
Day 1: Experts talk about ID theft

Members of News.com's ID theft roundtable panel open up a discussion with News.com editors and our readers.

Experts' Roundtable: Monday, October 24, 2005


Can business be trusted?


From: CNET News.com
Subject: Why should people trust the industry?
Sun 10/23/2005 3:42 PM

From reading your opening statements, I'm happy to see that we have a variety of opinions about how to approach this issue. So let me start by asking Jim Harper, who takes a dim view of regulation, arguing that "politicians, bureaucrats, and lobbyists don't know how to do security any better than anyone else." Maybe that's true, maybe not. But seems to me that regulation has worked in other industries, such as food and transportation. Why make the historical exception here? Explain why consumers should trust the industry to police itself without being accountable to the public.


From: Jim Harper
Subject: Why should people trust the industry?
Mon 10/24/2005 5:29 AM

Despite the potential differences among us, I think there is at least one principle that is not in dispute: Companies that breach sensitive data should compensate the consumers whom this harms.

The question, then, is what the liability mechanism should be. Most of the public discussion recently has been about administrative regulation, but that is only one of several tools available to us. There are many different legal mechanisms for enforcing this rule.

I have advocated for recognizing in traditional state tort law that holders of sensitive personal data have a duty to protect the subjects of the data. That means they must prevent identity fraud and any other harm that may come from breach of data. If they don't, they must make the consumer whole, usually through the payment of money damages. At least two states have already adopted this principle.

This rule causes companies to internalize the risk they create to others from holding sensitive data. They will do security in the measure that is the best (they know of) for the data they hold and the circumstances in which they hold it.

I'm sure I'll have plenty of time later to show the weaknesses in administrative regulation compared to tort rules and there are some good arguments against tort law based on how it has been administered by courts in recent years. Left to its own devices, though, common law (of which tort is one branch) is self-repairing. Regulation is a fundamentally flawed system that tends to empower politicians, bureaucrats, corporate lobbyists, and the like over consumers.

Anyone disagree with the idea that consumers should be compensated when they are harmed?


From: State Sen. Joe Simitian
Subject: Why should people trust the industry?
Monday, October 24, 2005 11:40 AM

The "trust us" argument isn't terribly compelling. Private sector actors have a duty to maximize return on investment for their shareholders. I understand and respect that.

By the same token, public sector actors have a duty to regulate the private sector (in a thoughtful and artful way) in order to protect the public interest.

The beauty of California's AB 700 is that it doesn't impose technical requirements for data security; it says, instead, that your security protocols are up to you, but if you fail (and put consumers at risk) then you bear the burden of notice.

That being said, I'm open to considering the kind of "consequences"-based system Jim Harper suggests, but feel sure we'll hear quickly from industry opponents citing their concern about "frivolous lawsuits." The irony, of course, is that such a proposal might make conventional regulation look appealing by contrast.

But this "Who bears the consequences?" question is important and powerful--reminiscent of U.S. Sen. William Proxmire's successful effort decades ago to limit consumer liability to $50 for credit card fraud. That certainly gave the financial industry an incentive for self-improvement.


From: Chris Hoofnagle
Subject: What is harm?
Mon 10/24/2005 11:54 AM

Jim Harper's post raises a critical question: What is harm?

The financial institutions have been drawing a line between credit card fraud (when someone uses your credit card number) and new account identity fraud (when new accounts are initiated in your name). The former, in a way, is less severe for consumers. The latter does not happen as frequently, but when it does occur, consumers suffer significant costs.

I think credit card fraud harms consumers in two ways. First, it's not like the executives at the credit card companies are taking pay cuts because of fraud losses. These costs are passed on to consumers, and sometimes on to merchants that have accepted a fraudulent transaction. Second, while consumers are not on the hook financially for credit card fraud, consumers do have to spend time to fix the problem. Time is money.

As for liability mechanisms, there is room for both tort actions and regulatory intervention. I think there needs to be more exploration of tort actions where a business acts negligently and enables identity theft. There are lots of situations where a creditor grants a new account to an impostor without adequately identifying him/her. The problem thus far, as with many other common law approaches, is that there needs to be a legal duty recognized between the credit grantor and victim. The cases have not recognized such a duty.

As for regulatory intervention, there's a lot that can be done. There needs to be heightened oversight over those who can access credit reports (and thus enable identity theft). Right now, the Federal Trade Commission commentary allows businesses to just sign a blanket certification that they will use reports responsibly.

I've proposed that consumers should have the option to "freeze" their credit report, thus erecting a nearly perfect shield against new account fraud. Model freeze legislation exists in New Jersey, where a consumer will eventually be able to thaw the file in 15 minutes, thus allowing the consumer to take advantage of instant credit offers.

