It's the multiple personality disorder of the internet age — at least that's what a buddy and I called it over a couple beers in a good old-fashioned arcade complete with Asteroids and 1970s-style pinball machines. He was one of the unfortunate former Time Warner employees who received a letter last year after a backup tape with his and other staff's personally identifiable information (PII) was lost.
Indeed, tallying up all the IDs possibly compromised in breaches over the last year can drive anyone to video games and drink. More than 32 million U.S. identities have been exposed by cybercriminals in the past six months alone, according to IT security company Edentify. If such activity remains constant, says a company spokesperson, this could equate to thefts of 78 million IDs by the close of this year. 2006, then, could be the best year yet for thieves to gobble up PII.
Some industry pundits say federal ID theft legislation is superfluous. Yet already numerous states have public disclosure laws that, while similar, still have differences with which private industry must contend. Companies have enough trouble with IT security as it is without navigating a patchwork of ID theft laws, so a federal law that supersedes state requirements makes sense.
Still, a federal law alone won't be the savior. Even understandable guidance, a combo package of carrots and sticks, and substantial investment in resources to actually enforce the mandate won't move some companies to modify current practices.
But customer outrage will. That's capitalism at its best.
With the recent theft of a Veterans Affairs (VA) laptop storing the details of some 26.5 million individuals, the criticality of the situation couldn't get clearer. The breach has prompted a class action lawsuit seeking damages of $1,000 for every person listed in the laptop's files and calling for the VA to implement stronger security mechanisms.
A federal law will help — most well-written legislation does. However, business requirements will also incite organizations to spend money on protective measures.
Companies better get cracking, too. Otherwise, an inescapable avalanche of civil lawsuits launched by irate customers, coupled with an inevitable federal law, could spell 'game over' for less security-conscious organizations.
Illena Armstrong is editor-in-chief.