This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."
To all the people in my Outlook address book, mea culpa.
While upgrading to a new laptop, I lost four years' worth of contacts--names, phone numbers, e-mail addresses, notes. Desperation led to Plaxo. I've had suspicions about Plaxo, but I knew many knowledgeable security people who used the free automated contact management service. If they felt comfortable with it, so could I.
Wrong! I got responses like: "I'm morally opposed to Plaxo." "Plaxo is the devil's work!" And, "Dude, it just makes me nervous." My favorite: "How can I tell you're the real Larry Walsh and not some Michael Moore-loving clone?"
Who can blame them? The service asks for copious amounts of personal information. All I wanted was people's e-mail addresses and phone numbers, but got birthdays, spouse's names and blog sites, too. Suddenly, my Outlook is popping up with reminders of people's birthdays. Worse, every PR agent and publicity hound is trying to send me their v-card.
All this got me thinking about how uncomfortable we are with our identities. We fear ending up on ceaseless spam lists, having our cellphone number exposed to salesmen and our identities pilfered by thieves. Look at the outcry in the wake of the ChoicePoint, LexisNexis and Bank of America breaches. Suddenly, everyone from my Aunt Kathy to Congress is screaming for stricter data protection laws; some states are racing to enact mirrors of California's SB 1386.
Paradoxically, we want
Identities have become the currency of the Information Age. And, there's a risk when using your identity as fluidly as greenbacks.
Prior to the New Deal, bank collapses and robberies must have been as scary as identity theft is today. Imagine waking up one morning and finding your life savings in the hands of Bonnie and Clyde, or that your savings and loan went bust. We don't think about the risk of putting our hard-earned money in banks anymore; they have layers of security to protect our accounts from bandits (at least in the physical world). And, if someone chances the security guards and closed-circuit cameras, there's FDIC to cover our loss up to $100,000.
Instead of a bunch of loophole-riddled SB 1386 clones, we need an FDIC for identities--some form of government-sponsored insurance that helps cover losses and costs incurred to the victims of identity theft. Companies like ChoicePoint suffer untold reputation and business loss because there's little they can do to restore people's identities once they're stolen. Likewise, individuals may not be liable for expenses accrued by fraudulent accounts, but it can take years and thousands of dollars to rectify their credit scores.
A Roosevelt-caliber system to insure identities would go a long way toward closing the residual risk between the security measures companies take to protect identities and the threats they can't anticipate or guard against. Individual identity theft policies and recovery services exist, but we need something as pervasive and solvent as FDIC to act as a safety net for the information-based economy that will allow us to spend our identities as fluidly as cash.
This was first published in March 2005