Dave Kearns'still has a'bee in his bonnet about'my use of the phrase "Identity Theft".' He takes Sun's Sara Gates and me to task in a surrealistic'portrait of'us as'dopplegangers mezmerized by opinion polls.'''
If I understand'him right,'he is arguing'that'"identity theft" sensationalizes something banal and inevitable.' We should'drop'the phrase'and talk in terms of'property theft.' Property theft being as old as the hills, why should theft of information stored on computers surprise anyone?''Dave seems to think that'attempting'to'eliminate theft'of any kind'is about as likely to succeed'as'attempts to eliminate sex, drugs or rock and roll.' So why waste effort?
Similarly, he wants us to'return to the notion of good old fashioned'fraud, perhaps not as'venerable as pure property theft, but still an activity with a long past and clearly unrelated to what we, as technologists, might do or not do:
"Only once we're past the discussion of property theft mis-named as identity theft can we get to the real problem - identity fraud and how to combat it. But identity fraud happens one instance at a time, so it isn't as sexy for the budding Pulitzer Prize winner to write about."
As usual with Dave Kearns, there is an undeniable truth to what he says.' We have to admit that it is not actually "an identity" which is stolen in a data breach, but rather identity information which might potentially be used for phraud.' But so what?' The words don't matter as much as the underlying phenomena.
Apparently to underline his point Dave links to a press release from'ID Analytics, Inc.' When I went to their site I found this:
"The findings detailed in the cornerstone 'National Data Breach Analysis' indicate that different data breaches pose different degrees of risk. In fact, certain types of data breaches may not present a high degree of risk to your customers.
Wow!' That's a relief.' But wait.' Bad news:
"If your organization has suffered a data breach, the implications are serious:
- Erosion of customer trust
- Undesirable publicity
- Legal/regulatory liability
- Added financial obligations or responsibility
Ah.' But maybe good news:
"Realities of a Data Breach
"After conducting the first-ever post-breach data analysis into a series of separate data breaches, ID Analytics is in an unprecedented position to help organizations truly asses the degree of risk associated with a breach they have experienced. While data breaches can be the first and most serious issue facing an organization, the findings detailed in the cornerstone "National Data Breach Analysis" indicate that different data breaches pose different degrees of risk. In fact, certain types of data breaches may not present a high degree of risk to your customers.
Scientists can help me!
"ID Analytics Services
"ID Analytics Breach Analysis Services involve a series of rigorous analytical assessments made possible only through the use of ID Analytics' patented Graph Theoretic Anomaly Detection (GTAD®) technology and the membership-based ID Network™.
- Isolate Data Breach.'' Following an initial confidential briefing, ID Analytics fraud experts will help determine which customer identities must be analyzed for risk of identity theft.
- Identity Risk Assessment. ID Analytics' scientists, leveraging the power of the ID Network, will employ GTAD technology to determine if the isolated customer data set has been misused in an organized fashion. Organized misuse is a reliable indication of the potential for ongoing identity theft. If no organized misuse is detected, ID Analytics will deliver documented certification that the customer data set, as of that date, shows no indications of being misused in a suspicious or fraudulent manner.
- Victim Action List. If organized misuse is detected, ID Analytics will produce a list of impacted identities, allowing the breached organization to deliver victim assistance directly to those that need it.
- Ongoing Monitoring. ID Analytics will continually monitor the entire breached customer data set to detect any further misuse of sensitive identity information, both for previous and new victims.
- Receive reliable indication of whether or not breached data is being used to perpetrate identity fraud or identity theft.
- Determine the risk of harm associated with a data breach and devise risk-adjusted actions.
- Deliver effective and specific communications to impacted customers regarding anticipated harm and remedies pursued.
- Ensure a conclusion to the breach episode through ongoing protection and certification.
"Data breaches are an unfortunate reality in the information age. Even organizations that have invested enormous sums in security are not immune to the threat.
"ID Analytics can discretely assist organizations in understanding the true impact of a data breach to its customers, which can lead to informed and appropriate decisions about how to manage the aftermath."
Sorry -'I forget why the existence of a company paying "scientists" to discreetly "ensure a conclusion to breach episodes"'really proves'Dave's point that all we are dealing with here is a glitch on the PR machine.
I'think'our systems are being attacked more methodically, from more directions, more often and by a more professional'enemy than has ever been the case, and I think these attacks will, if nothing else changes, get progressively worse over the next couple of decades.' This leads me to think it's time to ring the alarm bells and act.''Who cares if we say "identity theft" or "identity information theft", as long as the alarm bells sound?'
Whatever we call it,'our systems are being breached, and we need to work to make them qualitatively more resiliant.' The proposals for an identity metasystem for the Internet are intended to'bring about'a'holistic alternative to the current ad hoc environment.
In the meantime, there will be more breaches, and those writing about them will not be Chicken Littles yelling that the sky is falling.
Tuesday, December 27, 2005
Identity Information Theft versus Identity Theft
Posted by just jon at 11:08