The following text is copyright 2003 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
I don't want you to be me
By Scott Bradner
I do not want you to be me, but that seems to be happening more and more. Last year the US Federal Trade Commission received almost 162 thousand complaints concerning identity theft, up from 117 thousand in 2001, and there is no indication that the problem is getting any better this year. It is not possible to figure out where the identity thieves got the information they needed to mimic other people, but clearly a major reason for the dramatic increase in the threat stems from the all too easy availability of personal information on computer systems connected to the Internet. But, unless you live in California, you may never know if someone who should not do so gets access to some of this data.
As of July 1st, the new California Database Security Breach Act requires that an operator of a computer must notify anyone whose unencrypted personal information has been exposed by some type of security breach, but only if that person lives in California. California Senator Dianne Feinstein has introduced a bill to establish a US Federal law to extend the requirement nationally. There are a few differences between the California law and the Feinstein proposal, including not letting individuals sue companies for a failure to notify the individual of a security breach, but the basic idea is the same -- warn someone whose data has been compromised to keep an eye open for signs that someone is exploiting the information.
There was a lot of press coverage around July 1st of the new California law and of Feinstein's proposal but far too much of it, including a cover story in this paper, focused on companies whining that it will be hard or embarrassing to comply with the idea that they should care enough about the people whose data they use and abuse to let those people know if someone else may be about to make their lives a nightmare.
The companies that actually care about the wellbeing of their customers have been doing the right thing for years. It's only the companies who value a reputation built on lies that have not been letting their customers know about security failures. It is unfathomable to me why a company, as reported in the NWW cover story, would consider, even for a second, obeying the California law only for California residents. It is not the legal risk that they might miss a customer who moved to California that makes this narrow approach unfathomable, or the fact that there may soon be a national law, it is the immorality of not notifying their other customers. But I guess that morality is not a prerequisite for lawyers for some corporations.
Some corporations complain that notifications will give a false impression of the security of particular corporations and might cause customers to move to companies with better security records. They are both wrong and right: disclosure will give a true picture that a company is too stupid to keep customer data well protected and encrypted, and the market will punish those companies. Both are good things.
disclaimer: Harvard's relationship to the concepts of "stupid" and "good thing" is in the mind of the beholder, but the above observation is my own.