
Readers: Ask the experts about ID theft

Members of News.com's ID theft roundtable panel open up a discussion with News.com editors and our readers.

Readers: Ask the experts

The members of News.com's Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.


Friday: Driver's licenses and next steps


From: Jim Harper
Subject: California's attempt to reduce ID fraud: any statistics?
Thu, 27 Oct 2005 14:40:31

The urge to try to pick the right security practices is natural, especially among smart, interested people. But we are talking here about writing general rules that will be applied over the indefinite future. Is it possible to write a rule now about when encryption should be used in all the future contexts that may arise? What about the quality of encryption that must be used? I think the consensus is that it's impossible.

Better to write a rule at a higher level of abstraction, one that focuses on what we really want: consumer protection. The imposition of proportional liability for harming a consumer through data breach puts the encryption decision with the party closest to the problem--the data holder--and puts the risk with the data holder for getting it wrong.

Apropos of Sen. Simitian's comment, I would also argue for placing liability on public sector actors--including government officials in their personal capacities--to get the incentives right. Otherwise, an agency may breach and pay out taxpayer dollars in compensation, but that means little to the people in the agency making decisions.

Sen. Simitian cites his A.B. 1219 as a response to criminal identity fraud. I would be curious to know how many times it has been used since it was enacted three years ago. Senator, did you hit your target?

Also, I'm still curious to know whether A.B. 700 has reduced identity fraud in California. Senator, any statistics?


From: James Van Dyke
Subject: Self-regulation by industry groups
Thu, 27 Oct 2005 14:52:00

In the debate on the need for and design of regulation, we must consider the existence and efficacy of what is effectively self-regulation. Effective regulation need not be solely the product of government entities. Financial industry bodies such as Visa, BITS, and NACHA act to create, implement and occasionally even strongly enforce standards of behavior on the part of their members with regard to the handling of customer financial records.

For example, CardSystems, a processor of payment card transactions for merchants, disclosed that millions of consumer records were exposed, and subsequently were met with plans for network excommunication by Visa and American Express (which will likely be their death knell). Regulation makes the most sense when individual self-interest is not in line with the greater good. However, in a well-organized industry such as financial services, government entities need not be the sole source of regulation.


From: Orson Swindle
Subject: Re: Self-regulation by industry groups
Thu, 27 Oct 2005 14:55:41

Amen!


From: CNET News.com
Subject: Driver's license data and legal fix recommendations
Fri, 28 Oct 2005 07:30:57

One of our readers, Amy Smith, posed this question to the panel:

My question to the panel is what gives a state government agency like the DMV the right to sell my data? I just went to renew my driver's license and nowhere on the form did I see a disclosure that my data might be sold for commercial purposes nor am I given the right to "opt out" if they choose to do so? Is this legal, and if not, what are the implications to agencies and data acquirers?
Any thoughts on how the federal "Driver Privacy Protection Act" has worked in practice?

Also, since it's our last day for this roundtable, I wanted to thank you again for participating and ask you what the most important legal fix would be to help reduce the likelihood of identity theft. Is it security breach notification laws, regulations of so-called data brokers, etc.?


From: Chris Hoofnagle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 08:08:26

Amy Smith asks, "what gives a state government agency like the DMV the right to sell my data?"

The federal Drivers Privacy Protection Act has prohibited this practice since 1998, unless the individual opts in to the sale. At least one state (Florida) didn't implement the law until this year. So that might explain it.

The question reveals an attitude that speaks to individuals' anger about privacy. "What gives them the right," is something I hear pretty frequently. The answer is that they can collect your data and use it for almost any purpose unless there is privacy legislation protecting both the data and the context in which it is collected.

There is a pretty strong correlation between invasive practices and self-regulation. And while legislation isn't always perfect, it is privacy law that shields your television records from being collected (Cable Communications Policy Act), your video rental records from being sold (VPPA), and your cell and wireline phones from ringing. If you look at the fields where self-regulation controls, you'll find that your data is being sold to anyone, even criminals, for almost any purpose.

