Fear and Loathing in the Database

It's scary enough to hear reports about 380,000 people's confidential information being compromised at the University of California--San Diego last year, or ChoicePoint Software getting scammed into coughing up data on 145,000 consumers. Consider that the information can be used to open your company up to direct attack, and that you may be liable to customers whose data you expose, and you can see why data security personnel might break into a cold sweat. Identity theft cost consumers and businesses $53 billion in 2003, the last year for which the Federal Trade Commission has complete data. About 10 million people that year discovered there had been unauthorized access to their bank accounts or credit cards, or that a stranger had acquired an official document in their name. Beyond those immediate costs, a piece of California legislation labeled SB 1386 includes a requirement that a company whose security is breached must directly contact (by email or post) every person exposed to potential identity theft as soon as possible, unless the cost would exceed $250,000 or require notification of more than 500,000 people. Notification is still required under those exceptions, but may include posting the notice on the agency's Web site or a general release to statewide media. The financial cost and loss of confidence could be fatal to a victim company. A number of other states are considering similar laws, and a handful of bills that would require disclosure of potential identity theft is before the House and Senate. Phishing is the most visible threat, but it isn't the main one, according to Jonathan Penn, principal analyst for identity and security for Forrester Research. "Spyware and trojans are the big thing," Penn says, "and they also relate back to phishing." Postcarding is a technique where users receive an Internet greeting card with a link that takes them to a site that downloads spyware to the system. "Once the ID is compromised it becomes much more valuable to a criminal as an access point than it would be in terms of the assets he could take." It's incumbent upon companies to provide not only protection, but also reassurance. "When identity theft happens, institutions should first provide damage control," Penn says. "But then they must reassure customers. If they don't already use them, this is when companies can suggest monitoring services, credit reports, and other preventive measures." The industry's reaction to data security threats has been entrepreneurial, as well, for example, credit card companies' handling of identity theft and fraud. Kimberly A. Forde, director of public affairs for American Express, says, "Our privacy policy oversees how data can be used, and we have high standards that we require of all business partners. We also work with our business partners to educate them about threats and maximizing the protection of data." American Express charges cardholders a small fee for its Credit Secure service, and has been marketing its Blue card partly on the security benefits of the card's smart chip. The Identity Theft Assistance Center (ITAC), a program proposed by the Financial Services Roundtable to be managed by member Wells Fargo, will make it easier for consumers to alert their creditors to security breaches by providing a single point of contact and uniform complaint systems to quickly shut down access to exposed accounts. Data gathered by Wells Fargo in this process will, with the consumer's permission, be reported to the appropriate law enforcement agencies and analyzed for patterns to help crack cases and better understand how widespread ID theft really is. The pilot program began in May 2004.