The Top 10 Hot Identity Topics: A Smart Card Alliance Identity Council White Paper

An in-depth report on issues affecting identity management and protection


· Stay educated about the value of identity characteristics.

· Monitor sources of identity for possible abuse or misappropriation.

· Develop an attitude of caring about identity as a personal asset.

Identity Topic #2: Protection of Identity Information—Is Your Identity Protected? Can You Protect It?

Introduction

As the result of legislation and the threat of litigation, both the public and private sectors are instituting new policies and practices designed to protect identities, ensure privacy and control access to identity information.

Protecting one’s identity depends both on personal efforts and on the practices, policies, and systems of those organizations to which a person entrusts personal information. Daily life requires individuals to interact with other individuals and with organizations and, in the process, to exchange identity and other personal information. People constantly risk losing control of identity information and must rely on the entities that share the information to protect it.

The increasing incidence of identity theft has led to an increasing awareness of the need to protect identity information. As a consequence, both individuals and organizations are taking more aggressive steps to secure personal information. Concurrently, a number of laws and regulations have been put in place to ensure that personal information is protected and secured. The threat of litigation and financial penalties is motivating organizations and individuals to institute appropriate mitigating measures.

Laws and Regulations

A number of new U.S. Federal and state laws and regulations have recently been passed (or are pending) that address the risk associated with organizations not adequately protecting the identity data in their custodial care. These mandates address policy and business practices and also ensure that appropriate operational and information technology security measures are instituted.

One piece of legislation that was recently passed specifically to address the identity theft issue is the California Security Breach Information Act (SB 1386), which requires commercial organizations to notify their customers whenever they suspect the security of a customer’s data has been compromised. This notification is required regardless of whether there is evidence that an individual’s data file has actually been compromised. The Act also requires across-the-board notification even if only one person’s file has been affected. The consequences for not complying with the notification requirement include financial penalties, negative publicity, and the risk of multiple civil lawsuits. These negative consequences create a strong incentive for affected companies to comply with the law. A bill has been introduced in the U.S. Congress modeled after the California law. The bill is still in conference but could become law sometime over the next few years.

Other laws that directly affect privacy protection in the U.S. include Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act. The common theme of all these laws is that sensitive information, be it personal, medical, or corporate financial, needs to be protected to prevent restricted or private data from being accessed by unauthorized individuals or organizations.

Corporate Policies and Practices

More corporations and private sector organizations are modifying their business practices, operations, and policies to enforce the protection and appropriate use of private data. Certainly anyone who has a brokerage, banking, or credit card relationship with an institution has received privacy notices that describe how the institution protects and uses the private data entrusted to it to facilitate business-consumer transactions.