It's beginning to feel like a weekly occurrence: A large company with sensitive employee or customer information—financial records, Social Security numbers—announces that its security has been breached. There's a flurry of headlines and then a little pause. Then there's another announcement by another company.
This week it was CitiGroup's turn. The company said digital tape records carrying customer credit ratings had been lost en route to a credit agency. In this announcement, CitiGroup joins Time Warner, ChoicePoint and Lexis-Nexis in having to acknowledge security breaches or loss of records, although CitiGroup said that, as far as it could tell, no harm had been done to any of its customers.
What's going on here? Why are these incidents in the news all of a sudden?
For that you can blame California politicians. Lawmakers probably didn't intend to launch a drumbeat of bad publicity for credit card and other big companies when they passed a law requiring those companies to notify customers when they learn that their personal information has been released. But that's the effect the law is having.
It's simply too hard to parse out California customers—the state is so large that it would receive most of the notices anyway—so companies are erring on the side of caution and telling everyone when there's a potential problem. And that drumbeat of publicity is, itself, having consequences.
Not to be left out, other states are passing or introducing their own legislation mimicking California's law. And it's fairly clear that Congress will take similar action by the end of this year. So notification will become the law of the land. That, of course, could mean more bad publicity.
Which raises a more important question: What—really—is to be done in the long term? It's hard to tell.
Part of the problem, says Larry Ponemon, a data security and privacy expert, is that Congress and the Federal Trade Commissioners (the FTC is the agency that oversees fraud and other consumer issues) aren't very technically sophisticated. They don't see the range of trouble and they're often dismissive of sophisticated solutions.
“I don't think the regulators understand the complexity of the problem,” said Ponemon, who has been called in to talk to some groups on Capitol Hill. “Their technological acumen is pretty low.”
Well, it's hard to make a group of folks who depend on being recognized by the Capitol Police as they walk around the U.S. Capitol and its surrounding office buildings understand the utility of, for instance, a barcode system of tags that could be read by sensors embedded in doorway thresholds. For the unsophisticated, it just seems too easy to rely on a machine, not a man who smiles and holds the door.
The security systems that are used today—reliance on personal information like birthdays, mother's last name, Social Security numbers—worked well when commerce was based on paper and information was harder to discover and difficult to save in an orderly fashion.
Once information is stored in a database it can be found, replicated, linked to other information and easily shipped around. That, of course, makes it easy for an American shopper to use a credit card in Singapore or for a business traveler to claim frequent flyer miles at the airport check-in, but it also creates easy opportunities for theft. Once a thief knows a little, he knows a lot.
One solution that appears to be gaining some credibility is the idea of a Digital ID. The ID—a number or code—could be replaced if it fell into the wrong hands. Unlike a Social Security number, it's not tied to bank accounts or credit reports. There are problems with this idea, of course. It can't be sloppily managed like, say, the allocation of Social Security numbers has been. If compromised, the system would never work properly. It's got to be tightly managed from the beginning.
Still, the idea of a system which separates identifying features from the accounts that are currently associated with ID—namely Social Security numbers—isn't a bad one. But Digital ID does sound a little too controlling for some. It's a bit too close to the creation of a national ID card—in fact, it's probably a first step—and that is a concept that will meet with strong opposition from a number of quarters in and outside the tech community.
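As an added illustration of the separation the column describes (not a design from the column or from any company it names), here is a hypothetical registry in which the public Digital ID is a random, replaceable token and accounts bind only to an internal key, so a leaked ID can be retired without touching the accounts:

```python
import secrets

class DigitalIdRegistry:
    """Hypothetical revocable Digital ID registry (added illustration).
    Accounts bind to an internal key that never leaves the registry, so a
    leaked public token is replaced without re-keying any account."""

    def __init__(self):
        self._subject_of = {}  # public token -> internal key
        self._accounts = {}    # internal key -> account ids
        self._revoked = set()  # tokens reported compromised

    @staticmethod
    def _new_token():
        # Unguessable, unlike a sequentially allocated Social Security number
        return "DID-" + secrets.token_urlsafe(24)

    def enroll(self):
        key, token = secrets.token_hex(16), self._new_token()
        self._subject_of[token] = key
        self._accounts[key] = []
        return token

    def _key(self, token):
        if token in self._revoked or token not in self._subject_of:
            raise PermissionError("unknown or revoked Digital ID")
        return self._subject_of[token]

    def link_account(self, token, account_id):
        self._accounts[self._key(token)].append(account_id)

    def accounts_for(self, token):
        return list(self._accounts[self._key(token)])

    def rotate(self, token):
        # Compromise response: retire the leaked token; links survive via the key.
        key = self._key(token)
        del self._subject_of[token]
        self._revoked.add(token)
        new_token = self._new_token()
        self._subject_of[new_token] = key
        return new_token

def demo():
    # Constructed scenario: enroll, link an account, rotate after a leak.
    reg = DigitalIdRegistry()
    old = reg.enroll()
    reg.link_account(old, "checking-0001")
    new = reg.rotate(old)
    return reg.accounts_for(new), old != new
```

The point the column makes about tight management shows up in the code: the registry itself is the single place that must be protected, since whoever controls the token-to-key mapping controls every linked account.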
Certainly, frustration is building, and the regular announcements about data security breaches aren't going to ease anyone's fears. Instead, they may well increase people's worries. Consumers, frustrated by seeing their personal information released again and again into the wrong hands, and especially business and other frequent travelers frustrated by airport and immigration delays and a growing sense that online security is far too fragile, may well force some sort of universal solution.
It won't be immediate—it's maybe four or five years away—but it's coming.