'08 Tech Policy Outlook: Identity Theft and Data Security

Our next post in this series on Technology Policy in 2008 focuses on two connected issues – Identity Theft and Data Security. Data breaches continue, as a recent theft of a hard drive at Georgetown University demonstrates. According to PrivacyRights.org, since January 2005 there have been over 218 million records exposed. To date a corresponding increase in identity theft has not happened. How long data hosts will continue to dodge this bullet is unclear.

Identity theft and data security are important issues for any large database, or any document that relies on large databases. As the Department of Homeland Security attempts to roll out REAL ID, it will claim such a gold standard identity document will reduce identity theft. As indicated in our comments on REAL ID, and the post we did on this subject two weeks ago, we disagree. REAL ID, besides lacking sufficient security, stands to shift identity theft from credit-related information to driver's license/identification card information. The benefits of having a compromised ‘reliable’ identity document are significant.

There will be other items addressed this year that involve data security and identity theft issues. If the E-Verify (formerly Basic Pilot) program is expanded, making employment eligibility verification both mandatory and electronic for all employers, a large insecure system will be created and abused. These concerns, particularly about scaling small databases into larger ones, were addressed in Congressional testimony we submitted in June of 2007.

While national privacy legislation (which may or may not include provisions on identity theft) has been frequently introduced and approved by the House Energy and Commerce Committee over the last few years, it has yet to be considered by the full House. Comparable Senate legislation has also suffered a lack of attention. Legislation on data breaches has attracted about as much consideration. While the VA data breaches in 2006 led to significant Congressional action for that agency, it seems unlikely that privacy or security legislation will attract enough motivated interest to see a bill passed in 2008. Given the jurisdictional conflicts with these issues – where more than one committee in each house of Congress would be involved in a truly comprehensive bill – it appears that more focused legislation stands a better chance of passage. That is not a guarantee that more focused privacy or security legislation will pass this year, but an assessment that something focused on, for example, health privacy, will make it further along in the legislative process than a broader bill.

The sticking points on data security legislation often revolve around notice requirements – at what point would companies or other data repositories be obligated to notify people that their records were exposed. In other words, at what level does the risk of harm to the consumers outweigh the expense and effort of notification? While this would appear to be a silly question – of course you should notify people when their records are exposed – the limited impact of the data breaches to date suggests it may be overkill to offer credit services and additional assistance for everybody exposed every time it happens. However, this perspective is a bit on its head. These expenses, on a regular basis, ought to be sufficient motivation for data repositories to improve their security. That they aren’t suggests a market failure where computer security is concerned. I am afraid that it will take a serious breach, with identity theft consequences, to really change behavior. At that point trust in computer systems will be harmed, and it was avoidable.

As suggested before, the real action on identity theft and data security will be in legislative and other government activity in other areas. As health information technology legislation, further action on REAL ID, efforts to expand electronic employment eligibility, and the increased use of computer databases continue this year, data security and identity theft will be (or at least should be) part of these discussions. We’ll keep you posted as they emerge.