Opinions from Burton Group's CEO and Research Chair
August 06, 2006
The End of This Story?
The Wall Street Journal Online reported yesterday that two teenagers were arrested in the well-publicized case of the theft of a laptop and hard drive containing the personal identity information of some 26.5 million veterans and military personnel. According to the story (fee-based/login required), the teenagers did not target the VA employee’s home, and did not know what information was on the drive until after the story broke. The WSJ story also says that the laptop and hard drive were “turned into the FBI June 28 by an unidentified person in response to a $50,000 reward offer,” and “that the FBI has determined with a high degree of confidence that the files weren't compromised.” (Later: Here's a link to a New York Times story on the same subject.)
That sounds like good news. But as Scott Blackmer pointed out in his discussion of this incident during his Catalyst presentation, the toughest part of a case like this is that, at the time of the theft, it’s usually impossible to know the motives of the criminal. One could logically assume that petty theft for quick cash, not targeted theft for more sinister motives, is the most likely scenario, and that is how this case turned out. But until that’s proven, the victims of such a crime can’t operate on that assumption. Note, too, that the FBI’s finding that the files weren’t compromised was only possible because the hardware was recovered and could be examined; for the weeks before an unidentified person turned it in, no such determination was available to anyone. Organizations must operate on the worst-case assumption: that the identity information has been, or will be, compromised, and that the thief knows what they have.
In his talk, Scott estimated that it cost the federal government $25 million just to set up and operate the call center needed to handle the inbound inquiries from veterans. That doesn’t include offering each person credit monitoring services. And if this were a non-governmental organization (say, like the University of Ohio), the cost of lawsuits (win or lose) would be astronomical.
And this is just the beginning. The costs associated with breaches, measured in terms of reputation damage, money spent on managing the mess, and potential civil and criminal penalties, will keep going up. The best thing organizations can do is to seriously consider what kind of identity information they really need to keep, define the minimum necessary, and keep no more than that minimum. As I’ve said before, aggregating identity information aggregates risk: a single drive holding 26.5 million records is a single point of catastrophic loss. So even with a minimum amount of data retention, systems must be architected so that what is retained is not concentrated where one lost laptop, one copied file, or one compromised account exposes all of it.
August 6, 2006 in Identity Management