At what point is it identity theft?

I was talking to Dave Kearns last week about a survey on identity theft that we recently conducted, and Dave posed an interesting question: What is identity theft? What qualifies? Is it having your credit card stolen? Does that qualify? Or is it when a thief uses your identity information to gain assets?

As usual, it was an interesting conversation with Dave posing good questions.

If a data theft happens and no financial theft occurs, is it identity theft or not? I pose that anytime there is a data breach and your information that you own and that has value is stolen – that is the theft. Not when someone then goes and gets a mortgage with it. It’s like the “if a tree falls in the forest and no one is there to hear it does it still make a sound?” question. If someone steals your private data and does not use it for financial gain, has a theft occurred? I say yes. Because the risk exists. And the fear. And ultimately because the value is in the data.

As our laws strive to catch up with the identity theft issue, we must define the theft at the point of data breach, not at the point of financial gain.

In the survey we recently conducted with Harris Interactive, we tried to gain an understanding of what adults in the US are currently thinking as it relates to identity theft. Here are a couple of interesting things that I learned:
1. Consumers’ action to prevent identity theft is higher than we thought. Specifically, consumers know and are taking the basic steps like changing their online passwords more frequently. That’s good.
2. Consumers are willing to take action, even if it’s inconvenient, if they are notified that their private data has been compromised. Specifically, they are willing to stop doing business with a retailer or a financial institution if they are notified that their data has been compromised.

My take-away here is that the power is with the consumer. Consumers are savvy about the identity theft issue. Consumers are willing to vote with their wallets, even if it’s a pain in the neck, and take their business elsewhere. So, increasingly, individuals are doing their part.

Companies need to take the steps necessary (and maybe tell their consumers what they are doing?) to increase consumer confidence. My recommendations to them are: secure your data, secure your buildings, secure your networks – all of which ultimately come down to knowing WHO you are letting in and WHO you are keeping out.

And – stop using SSN as an identifier! One reason identity theft has so much power is in its potential. You can search for and find John Doe’s social security number if you hack into any of thousands of databases – alma maters, credit card companies, insurance companies. But what if we could – and I believe we can (CAUTION: shameless plug ahead – using Sun’s identity management technology) – completely eradicate the use of social security numbers as a primary means of identifying people? What if we could use technology to go find everywhere you have this nine-digit number, with or without dashes, and take it out? After all, only the U.S. Social Security Administration really needs your social security number.

We have, in one of the identity products, the ability to randomly generate a number, so your number could be 123A7 and that would be your health-care number, for example – a number that will never be used again, is always associated with you, and is in no way, and in no place, tied to your social security number. Outside the context of your healthcare network, it is a meaningless number.

Less meaning = less risk.

We have made some progress here: my SSN, for example, is no longer on my healthcare card, and I know many universities are no longer using SSN as the student number. I suspect, however, that SSNs are sitting in thousands of fields in thousands of databases, and that is a problem. (A problem that the right identity solution can help you solve… OK, I’ll stop.)
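The find-and-replace idea described above, sketched as an added example (not code from the post or from any Sun product): scan text fields for nine-digit SSN candidates, with or without dashes, and swap each for a random identifier that is stable within one context and different in every other. The class and function names, the HMAC-keyed index and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Nine digits, fully dashed or fully undashed; the lookarounds skip longer
# digit runs and ZIP+4 codes. Bare nine-digit hits still deserve human review.
SSN_RE = re.compile(r"(?<![\d-])(?:\d{3}-\d{2}-\d{4}|\d{9})(?![\d-])")


class SurrogateVault:
    """Issues one random identifier per (context, person).

    Assumption: the lookup index is keyed by an HMAC of the SSN under a
    migration-only key, so the table never stores the SSN itself and cannot
    be brute-forced over the 10^9 SSN space once that key is destroyed.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # destroy after migration
        self._index = {}                      # (context, hmac) -> surrogate
        self._issued = set()                  # surrogates are never reused

    def surrogate_for(self, context, ssn):
        digits = ssn.replace("-", "").encode()
        tag = hmac.new(self._key, digits, hashlib.sha256).hexdigest()
        if (context, tag) not in self._index:
            candidate = secrets.token_hex(5).upper()
            while candidate in self._issued:
                candidate = secrets.token_hex(5).upper()
            self._issued.add(candidate)
            self._index[(context, tag)] = candidate
        return self._index[(context, tag)]


def scrub_record(record, context, vault):
    """Return (clean copy of record, names of fields that held an SSN)."""
    clean, hits = {}, []
    for field, value in record.items():
        if isinstance(value, str):
            new = SSN_RE.sub(lambda m: vault.surrogate_for(context, m.group()), value)
            if new != value:
                hits.append(field)
            value = new
        clean[field] = value
    return clean, hits


# Constructed sample rows; 000-12-3456 is not an issuable SSN (area 000).
ROWS = [
    {"id": 1, "member_id": "000-12-3456", "notes": "claim filed"},
    {"id": 2, "member_id": "A-17", "notes": "SSN 000123456, ZIP 12345-6789"},
]
```

The list of field names returned by `scrub_record` doubles as an inventory of where SSNs were hiding, including free-text columns that a schema review would miss.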

I know I sound like a broken record, but once again that makes the point that security is changing – it is moving from a “lock it down” overhead function to a business driver. If Web 2.0 is to happen, if we are to enter the Participation Age in a meaningful way, then security will be a key driver behind the next wave of (networked, online) growth.


Several great points here, Sarah.
Michael Barrett of Amex (formerly the Liberty Alliance management board chairman) set out three principal kinds of identity theft when the topic came up at the Liberty Alliance meeting in Chicago earlier this year:
- mass data compromise (for instance, hacking an e-commerce site and snarfing a database full of names and credit card numbers.. which can then be sold 'bulk' on the black market and exploited in a separate phase)
- user account 'hi-jacking' (for instance, by dumpster diving, social engineering or password cracking)
- 'true' identity theft, where the attacker gathers enough data about you to open new accounts in your name without your even knowing about it.
The latter is the one which usually makes the headlines: "Man has transaction declined, discovers he has $40,000 of someone else's debt."
And about SSNs.. what's the best solution to that one? Legislation, or educating the service providers? It's tricky either way, I agree with you: only a fraction of the power actually rests with the consumer, until they (we?) are actually prepared to refuse services which are granted on the basis of sub-standard authentication. That's easy to say, but when it's *your* utility bill, it's not so straightforward.
However, as you point out, I'm sure Sun can do more to help solve this problem than perpetuate it...

Posted by Robin Wilton on November 28, 2005 at 09:44 AM CST #

I generally agree, but I would rather say:

The power is with consumer<u>s</u>.

Me as an individual cannot do anything significant if I do not like how some business handles my data. I may get angry, stop dealing with the business, write about it in my blog. But that's all. Loss of one consumer is insignificant for a well-established business.

If thousands of consumers would get angry, it may have some impact. But for this to happen, there must be a means for consumers to get angry together. And that brings me to ... reputation?

However I look upon the "identity enabled" businesses, it looks to me more like reputation-based as opposed to government-identity-enforced. I wonder if that can apply to consumer identity as well.

Posted by Radovan Semancik on November 28, 2005 at 08:26 PM CST #

"Beyond this Complaints that the life lock is lose “ID theft protection service” ,Life lock always improve protection quality, improve protection services each and every time, if you getting more knowledge visit this site it is updated and information site I hope you getting good knowledge.

Posted by Samiullah on August 01, 2008 at 12:30 AM CDT #
