RealTime IT News

Tech Needs to Opt-In For ID Protection

Now that we have members of the U.S. Senate shocked and outraged about the need for better data protection in this country, will they pass laws that let consumers actually opt-out of how their personal information is sold to third parties?

There's plenty of fallout to goad them into action after the disclosure from credit-check company ChoicePoint that an ID theft ring gained access to the its vital credit information, putting 145,000 consumers' data at risk for identity theft. Sen. Patrick Leahy of Vermont (D-Vt.) is calling for hearings on private data companies that have little oversight and few rules that protect public privacy.

Sen. Diane Feinstein (D-Calif.) is pointing to the ChoicePoint incident as she looks to expand the California law that requires data collection companies to notify affected individuals if there is a breach in their data system. And Sen. Chuck Schumer (D-N.Y.) is just outraged that, for a simple little fee, anyone can pluck Social Security numbers out of WestLaw's database. He wants the law governing this access to Social Security numbers tightened.

Well, bully for them. How about adding opt-out provisions that give consumers more say in how data is handled by third parties such as ChoicePoint? Better yet, how about requiring the banking industry to beef up its fraud protection measures that keep credit cards out of the hands of identity thieves?

With online banking rates soaring, and the rate of identity theft escalating as well, you would think there would be an incentive to improve data protection. Think again.

If history is any guide to how Congress will act to protect consumer data, don't expect too much. Take a look at the last time Congress acted to protect the use of customer data with opt-out provisions written in the Financial Modernization Act of 1999.

Instead of putting the onus on banks and financial service providers to get permission before selling your financial data and profile, the Graham-Leach Bliley Act puts the onus on consumers to opt-out of the practice.

That means consumers have to wade through the fine print of their credit card agreements, for example, in order to find out how to extract themselves from the providers' plans to sell their data to all kinds of third parties. Even when customers go the extra mile to opt-out, banks and other financial service providers have plenty of ways to profit from your data. The act merely explains all of this to consumers.

Even improvements to the Fair Credit Reporting Act can give one a false sense of security. One free credit report each year isn't going to help detect whether someone is in the process stealing your identity. Checking it often, and being aware of ongoing activity in the report, are key.

"When I hear about the government getting on the case of data providers, I think they need to clean up their own act first," says Avivah Litan, technology and online banking analyst for Gartner. "There are more than 300 million credit records in some of these databases, in a country with just over 200 million adults," she said. Illegal citizens "steal valid Social Security numbers all the time and use them to pay taxes and become citizens. They pay taxes with stolen Social Security numbers and the IRS doesn't care," she says.

"What the government should do is enable consumers to deny permission for companies to buy and sell data about them," Litan adds. But this would effectively slow down the flow of credit in this country. If you were a betting person, would you lay odds that Congress would let such a thing happen?

Truly better data protection would mean a similar approach to data protection as in European countries, where the onus is on banks and holders of sensitive data to get permission before customer data is sold, not the other way around. This kind of action is doubtful in a Congress where the financial services lobby is so powerful.

Second, Congress needs to extend the California law that helped break the ChoicePoint data theft open in the first place, Litan added. The law stipulates that residents be notified of a data breach. On this count, Congress may be goaded into doing more, given the escalating rates of identity theft.

But while Congress goes on with its hearings, you could do worse than to bet on the technology industry stepping up and addressing identity protection problems.

The smarter tech providers are already moving into the market with products that help consumers and businesses protect against fraudulent activity.

Take the so-called Unified Threat Management appliances with security features baked right in. As we reported recently, RSA Security just launched a fixed-function appliance for two-factor authentication. Called SecurID, the appliance authenticates via keychain tokens whose constantly changing numbers, coordinated with the appliance, help Web sites manage secure logins and do away with static passwords.

IDC projected in a report last fall that the UTM market is "being created because it is quickly catching on with customers and vendors. UTM incorporates firewall, intrusion detection and prevention, and antivirus in one high-performance appliance."

Litan reckons that by 2007, up to 75 percent of U.S. banks and up to 70 percent worldwide will be using improved authentication methods beyond the passwords that are so easily abused.

"Vendors are going to have to figure out how to make money solving these problems for us," Litan says. Or at the very least, they need to figure out a way to provide consumers with information about how their information is being used so they can act quickly to prevent or stop it.

The outrage in Congress will make for good political theater. Who knows, members may even toss in a fine or two against companies if they don't act aggressively enough to protect data that can make or break a customers' quality of life.

But for real action on data security, it is up to the technology industry to offer solutions, such as services that alert you about the slightest changes in your credit activity, and who is checking or trying to use your credit. The technology industry exists to solve problems. It has one with the need to improve data security.

Erin Joyce is executive editor of internetnews.com