the databases of identity thieves and take it.
That will be a big problem; unlike Sony and so many others, the identity thieves' security will probably be pretty good.