At what point is it identity theft?
By saragates on Nov 28, 2005
I was talking to Dave Kearns last week about a survey on identity theft that we recently conducted, and Dave posed an interesting question: What is identity theft? What qualifies? Is it having your credit card stolen? Does that qualify? Or is it when a thief uses your identity information to gain assets?
As usual, it was an interesting conversation with Dave posing good questions.
If a data theft happens and no financial theft occurs, is it identity theft or not? I pose that anytime there is a data breach and your information that you own and that has value is stolen – that is the theft. Not when someone then goes and gets a mortgage with it. It’s like the “if a tree falls in the forest and no one is there to hear it does it still make a sound?” question. If someone steals your private data and does not use it for financial gain, has a theft occurred? I say yes. Because the risk exists. And the fear. And ultimately because the value is in the data.
As our laws strive to catch up with the identity theft issue, we must define the theft at the point of data breach, not at the point of financial gain.
In the survey we recently conducted with Harris Interactive, we tried to gain an understanding of what adults in the US are currently thinking as it relates to identity theft. Here are a couple of interesting things that I learned:
1. Consumers’ action to prevent identity theft is higher than we thought. Specifically, consumers know and are taking the basic steps like changing their online passwords more frequently. That’s good.
2. Consumers are willing to take action, even if it’s inconvenient, if they are notified that their private data has been compromised. Specifically, they are willing to stop doing business with a retailer or a financial institution if they are notified that their data has been compromised.
My take-away here is that the power is with the consumer. Consumers are savvy about the identity theft issue. Consumers are willing to vote with their wallets, even if it’s a pain in the neck, and take their business elsewhere. So, increasingly, individuals are doing their part.
Companies need to take the steps necessary (and maybe tell their consumers what they are doing?) to increase consumer confidence. My recommendations to them are: secure your data, secure your buildings, secure your networks – all of which ultimately come down to knowing WHO you are letting in and WHO you are keeping out.
And – stop using SSN as an identifier! One reason identity theft has so much power is in its potential. You can search for and find John Doe’s social security number if you hack into any of thousands of databases – alma maters, credit card companies, insurance companies. But what if we could – and I believe we can (CAUTION: shameless plug ahead – using Sun’s identity management technology) – completely eradicate the use of social security numbers as a primary means of identifying people? What if we could use technology to go find everywhere you have this nine-digit number, with or without dashes, and take it out? After all, only the U.S. Social Security Administration really needs your social security number.
We have, in one of the identity products, the ability to randomly generate a number, so your number could be 123A7 and that would be your health-care number, for example – a number that will never be used again, is always associated with you, and is in no way, and in no place, tied to your social security number. Outside the context of your healthcare network, it is a meaningless number.
Less meaning = less risk.
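To make the idea concrete, here is an added sketch (not from the original post and not Sun's product code) that finds nine-digit SSN candidates, dashed or undashed, in record fields and swaps each for a random identifier that is stable within one context and never reused. The names `SurrogateVault`, `scrub_records` and `SAMPLE` are hypothetical, and the sample rows are constructed.

```python
import re
import secrets

# Nine digits, fully dashed (NNN-NN-NNNN) or undashed, not part of a longer
# digit run. Hits are candidates for review: not every 9-digit value is an SSN.
SSN_RE = re.compile(r"(?<![\d-])(?:\d{3}-\d{2}-\d{4}|\d{9})(?![\d-])")


class SurrogateVault:
    """Hypothetical helper: issues random per-context identifiers for SSNs."""

    def __init__(self):
        self._by_key = {}     # (context, normalized SSN) -> surrogate
        self._issued = set()  # every surrogate ever issued, so none is reused

    def surrogate_for(self, context, ssn):
        key = (context, ssn.replace("-", ""))
        if key not in self._by_key:
            candidate = secrets.token_hex(4).upper()
            while candidate in self._issued:  # retry on a collision
                candidate = secrets.token_hex(4).upper()
            self._issued.add(candidate)
            self._by_key[key] = candidate
        return self._by_key[key]


def scrub_records(records, context, vault):
    """Return (cleaned copies, [(row index, field)] where an SSN was found)."""
    cleaned, findings = [], []
    for i, rec in enumerate(records):
        out = {}
        for field, value in rec.items():
            if isinstance(value, str) and SSN_RE.search(value):
                findings.append((i, field))
                value = SSN_RE.sub(
                    lambda m: vault.surrogate_for(context, m.group()), value)
            out[field] = value
        cleaned.append(out)
    return cleaned, findings


# Constructed sample rows; area number 000 is never issued as a real SSN.
SAMPLE = [
    {"name": "John Doe", "member_id": "000-12-3456"},
    {"name": "John Doe", "notes": "SSN on file: 000123456"},
    {"name": "Jane Roe", "phone": "555-010-0123"},
]

if __name__ == "__main__":
    vault = SurrogateVault()
    cleaned, findings = scrub_records(SAMPLE, "healthcare", vault)
    print(findings, cleaned)
```

The vault's SSN-to-surrogate mapping is assumed to exist only for the duration of the clean-up, so that every occurrence of one person's number resolves to the same identifier; once the data is scrubbed it should be discarded so the new identifier is no longer tied to the SSN anywhere.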
We have made some progress here; my SSN, for example, is no longer on my healthcare card, and I know many universities are no longer using SSN as the student number. I suspect, however, that SSNs are sitting in thousands of fields in thousands of databases and that is a problem. (A problem that the right Identity solution can help you solve…OK, I’ll stop).
I know I sound like a broken record, but once again that makes the point that security is changing – it is moving from a “lock it down” overhead function to a business driver. If Web 2.0 is to happen, if we are to enter the Participation Age in a meaningful way, then security will be a key driver behind the next wave of (networked, online) growth.