Schneier on Security
A blog covering security and security technology.
« Solove on Stuntz on Privacy and Transparency |
| Terrorist Travel Advisory »
April 20, 2006
Identity-Theft Disclosure Laws
California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.
Except that it won't do the same thing: The federal bill has become so watered down that it won't be very effective. I would still be in favor of it -- a poor federal law is better than none -- if it didn't also pre-empt more-effective state laws, which makes it a net loss.
Identity theft is the fastest-growing area of crime. It's badly named -- your identity is the one thing that cannot be stolen -- and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit.
Many companies keep large databases of personal data that is useful to these fraudsters. But because the companies don't shoulder the cost of the fraud, they're not economically motivated to secure those databases very well. In fact, if your personal data is stolen from their databases, they would much rather not even tell you: Why deal with the bad publicity?
Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information -- or to refrain from collecting it in the first place.
Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.
This public shaming needs the cooperation of the press and, unfortunately, there's an attenuation effect going on. The first major breach after California passed its disclosure law -- SB1386 -- was in February 2005, when ChoicePoint sold personal data on 145,000 people to criminals. The event was all over the news, and ChoicePoint was shamed into improving its security.
Then LexisNexis exposed personal data on 300,000 individuals. And Citigroup lost data on 3.9 million individuals. SB1386 worked; the only reason we knew about these security breaches was because of the law. But the breaches came in increasing numbers, and in larger quantities. After a while, it was no longer news. And when the press stopped reporting, the "cost" of these breaches to the companies declined.
Today, the only real cost that remains is the cost of notifying customers and issuing replacement cards. It costs banks about $10 to issue a new card, and that's money they would much rather not have to spend. This is the agenda they brought to the federal bill, cleverly titled the Data Accountability and Trust Act, or DATA.
Lobbyists attacked the legislation in two ways. First, they went after the definition of personal information. Only the exposure of very specific information requires disclosure. For example, the theft of a database that contained people's first initial, middle name, last name, Social Security number, bank account number, address, phone number, date of birth, mother's maiden name and password would not have to be disclosed, because "personal information" is defined as "an individual's first and last name in combination with ..." certain other personal data.
Second, lobbyists went after the definition of "breach of security." The latest version of the bill reads: "The term 'breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individuals to whom the personal information relates."
Get that? If a company loses a backup tape containing millions of individuals' personal information, it doesn't have to disclose if it believes there is no "significant risk of identity theft." If it leaves a database exposed, and has absolutely no audit logs of who accessed that database, it could claim it has no "reasonable basis" to conclude there is a significant risk. Actually, the company could point to a study that showed the probability of fraud to someone who has been the victim of this kind of data loss to be less than 1 in 1,000 -- which is not a "significant risk" -- and then not disclose the data breach at all.
Even worse, this federal law pre-empts the 23 existing state laws -- and others being considered -- many of which contain stronger individual protections. So while DATA might look like a law protecting consumers nationwide, it is actually a law protecting companies with large databases from state laws protecting consumers.
So in its current form, this legislation would make things worse, not better.
Of course, things are in flux. They're always in flux. The language of the bill has changed regularly over the past year, as various committees got their hands on it. There's also another bill, HR3997, which is even worse. And even if something passes, it has to be reconciled with whatever the Senate passes, and then voted on again. So no one really knows what the final language will look like.
But the devil is in the details, and the only way to protect us from lobbyists tinkering with the details is to ensure that the federal bill does not pre-empt any state bills: that the federal law is a minimum, but that states can require more.
That said, disclosure is important, but it's not going to solve identity theft. As I've written previously, the reason theft of personal information is so common is that the data is so valuable. The way to mitigate the risk of fraud due to impersonation is not to make personal information harder to steal, it's to make it harder to use.
Disclosure laws only deal with the economic externality of data brokers protecting your personal information. What we really need are laws prohibiting credit card companies and other financial institutions from granting credit to someone using your name with only a minimum of authentication.
But until that happens, we can at least hope that Congress will refrain from passing bad bills that override good state laws -- and helping criminals in the process.
This essay originally appeared on Wired.com.
EDITED TO ADD (4/20): Here's a comparison of state disclosure laws.
Posted on April 20, 2006 at 8:11 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Another example of "token measures" to appease the public but that in fact, do nothing, or less than nothing, they do harm.
