Congress is now addressing the problems brought to light by the ChoicePoint, Bank of America, DSW, T-Mobile and other recent stories. The question is whether Congress is addressing the right problem. I’ve already discussed how the data aggregators need to be held liable for protecting the data, and for ensuring its accuracy and validity. However, once the data is stolen from the data aggregators, there must be laws to reduce the ability of criminals to use the data for illegal purposes. The actual theft of the data is a relatively small problem compared to the criminals using the data. If the data is never used, the actual problems with it being stolen are minimal.
Protecting the data from being stolen is necessary, but it is only part of the solution. If the government and the financial institutions make it very difficult for stolen data to be used, the rewards of stealing data will drop significantly, making data theft a less tempting crime.
Where does the liability for the data use lie? Does it lie with the consumer? No, obviously not. The consumer is often the last to know that the data has been stolen. Why should the consumer be responsible for the actions of someone else?
The real responsibility lies with the companies that act based on that data. Banks, financial institutions and stores should be responsible for verifying that the information an applicant uses to apply for credit, loans and other financial resources actually belongs to the individual applying. They, and not the consumer whose identity was stolen, should also be held responsible for any losses that occur. This only makes sense, as they are the ones who are responsible for approving the transactions—they should also bear the risks of those same transactions, should their scrutiny of the identity used fall short. Isn’t it the responsibility, and thus the liability, of the vendor who approved the financial transaction to verify the identities of their customers?
The way the current laws are written, the banks, credit card companies, and other financial institutions can go after the identity used by their customer… even if the identity in question was stolen. It then falls upon the person whose identity was stolen to prove, often at great expense, that they were not the individual involved in the transaction. What makes this scenario even more ridiculous is the judgement of some courts that the person whose identity was stolen has no right to sue the involved financial institutions, as they are not a customer of the institutions, even though their identity is the one involved.
The current laws and regulations also allow the banks, credit card companies and other financial institutions to report these fraudulent transactions to the credit reporting agencies, and essentially libel the consumer whose identity was stolen with little or no recourse for the customer. This compounds the injury to the consumer whose identity is stolen, as they didn’t actually do the things the financial institutions are reporting, yet they are the ones affected by the false reports. Correcting such mistakes is often time-consuming and costly for the consumer…
Congress should take a long, hard look at making the companies who profit from both the collection and sale of personal data, as well as the banks, stores and other financial institutions—who profit from the financial transactions of consumers—responsible for their actions. Congress should also look to shield consumers from the actions and mistakes of these same companies as well as the thieves who use the stolen data to steal identities.
Bruce Schneier has an excellent article on this same subject, which you can read on his blog.