Fear and Loathing in the Database
It's scary enough to hear reports about 380,000 people's confidential information being compromised at the University of California--San Diego last year, or ChoicePoint Software getting scammed into coughing up data on 145,000 consumers. Consider that the information can be used to open your company up to direct attack, and that you may be liable to customers whose data you expose, and you can see why data security personnel might break into a cold sweat.
Identity theft cost consumers and businesses $53 billion in 2003, the last year for which the Federal Trade Commission has complete data. About 10 million people that year discovered there had been unauthorized access to their bank accounts or credit cards, or that a stranger had acquired an official document in their name. Beyond those immediate costs, a piece of California legislation labeled SB 1386 requires a company whose security is breached to directly contact (by email or post) every person exposed to potential identity theft as soon as possible, unless the cost would exceed $250,000 or require notification of more than 500,000 people. Notification is still required under those exceptions, but may include posting the notice on the agency's Web site or a general release to statewide media. The financial cost and loss of confidence could be fatal to a victim company. A number of other states are considering similar laws, and a handful of bills that would require disclosure of potential identity theft are before the House and Senate.
Phishing is the most visible threat, but it isn't the main one, according to Jonathan Penn, principal analyst for identity and security for Forrester Research. "Spyware and trojans are the big thing," Penn says, "and they also relate back to phishing." Postcarding is a technique in which users receive an Internet greeting card with a link that takes them to a site that downloads spyware to their system. "Once the ID is compromised it becomes much more valuable to a criminal as an access point than it would be in terms of the assets he could take."
The Identity Theft Assistance Center (ITAC), a program proposed by the Financial Services Roundtable to be managed by member Wells Fargo, will make it easier for consumers to alert their creditors to security breaches by providing a single point of contact and uniform complaint systems to quickly shut down access to exposed accounts. Data gathered by Wells Fargo in this process will, with the consumer's permission, be reported to the appropriate law enforcement agencies and analyzed for patterns to help crack cases and better understand how widespread ID theft really is. The pilot program began in May 2004.