You just gotta love our political system...it's one of the most democratic on earth, but, because we are all selfish, we abuse it for our own ends. An if I've got more time and money to defen my end, it means your end gets left hanging....
Since the current legislation seems to be either weak or harmful, is there any example legislation that we could point out as useful and point out to our Congress persons as legislation that would be good?
"Since the current legislation seems to be either weak or harmful, is there any example legislation that we could point out as useful and point out to our Congress persons as legislation that would be good?"
For a while I have been pointing people to this:
Nicely said, Bruce. You nail the problems with the DATA bill, at least in my opinion
To be fair, though, there is both mention of the encryption algorithms and of key management:
"4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption."
You might say that "appropriate" key management leaves plenty of wiggle room, but would you not agree that mandating the use of NIST-approved algorithms is reasonable? If not, I'd be very interested in your objections.
New York's law ( http://assembly.state.ny.us/leg/?bn=S03492&sh=t ) is pretty good. It is quite strong in dealing with the "first initial loophole", so-so on encryption (algorithms not specified), and acceptable on key management (you lose the key, you have to notify).
One feature of the NY law that is highly desirable, is mandatory central reporting of breaches to the state government. This greatly aids in research, and assists the legislature and regulatory folks. No other state has anything like this (although NJ requires the state police to be notified, they are exempt from that state's freedom of information statute, so there may be no teeth in the requirement).
I am going to disagree with the issue of poor Federal laws tend to make a mess out of everything. Once a poor law is in place the "problem is solved" and it gets harder to fix things.
We would be much better off with 50 good state laws than one bad Federal law.
"To be fair, though, there is both mention of the encryption algorithms and of key management..."
No, you're right. I meant to take that out of the essay, but forgot.
I will fix it in the essay above, right now.
I still don't understand why the companies granting credit aren't held fully accountable. The companies are willing and active participants in fraud against individuals. The fraud could not be committed without the assistance of those companies.
In most cases, it's plainly obvious that there is a problem. For example, someone applying for credit using an address that doesn't match anything on their credit report should be a cause for suspicion. It may not indicate a problem since people move and credit reports are slow to get updated. However, I would think there should be additional scrutiny for those accounts.
Data which is publicly available should not be used for authentication purposes. By publicly available, I mean that data aggregators will sell you as many names, addresses, ssn's, etc as you can afford. The only barrier to entry is cost.
The personal data only has value because companies are willing to accept it as sufficient proof of identity to help someone commit fraud. Notifying people that their data has been compromised is a feel good solution. It doesn't prevent anyone from committing fraud against the individual. It just increases the burden on the individual to request and review their credit reports more frequently.
If we want to have an impact on identity theft, there have to be consequences for the companies granting credit. An affidavit from the individual should be all that is necessary to invalidate the account in question. The burden of proving that the individual owes the company money should lie with the company. There is an obvious conflict of interest when the company is the only party with the evidence needed to prove that the individual did not open the account.
The reality of identity theft is that it's a middle class problem. The poor have no credit, so they're bad targets. The rich can afford to take the risk of a bad credit rating in the interim to fight it out with the companies. These companies know that they don't have a leg to stand on with the fraudulent accounts, but it's in their best interests to try to screw the little guy. The more affluent members of society can make things really unpleasant for the companies, so I suspect the companies are a lot more understanding of complaints by people who already have lawyers on staff.
There is another odd benefit of having 50 different state laws - it becomes so difficult to keep up with all of them that it's just more cost effective to use good security measures. Compliance is an area where companies often do the least they can. However, it's expensive to keep making small changes as the laws change to patch the known problems with the lowest common denominator solution.
'"The term 'breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individuals to whom the personal information relates."'
So I guess it is a reversal of onus of proof of a kind? Companies can breach, claim lack of significant risk, and somone has to sue and win in order to force the company to disclose. Since knobody knows that there has been a breach, because the company has not disclosed, that will most likely never happen!
It will be an improvement for Arizona, which is #1 for identity theft in the nation on a per-capita basis (according to the FTC's reports), and which has so far been unable to get an identity-theft notification bill through the legislature.
The passage you cite looks similar to Washington state's safe harbor (in SB 6043) where disclosure is not required if it is determined that the data is not likely to be the subject of a crime.