Finally, there's also room for technology. The current credit card system is one in which we use the same number, over and over, to charge our account. There is basically no authentication. And we give the number to all sorts of strangers, some of whom store it for "our convenience." The credit card industry should be looking into passwords and other mechanisms for better authentication, but they're loath to do anything that might slow down a transaction.


From: James Van Dyke
Subject: Why should people trust the industry?
Mon 10/24/2005 12:08 PM

I believe that some regulation can be valuable, and in selected cases even invaluable. A good historical example of how the lack of regulation has enabled problems is in the lack of guidance regarding Social Security numbers (SSNs). Is the SSN suitable as an identifier or authentifier?

Lack of policy here causes the de facto answer to default to "both," which in turn has allowed much fraud to happen as Provider "A" uses a consumer's SSN differently than Provider "B." Similar passive government positions have also produced waste and mediocrity, as demonstrated by the U.S. Mint's steady release of new, costly, failed paper and coin currency types which apparently needed the Mint to simultaneously take an equally firm hand in phasing out the old method.

Certainly, we can regulate to excess--my argument is that we can also enable fraud and inefficiency through too little guidance, standards or regulation.


From: James Van Dyke
Subject: Why should people trust the industry?
Mon 10/24/2005 5:00 PM

The data and I agree with many of the points made by Chris ;). I will add in a couple of small points of divergence however.

Financial institutions and other providers do end up absorbing some of the costs of identity fraud. In fact, our ongoing random-sample survey of identity fraud victims shows providers absorbing about 90 percent of the costs, with victims suffering the remaining 10 percent. Now where things get interesting is in where the buck stops among various providers, such as card issuers, associations, and merchants. Banks may be the first to shell out funds to the victim, but they often end up passing these on to the merchant, who will simply raise prices.

This system also produces some strange goings-on for individuals who report fraud, who are probably more likely to find a merchant refusing to accept a card that has been the vehicle for a fraudulent transaction (because a merchant is where the buck stops), while an issuer may tell the consumer to continue charging purchases to the card until more violations occur (because the issuer is the one that will pay for the certain cost of reissuing a card, while many losses will simply be passed on to the merchant).

Regarding financial institutions' financial motivations, I know of several industry executives who are bonused based on fraud losses and other related metrics. Similarly, institutions feel the bottom-line financial impact in other tangible ways, such as processing cost and reputational issues that lead to reduced market share.

Regarding the proposal that consumers be able to freeze their accounts, I support this view. I also support account holders being able to have several other controls on how their funds and identity are used, such as being able to freeze certain types of high-risk transactions (international transfers or purchases, large money transfers, etc.).


From: Jim Harper
Subject: Why should people trust politicians and bureaucrats
Mon 10/24/2005 5:30 PM

I agree that many companies wouldn't like liability and would prefer regulation. That's kind of the point: Politicians and bureaucrats are more easily captured than courts. They can be bent to the will of the corporate world. Judges don't even take meetings with lobbyists.

Look at how well the corporations have done already. The debate is about whether or not they'll have to provide notice.

What about paying cash money to people who are harmed when you've been responsible? Isn't that a little scarier? If that rule were adopted at common law, a company that breached data would trip all over itself to protect the consumer from harm.

Which brings us to Chris Hoofnagle's post, engaging somewhat my proposal to create liability when a consumer has been harmed. It's clear that credit card fraud and identity fraud harm consumers. But that doesn't mean credit issuers should always pay. I wouldn't convert the credit card industry into a general insurer against financial crime, but rather hold them liable only if their own actions are closely responsible for the harm. That doesn't happen very often.

Chris has a laundry list of regulatory proposals that have little to do with data security. We could have a whole discussion on each of them. Needless to say, regulation is as much a cause as a solution to these problems.

The Fair Credit Reporting Act has insulated financial services providers from common law liability for decades. If tort theories of defamation, invasion of privacy, negligent entrustment, negligent enablement of impostor fraud, and so on had been allowed to develop in this area over the last 30+ years, I think common law courts would have ground out fair and workable consumer protections in their slow, methodical way.

The result: a much better system of credit reporting would have developed--one that was more responsive to consumers. Perhaps it would even have engaged consumers in the task of developing a good financial reputation.

I agree with James Van Dyke's point about Social Security numbers, but the problem was creating a uniform national identifier and then forcing its use on the (not unwilling) financial services industry. The chickens are coming home to roost on that ill-considered--actually, unconsidered--policy.

The solution is to have no national identifier at all. The solution is not to have a national identifier that is regulated--especially not when you've got elected officials who see it as their "duty" to regulate in the name of some unbounded "public interest." That's an invitation to all kinds of mischief. Their "trust us" argument isn't terribly compelling.