Opinion: Digital identity protection will require a collaborative effort.Theres a lot of work still to be done in defining the rules of stewardship for digital identities. We agree with the San Francisco Superior Court that it is not the duty of Visa U.S.A. and MasterCard International to warn credit-card customers that their personal information may have been breached by third-party negligence; wed argue, though, that this is the beginning rather than the end of the discussion of who owes what duty to whom. At issue was the compromise of the data of more than 40 million cardholders, with records of about 200,000 cards thought to have been lifted from payment processor CardSystems network. Disclosures are mandated by the California Security Breach Information Act, which requires companies that are based in California or that have customers in California to notify the customers whenever their unencrypted personal information is lost, stolen or breached. Visa and MasterCard maintain that the banks that issue credit cards have the responsibility of customer notification because they have direct relationships with the affected customers. Visa and MasterCard may not have been at fault for the breach at CardSystems, but their reputations nonetheless suffered by association with the incident.
The bigger issue, however, is how to handle identities in the first place. As states begin to follow Californias lead and pass their own acts involving personal-information security breaches, regulators and legislators need to be just as aware of the issue of who holds the title to information as they are of the questions of who holds the title to a car or to a homeand what steps need to be taken to protect consumers when their identities have been breached.