It may also be a slight improvement for a number of states, like Indiana (SB 503 only applies to state computers) and Georgia (SB 230 only applies to data brokers). It looks like some of the tougher ones are California (SB 1386), Texas (SB 122, must notify even if the data has not been used by a third party), Illinois (HB 1633, covers electronic and paper data, doesn't require the breach to involve a criminal purpose), and Florida (HB 481, has monetary penalties for each day/month of nondisclosure after 30 days).
"It will be an improvement for Arizona, which is #1 for identity theft in the nation on a per-capita basis (according to the FTC's reports), and which has so far been unable to get an identity-theft notification bill through the legislature."
Actually, I think it won't be.
Remember the ChoicePoint story. They were forced to disclose because of the California law. Originally they were only going to disclose to California, because that's what the law said. But public pressure forced them to disclose to everyone. The Californa law benefited the citizens of Arizona.
Right now there are enough good state laws that companies are improving their security across the board. If there were a weaker federal law, then everyone would be less secure -- both residents of states with stronger laws and residents of states with no laws.
"I still don't understand why the companies granting credit aren't held fully accountable. The companies are willing and active participants in fraud against individuals. The fraud could not be committed without the assistance of those companies."
Because they have better lobbyists than we do.
They have better lobbyists because they have a consistent goal - reduce liability. That's easy to do, just defang everything that could possibly be used against you. As with all other things, companies will only comply with the laws that are cost effective.
The victims do not have a consistent goal, other than not wanting to be victims. I don't think we could get enough people to pay lobbyists to change the laws in favor of the majority. In order to make an impact, we need lawyers who are willing to take a chance on a large payoff with these companies.
I know there's nothing I can do to prevent identity theft, but I can also live with having my credit rating trashed for a while. If I were a victim of identity theft, the first thing I would do is look for lawyers who want their 40% of a large lawsuit. Class action lawsuits against deep pockets make lawyers drool. The one thing our legal system still has going for it is the juries. I think the average jury would have an easier time relating to people being screwed by companies.
"Because they have better lobbyists than we do."
I think (while that is certainly true) it is a little more complicated than that. I really doubt Americans would be happy with the level of difficulty in obtaining credit if sane identity checks were put into place to prevent identity theft. As long as identity theft is something that primarily happens to "other people", we are not going to give up our same day credit card and mortgage approvals.
And really when you think about it, how could it be done better? Opening credit requires more data than it does now? That won't solve the problem, just make the data-sets larger all around. The best authentication method we have is biometric (human recognizing another human, not machines trying to recognize humans, that is one of the worst we have), but that requires proximity that is not realistic in a global marketplace.
You really almost either need a centrally managed identifier with a secret component (this is as close as I will ever come to suggesting a government run PKI for the masses) or you need some form of "web of trust"-like attestation system which would likely also be cumbersome and unworkable on a large scale.
"How could it be done better?"
That's a fair question. I think I have some reasonable and cost effective answers.
1. Let people have some control over their account opening options.
We already have major credit bureaus as a choke point for information about people's credit history. It wouldn't be difficult to let people give input on their own credit preferences. It can be as simple as giving three basic options like open(same as now), confirm (with phone number specified, as can be done now with a fraud statement), or only allow opening accounts in person with appropriate identification. I have enough accounts for all of my needs right now, I would be willing to put up with the inconvenience of having to do something in person on the rare occaision I need to open an account.
2. Confirm that information is consistent.
Before opening new accounts, a credit report is pulled currently. If the information (name, address, etc) on the application does not match the credit report, stop the automated process. When the address doesn't match anything else, that should indicate a higher risk. If someone opens a credit card in my name and the credit card goes to my mailbox, it's much more difficult for someone to hide that fact from me, let alone use it. Since the information is available on the credit report and application, this is a quick confirmation step.
3. Authentication can be transitive.
It's not realistic for me to authenticate myself in person to a bank in New York. However, they can tell from my credit report that I have existing relationships with other major banks. Having me identify myself at my convenience at a local branch of the bank of their choosing isn't much of an imposition. Someone wouldn't even need an existing relationship with a financial institution to get their identification verified, but there would probably be a fee in that case.
I don't think a web of trust would be unworkable if you look at that in the context of current credit reporting practices. I think it would be workable if there was an easy way for me, as a customer of Chase to have Chase tell Bank of America "our customer(name, address, telephone #) would like to open an account with you." That, in combination with an application that makes sense would go a long way towards preventing most of the fraud we currently see. If nothing else, it would create an audit trail and help in modeling the risk of creating a new account.
