I think most people would agree that 2005 has not been, so far, a good year for information security. Indeed, when...
you add up the total number of personal data records reported as compromised in the first six months you get a figure that some people justly consider alarming: 66 million. But I suggest that this number, and the phenomenon it represents, goes way beyond alarming, way out into previously uncharted territory. In fact, I respectfully suggest that we don't yet have the vocabulary needed to describe what is happening to personal data today, let alone understand all of the implications.
In an effort to remedy this situation I propose a new word for that vocabulary: dataflation. But before I offer my definition of dataflation, let me provide some context for that 66 million. In the most recent U.S. census the number of Americans aged 18 or older was 210 million. If you factor in the numerous compromises of personal data records that occurred in 2004, it is entirely possible that data relating to one in three American adults is now "out there," available to be abused.
This personally identifiable data or PII -- things like name, address, date of birth, Social Security number, mother's maiden name, employer, account numbers, user names and passwords -- is the raw material of identity theft, fraud and other forms of information abuse. Some is data we cannot change. Some is data that can be changed, but often at considerable cost, to ourselves and the fabric of our society and our economy. Hence the term, dataflation: the destabilizing tendency of data to lose value due to factors such as large-scale unauthorized access, excessive abuse and loss of confidentiality.
For some time now a sort of informal "infoseconomics" has been emerging in the world of corporate IT, based on notions such as the supply of, and demand for, data that are unique to an entity or individual. We already know that spending to protect PII reduces profits, while exposure of PII can reduce revenue and create costs. What we have not yet figured out how to handle is dataflation, the decline in the relative value of PII as security breaches place more and more of it "in circulation."
Negligence, incompetence, and malfeasance by institutions and individuals charged with protecting the confidentiality of personal data is currently creating a flood of recycled identifiers, new passwords, new account numbers, each as easily compromised as the last. The search for truly fresh identifiers is already underway, with some people pointing to biometrics as a potentially rich vein of unique identifiers. However, unless we do a far, far better job of protecting biometric data than we have of protecting our other personal data, I see nothing to prevent biometric data from succumbing to dataflation.
What does all this mean? To be honest, I don't know. I do know that trust is vital to commerce and lack of trust is an impediment to widespread prosperity. Countries whose citizens trust the people and companies with whom they do business grow faster than those where mistrust abounds. And trust depends upon knowing, or at least correctly identifying, those with whom you are dealing. Identity is based on personal data and the relative value of much of America's is falling. In the long term it may be possible to reverse this trend, to do a better job of protecting people's data. But in the short term, this year's announcements of massive personal data exposures may actually help the people who failed to prevent the exposures.
For example, suppose Jane becomes a victim of identify theft shortly after a tape containing details of her account at Huge Bank goes missing. Jane sues Huge Bank for negligence. Huge Bank's defense? "How can you be sure the theft of your identity is attributable to our loss of data tapes?" it might ask. "Could it not have come about through of one of the many other security lapses that have occurred recently, or those that are very likely continuing to occur anywhere that personal data with a well-established black market value is handled in conditions which provide inadequate protection against its theft and abuse."
To stand a chance in court, Jane needs a confession from the identity thief to the effect that, "Yes, I got her data from a Huge Bank computer tape that I stole from the back of a delivery truck." Given the small percentage of identity thieves that get caught, and the even smaller number who give up where they got the data they abuse, Jane is hardly likely to get that confession. And Huge Bank is unlikely to be held accountable.
If e-commerce is going continue to contribute to the growth of our economy, then it will require more and more personal data, more user names, more passwords, more secret questions and answers, more unique identifiers. But unless we drastically reduce the current rate of data exposure, we will see electronic trust--the basis of e-commerce--rapidly decline as dataflation takes its toll. In the next few years the effects of dataflation --the stalling or reversal of the rate of uptake of e-commerce, the costs to companies, the customers lost, the fraudulent charges written off--could easily hurt the economy more than traditional monetary inflation.
Stephen Cobb is a 25-year veteran of computer audit and security who helped start several successful security companies and is the author of numerous books, including Privacy for Business (Dreva Hill, 2002).