Rights for Privacy Breach Victims

I received a provocative question on Twitter last week from idExperts, “If you had a wish list of rights for identity theft victims, what would that be?”
Sounds like a great blog topic! 🙂 Here are my thoughts…

“Identity theft” is such an over-used and mis-used term that what it means must first be well defined.
For instance, take the U.S. federal definition:

“The Identity Theft and Assumption Deterrence Act, enacted by Congress in October 1998 (and codified, in part, at 18 U.S.C. §1028) makes identity theft a federal crime.
Under federal criminal law, identity theft takes place when someone “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.”
Under this definition, a name or Social Security number is considered a “means of identification.” So is a credit card number, cellular telephone electronic serial number, or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.
Violations of the federal crime are investigated by federal law enforcement agencies, including the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and the Social Security Administration’s Office of the Inspector General. Federal identity theft cases are prosecuted by the U.S. Department of Justice.
For the purposes of the law, the FCRA defines identity theft to apply to consumers and businesses.”

Not every country, organization, group, agency, individual, etc. uses this same definition.
The definition relies upon knowing or discovering that someone *actually did something bad*. There are likely huge numbers of bad things being done with stolen personally identifiable information (PII) that no one even knows about; at least not yet, if ever.
And, as the recent Identity Theft Resource Center® (ITRC) “Identity Theft: The Aftermath 2008” report demonstrates, there are many bad things that can occur when PII is stolen.
The statistics provided were a bit fuzzy in their descriptions and corresponding percentages, but the numbers are no less compelling:

  • “Criminal only identity theft crimes represented 5%”
  • “Governmental issues, which may involve employment, benefit fraud, tax fraud or someone using a fraudulent driver’s license as an identifier, accounted for 2%.”
  • “Financial and criminal (6%)”
  • “Financial and governmental (9%)”
  • “Combination of all three types (5%)”
  • “Medical Identity Theft: More than 2/3 of those responding to these questions reported that medical providers billed for services received by the imposter. Another 56% were contacted by a collection agency or billing department for those services. One-third of the respondents said there is now another person’s information on their medical records and 11% were denied health or life insurance due to unexplained reasons.”

All these types of PII breaches can happen to individuals in ANY country, not just the U.S. So, there needs to be equal concern for the stolen or lost PII of all individuals, not just those living in specific geographic locations.
I’d like you to consider another related question: what are the rights of individuals whose PII has been compromised, such as lost, stolen, misused, and so on? This is the question being asked when considering compliance for most data protection laws. Wouldn’t it be good to do as much as possible to prevent identity theft (known and unknown) by preventing PII from being stolen, or lost and subsequently compromised?
So, what should be the rights of individuals whose PII was lost, stolen or compromised from a business or organization?
1) Timely notification – covered in current breach notice laws, so I won’t elaborate here.
2) Credit monitoring – many organizations provide this, but not all. And it is not a typical legal requirement. It is usually just for one year, which is not that effective, considering smart criminals (yes, there are many out there!) will often wait much more than a year to use PII. Whether or not credit monitoring is provided is a haphazard, inconsistent issue from breach to breach.
3) Penalties to the organization where the breach originated, being based upon the following factors:

a. Did the organization have a comprehensive risk-based information security program in place, including

i. Documented information security and privacy policies, procedures and responsibilities?
ii. Validated effective and targeted regular training and ongoing awareness communications?
iii. Validated administrative, operational and technical safeguards? E.g., encryption, irreversible destruction of disposed information, etc.
iv. Documented personnel responsibilities for security and privacy?

b. Did the organization consistently enforce their policies?
c. Did the organization perform adequate due diligence activities to ensure their business partners, to whom they entrusted PII access, have strong security and privacy practices in place, along with including detailed security requirements within their contracts?

The more of these listed basic security and privacy factors that the organization does not meet, the more significant the penalty should be, including such things as:

a. Restitution to the individuals whose PII was breached, determined by a judge or intermediary based upon each situation. Plus…
b. 10 – 20 years of required ongoing third party reviews, similar to what the FTC usually includes within their consent decrees. Plus…
c. The organization must subsidize information security and privacy programs for K-12 and undergraduate education for schools in their area. This may sound a bit radical or harsh, but think about it; if a company can help ensure our leaders of tomorrow grow up with an information security and privacy mindset, they will help to dramatically reduce the number of privacy incidents that occur in the future. If organizations cause incidents, then they should help to provide education to make sure their mistakes are not repeated by others in the near future.

History shows, and psychology research confirms, that people must be motivated to do things they otherwise would not do on their own accord. These types of penalties would provide much more motivation for business leaders to implement strong security and privacy programs than current laws and regulations provide.
A blog post is not the place to do this topic justice. I haven’t even touched upon the considerations that must be made for the insider threat. But, I need to get back to doing my work to bring home some bacon!
However, I hope I’ve given some good food for thought about this very important issue of how to make amends to individuals whose PII was lost, stolen and possibly misused through no fault of their own! Individuals should not have to continue paying for the bad security practices of organizations who should have prevented incidents from occurring in the first place.
Let me know your thoughts!