Banks already have mechanisms to move money amongst themselves. Maybe if we had trust-bucks that you could transfer from an existing account to a new one, the same infrastructure could be used. If I transferred 1 from each of 5 accounts I have, it would suggest that it's either legit or that I've been totally compromised.
Another great article!
Some very insightful comments. I agree with your elaboration on the delinquency of the banks and FI's when it comes to preventing fraud.
You are also "on the mark" regarding 50 state laws. What I see FI's doing is taking a "least common denominator" approach and shoring up their security to support the most strict state laws, while complaining they need a "one law for all" from the feds.
I also like your idea to allow consumers to restrict creation of new accounts, with some form of "in-person" authentication required to make changes. This could go even further to allow consumers to restrict account creation to their state of residence, or even their city. For those that don't, and may never travel outside their country, or even state, they should be able to restrict usage of their accounts by country, state, or even city.
For example, I move around my state and neighboring states a lot, and regularly travel around the country on business, but I don't have plans to travel internationally anytime in the near future, so why should my ATM cards, credit cards, etc. be usable outside the US?
When ATM cards first came out, they were secure since they would only work in the issuing banks ATM machines. I think in many instances, consumers should be able to create similar types of geographical restrictions. For many consumers, especially those that aren't "geographically mobile", why shouldn't they be able to constrain those regions they want to be able to access their funds.
Granted, as automated fraud detection technologies gets more sophisticated, establishing usage patterns and such, a lot of this type of fraud will be detected. However, why not be able to "help out" the fraud detection, by letting the consumer provide geographic usage areas?
"a poor federal law is better than none"
That's a dangerous phrase - I'm glad you immediately qualified it.
I welcome more legislation to disclosing personal data "loss".
Frankly, I'm sick and tired of financial institutions playing fast and loose with my personal information.
This reminds me of the fiasco a few months back with the Bankruptcy law. The lobbyists for the credit card companies essentially bribed congress with $70 million in Pork Barrel and Campaign contributions and got a law passed which hold consumers hostage
I agree with Mike Sherwood, with one caveat:
The default for #1 on your credit bureau report should be "closed" -> only allow new accounts in person with identification. If you want to change your status to "verify" or "open", there should be an interface with the credit bureau to change your status.
Since credit companies *want* people to open new accounts, they'll underwrite the cost of this (preventing DMV-like queues). However, since most consumers actually probably would benefit from the additional security, having "default deny" enabled is a good thing.
One final benefit -> given the fact that many people (particularly young people) have damaged their credit rating by getting addicted to easy credit, adding a delay point might cut down on the general American debt load.
Been doing some reading of the various state breach laws. I came across a rather, uhmmm, inclusive definition from the great state of Nevada:
" NRS 205.4742 “Encryption��? defined. “Encryption��? means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
Yep. "Any protective measure".
Bruce> This is the agenda they brought to the federal bill, cleverly titled the Data Accountability and Trust Act, or DATA.
If they were really being clever, they would have called it DATA Accountability and Trust Act, in true RMS fashion. :^)
I think credit bureaus should be held responsible for information they hold and distribute in the same way that credit card companies should bear the burden of their bad lending decisions. If a credit card company says that I signed up for a card and didn't pay for purchases on it, they should bear the burden of proving that I signed up for it. If they report to a credit bureau that I signed up and didn't pay, and that's not actually the case, that's libel. If the credit bureau repeats that false statement, that's libel as well. Civil prosecution should be able to take care of these.
As far as credit being more difficult to get in such a world, it would probably become more difficult to get at the current rates. However, it seems likely to me that some companies would chose to keep their current rate structure and do more verification of customers, and others would change their rate structure to be able to handle higher losses and then make it easier to get credit. In fact, companies are already doing this; there are special high-interest-rate cards for people with poor or little credit history.
"a poor federal law is better than none "
That certainly is NOT what the original framers of the constitution intended......the federal government is to have ONLY those powers specifically ascribed in the Constitution, otherwise its to be the jurisdiction of the states. We have abandoned that on many fronts.
"can be as simple as giving three basic options like open(same as now), confirm (with phone number specified, as can be done now with a fraud statement), or only allow opening accounts in person with appropriate identification."
Many states already have what's known as a "credit freeze" system in place with the bureaus that each individual can acitvate. So when creditors go to check your credit file for credit worthiness, they will see that your file is "frozen" and can only be unlocked by the individual. The bureaus give you a PIN number where you can unlock your file by calling (I believe it lasts for around three days).
