The only way to control today's identity theft epidemic is for consumers, Congress and corporate America to team up.
Jim Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C., today told a panel of security experts from eBay, eTrade, RSA Security, Forrester Research and BITS that protecting data is a shared responsibility. "Consumers have to become more perceptive about risks, but companies that use and hold data have a greater responsibility to put procedures and safeguards in place," he said. "Government's responsibility is to make sure this happens and to prosecute the criminals."
The panel, held Friday morning in the nation's capital, addressed the recent rash of data thefts from Bank of America, LexisNexis and ChoicePoint that has left consumers scratching their heads about who is supposed to protect their confidential information.
Those in the security industry have long debated the question of responsibility, and it now appears that consumers may play only a limited role in data protection. Bruce Schneier recently said that consumers can't be expected to keep their passwords secure or their computers virus-free, and so can't be part of the solution.
That didn't sit well with Lewis. "How about a traffic system where we remove white lines, stop signs, stop signals and speed
What's the next step?
Lewis believes that better policies and better technology for credentials, such as hardware tokens and biometrics, may help.
Another panelist believes the entire identity management system needs to be overhauled.
"I see legislation as a last resort, but if it came to that, the way we handle identity management is outdated and does not reflect how we store, use and disseminate identity information in the IT world," said Howard Schmidt, a former White House cybersecurity adviser. "No one has a good answer for why we collect all this data. We need to question all of this as a society and look at identity management in a completely different way."
Do we need federal regulation?
Despite the desire by many in the industry to self-regulate, self-regulation may not be effective.
"Clearly there should be some sort of regulation. And we don't need individual states creating different laws that apply to all companies," said Art Coviello, president and CEO of RSA Security in Bedford, Mass., during the panel. "We don't want to end up with a patchwork quilt -- if we're going to regulate, we need to do it right."
According to Coviello, that means a group effort by government, business, IT vendors and consumers to assess what should be regulated and how.
He'd like to see requirements to safeguard stored data similar to those found in HIPAA or the Gramm-Leach-Bliley Act. "Companies don't like notification, but that dislike will help motivate them to put better processes and safeguards in place," Coviello said. "Safeguard requirements should be kept at a general level, though -- it's always bad when legislation gets too prescriptive."