Tech Needs to Opt-In For ID Protection

Now that we have members of the U.S. Senate shocked and outraged about the need for better data protection in this country, will they pass laws that let consumers actually opt out of how their personal information is sold to third parties?

There’s plenty of fallout to goad them into action after the disclosure from credit-check company ChoicePoint that an ID theft ring gained access to its vital credit information, putting 145,000 consumers’ data at risk for identity theft. Sen. Patrick Leahy of Vermont (D-Vt.) is calling for hearings on private data companies that have little oversight and few rules that protect public privacy.

Sen. Dianne Feinstein (D-Calif.) is pointing to the ChoicePoint incident as she looks to expand the California law that requires data collection companies to notify affected individuals if there is a breach in their data system. And Sen. Chuck Schumer (D-N.Y.) is just outraged that, for a simple little fee, anyone can pluck Social Security numbers out of WestLaw’s database. He wants the law governing this access to Social Security numbers tightened.

Well, bully for them. How about adding opt-out provisions that give consumers more say in how data is handled by third parties such as ChoicePoint? Better yet, how about requiring the banking industry to beef up its fraud protection measures that keep credit cards out of the hands of identity thieves?

With online banking rates soaring, and the rate of identity theft escalating as well, you would think there would be an incentive to improve data protection. Think again.

If history is any guide to how Congress will act to protect consumer data, don’t expect too much. Take a look at the last time Congress acted to protect the use of customer data with opt-out provisions written in the Financial Modernization Act of 1999.

Instead of putting the onus on banks and financial service providers to get permission before selling your financial data and profile, the Gramm-Leach-Bliley Act puts the onus on consumers to opt out of the practice.

That means consumers have to wade through the fine print of their credit card agreements, for example, in order to find out how to extract themselves from the providers’ plans to sell their data to all kinds of third parties. Even when customers go the extra mile to opt out, banks and other financial service providers have plenty of ways to profit from your data. The act merely explains all of this to consumers.

Even improvements to the Fair Credit Reporting Act can give one a false sense of security. One free credit report each year isn’t going to help detect whether someone is in the process of stealing your identity. Checking it often, and being aware of ongoing activity in the report, are key.

“When I hear about the government getting on the case of data providers, I think they need to clean up their own act first,” says Avivah Litan, technology and online banking analyst for Gartner. “There are more than 300 million credit records in some of these databases, in a country with just over 200 million adults,” she said. Illegal citizens “steal valid Social Security numbers all the time and use them to pay taxes and become citizens. They pay taxes with stolen Social Security numbers and the IRS doesn’t care,” she says.

“What the government should do is enable consumers to deny permission for companies to buy and sell data about them,” Litan adds. But this would effectively slow down the flow of credit in this country. If you were a betting person, would you lay odds that Congress would let such a thing happen?

Truly better data protection would mean an approach similar to that of European countries, where the onus is on banks and holders of sensitive data to get permission before customer data is sold, not the other way around. This kind of action is doubtful in a Congress where the financial services lobby is so powerful.

Second, Congress needs to extend the California law that helped break the
ChoicePoint data theft open in the first place, Litan added. The law stipulates that
residents be notified of a data breach. On this count, Congress may be goaded into doing more, given the
escalating rates of identity theft.

But while Congress goes on with its hearings, you could do worse than to bet on the technology industry
stepping up and addressing identity protection problems.

The smarter tech providers are already moving into the market with products that help consumers and businesses protect against fraudulent activity.

Take the so-called Unified Threat Management appliances with security features baked right in. As we reported recently, RSA Security just launched a fixed-function appliance for two-factor authentication. Called SecurID, the appliance authenticates via keychain tokens whose constantly changing numbers, coordinated with the appliance, help Web sites manage secure logins and do away with static passwords.

IDC projected in a report last fall that the UTM market is “being created because it is quickly catching on with customers and vendors. UTM incorporates firewall, intrusion detection and prevention, and antivirus in one high-performance appliance.”

Litan reckons that by 2007, up to 75 percent of U.S. banks and up to 70 percent worldwide will be using improved authentication methods beyond the passwords that are so easily abused.

“Vendors are going to have to figure out how to make money solving these problems for us,” Litan says. Or at the very least, they need to figure out a way to provide consumers with information about how their information is being used so they can act quickly to prevent or stop it.

The outrage in Congress will make for good political theater. Who knows, members may even toss in a fine or two against companies if they don’t act aggressively enough to protect data that can make or break a customer’s quality of life.

But for real action on data security, it is up to the technology industry to offer solutions, such as services that alert you about the slightest changes in your credit activity, and who is checking or trying to use your credit. The technology industry exists to solve problems. It has one with the need to improve data security.


Erin Joyce is executive editor of internetnews.com