The bureaus fought tooth and nail over this because it becomes an added cost for them to maintain. They also fought tooth and nail over credit alerts until they found out they could make money by offering people side products to go along with it.
The problem is that just because the creditors see this doesn't mean they pay attention to it. The car salesman may sell the car to the person anyways if he badly needs to make the sale.
The only real chance to cut down on these circumstances is to punish the companies that allow the ID theft to happen in the first place, and as Bruce says, they have better lobbyists than we do so good luck with that.
Some people still just don't "get" identity theft, because they have a very limited view of which documents can put you at risk. Recently I interviewed for a new job, and I was asked to submit, in addition to my resume, a multi-page application form containing enough information to do a background check. Well, sure enough, the HR department of the company in question claimed they had "lost" the form, and emailed me to ask me to submit it again. After dickering back and forth for a while, and guessing that they were just making me do this because it was easier than them doing a proper search, I finally sent them an email saying more or less: "The problem isn't doing the form again. It's that there will now be the previous copy of all my personal information, SSN, ten year job history, school history, address history, etc, floating around where someone may casually pick it up. Think identity theft.".
Within literally five minutes of hitting the "send" button on the email, I got an apologetic phone call to say "Sorry, don't send another copy of the form. We found the original one after all".
I recently heard of an elderly woman in southern Ontario, Canada, who lost her home because someone else had mortgaged it and defaulted on payments. It boggles my mind how a fraudulently acquired mortgage can legally have any effect on her ownership. It looks to me like someone, everyone admits it wasn't her, defrauded a bank - why should that affect her at all?
"elderly woman in southern Ontario, Canada, who lost her home"
You don't say how she lost it, it could have been due to not being able to pay legal fees or other debt incured with trying to assert her rights. Or to some peculiarity of the law or something even more bizzar.
I like your comments, but I sure hope we don't have to wait for federal action. I'd rather see a simple "carrot and stick" approach. The stick, if you will, wielded by the first gutsy, greedy mega-law firm persuasive enough to push a class-action suit against a major credit card company or retailer on a theory of negligence for fraudulent credit card transactions that result in damage to consumer credit ratings. Stronger identification, though not full- (or fool) proof, is easily within reach of today's technology, so failure to take action shows a lack of due care on the part of lenders and merchants in the credit card chain. I think a talented team of hungry lawyers could convince a jury that the Visa's and MC's just don't care about the damage they are allowing to happen.
The carrot, the business opportunity, will come to the credit card company that offers n-factor identification (fingerprints, SecureId pins, etc) for a small fee, and perhaps even develops a business model that offers lower rates to consumers who want stronger anti-fraud features.
The lenders simply pass on the cost of card fraud to borrowers. Perhaps the rising interest rates anticipated because of the inflation caused by oil prices will provide some incentive to cut lending costs and continue to be competitive.
"...a poor federal law is better than none."
Can we all say together, "Sarbanes-Oxley" ?
"What we really need are laws prohibiting credit card companies and other financial institutions from granting credit to someone using your name with only a minimum of authentication."
As pointed out by several people in this thread, we don't need laws preventing companies from making stupid decisions. We need a way for ordinary people to assert their rights when the company tries to get the innocent party to pay for the consequences of that stupidity. Clearly a company that made a trust decision based on inadequate information is liable, but first one needs to convince the company's legal department of this -- and things degenerate into a game of chicken, to see who will give in first. It is clearly in the company's economic interest to play this game for a while, since it results in better profits than improving security. So stupid decisions may not be so stupid after all when there is a legal department on standby.
My personal preference would be better court procedure, where the party who files a malicious suit is automatically liable for costs.
We should sue the Federal Goverment and make them accountable for the fact that they FORCE us have this SS #. This number can never be changed. This number can and does hold us accountable for actions taken that require this number. There is no current means to definatively prove that we are who we are. Solutions could be easily implemented. Finger and Foot prints SHOULD BE required upon Application for a Social Security Card. Finger Print required on all transactions and or Application for credit using this number. So Simple yet our goverment would rather give our indenties benefits to illegals who then collect the benefits we worked hard to earn. Peoples Character, opprotunities, and finances have impacted and due to the governments lack of responsibiilty to its citizens we suffer irrepairable damages. Some people have actually been arrested for identity theft. What has to happen before US Citizens get a back bone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.