In practice, DPPA has been mediocre. While it did cut off driver's information for commercial purposes, there are 14 exemptions to the law. It is underinclusive in that it only protects your driver record, and so marketing companies now try to get your data from your driver's license (ever had your license "swiped"?). Even if a bar/car rental company says that they are swiping your card for security purposes, in most states, they can keep all of the data captured from it and use it for whatever purpose they see fit.

EPIC has done quite a bit of work on the DPPA, and we recently filed an amicus brief in an 11th Circuit case where we successfully argued that default or "liquidated" damages are available under the law.

As for the most important legal fix for identity theft? I'm for credit freeze. If individuals had more control over their credit reports, it would be less likely that identity thieves, pets and toddlers would be issued credit cards.

Have a nice weekend!


From: Orson Swindle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 9:00:36

Amy Smith's dismay is shared by many, I suspect. The U.S. Code is pretty clear, yet I am sure there are those who see loopholes through which they can continue this practice. Does anyone have an idea as to the magnitude of this practice in revenue terms as a state government "profit center"? For those who believe government should intrude big time and is best suited to solve the identity theft problem with new laws and regs, might this driver's license data situation (where a government entity is allegedly not following the law) be a lesson about the ability of the government to get it right?

As to News.com's last question, a couple of comments:

The Safeguards Rule has essentially been expanded beyond its original scope by the BJs Wholesale Club case. There is a new universe of data users who are not familiar with compliance requirements envisioned in the Safeguards Rule. Congress will likely move on this, but slowly, then there are rules to write. The Center for Information Policy Leadership will provide some rational thoughts to mapping out what needs to be done to cope with Safeguards Rule requirements, expanding existing Rules, and meeting responsibilities for protecting sensitive information.

Second, law enforcement, such as the FTC, needs and has requested more flexibility in cross-border fraud investigative work that will require the ability to share information across borders with law enforcement agencies. Current restrictions often stand as impediments in tracking down the culprits when they are offshore.

There must be greater attention given by CEOs and Corporate/Organization Boards to information security and privacy obligations. These functions need to move from obscurity to the boardroom in significance. The concerns are not going away. Those who invest in better information security practices (in terms of resources and attitude) will gain competitive advantage and those who fail or refuse to do so will suffer much harm as they allow their customers, clients and consumers to be harmed.

General public awareness must be enhanced--constantly. Think of the process of making users of information technology more aware of their responsibilities and vulnerabilities as a journey, not a destination. We must keep this dialogue going, inform the lawmakers, increase private sector leadership, and make sure the public understands how important safe computing practices are for our future.

I look forward to working with you all in my capacity as Chairman of Information Security Projects at the Center and from my new relationship with The Progress & Freedom Foundation.


From: Joe Simitian
Subject: A defense of California's data-security laws
Fri, 28 Oct 2005 13:58:39

Lots of ground to cover today.

Jim Harper asks about the level of use of AB 1219 in California to help mitigate the impact of criminal identity theft. Honest answer is: I don't know. After three years on the books, this would be a good time to assess whether the statute has been put to good use.

As to the effectiveness of AB 700/SB 1386--we'll never know for sure what steps informed consumers have taken, or with what effect, in the aftermath of a data security breach. Perhaps more importantly, we do know that in response to AB 700/SB 1386, the private sector has taken steps to improve security and avoid the problem altogether.

Prior to the July 1, 2003 implementation of AB 700 I met in Los Angeles with 200 data security breach experts from around the country at a conference organized, in part, by the U.S. Secret Service. They were ramping up new protections to help their clients avoid a breach and subsequent notice requirement. I later heard quite a bit about folks along the Route 128 corridor around Boston (where there is apparently significant expertise in this area) ramping up their efforts.

So, we'll never know what breaches were avoided; but we do know security was improved in direct response to the legislation.

As to the provocative question of the day (i.e., what's the single most important step we could take?), I'd like to suggest we think big on this.

We need a fundamental change in our thinking about who our personal information belongs to. Does it "belong" to anyone who happens to have it? Or does it belong to each of us individually? If we took the view that our personal information is our own, and that each of us is entitled to control the manner in and extent to which it is used, the privacy world would look quite different.
