By Neal O'Farrell, security and identity theft expert for CreditSesame.com
Maybe we'll end up calling it the Sony effect, but after years of cybercrimes and data breaches, and endless erosion of our privacy, it seems like the Sony debacle was the final straw for President Obama.
Last week President Obama proposed a raft of new legislative initiatives designed to improve consumer protections on issues like identity theft and privacy. If they're ever adopted, they might make a difference. Or maybe not.
While many experts are calling the efforts somewhat worthy, others are pointing out that they're both just a rehash of legislation previously proposed and rejected, and many are little more than voluntary codes of conduct with few sharp teeth to back them up.
- The Personal Data Notification and Protection Act would require companies to notify customers that their personal information has been exposed in a data breach within 30 days of discovering the breach. The hope is that the sooner consumers are aware that their identity might be vulnerable, the sooner they can take defensive measures.
- The Act would also criminalize oversees trading in stolen identities, although it's hard to imagine how that might be enforced in countries unwilling to cooperate.
- A number of banks and credit unions have begun offering free credit scores to consumers as another way to provide early warning signs of identity theft. This would be great if credit scores actually helped identify signs of identity theft. Unfortunately, many identity theft warning signs start with the consumer's credit reports, and most of these potential warning signs have no impact on their credit scores whatsoever. The best tool for detecting identity theft is credit monitoring, which is designed specifically to alert consumers when there are potential signs of fraud or identity theft. Even then, it really only tells consumers that they're a victim after the fact, and maybe months after.
- There will be increased efforts to increase student privacy at school, and especially the way schools and businesses collect and use student personal information.
- Teachers will become students of security and privacy so they can better understand how to improve student security and privacy.
The devil will be in the details, where it always is. But the devil will also be in the bigger challenges, like making businesses and schools aware of what their new security and privacy obligations will be, persuading them to care enough to comply and policing them to ensure enforcement.
Another word of caution before you feel confident enough to post your Social Security Number on the side of a bus: there have been six previous attempts to pass similar legislation in Congress in just the last two years, and they all failed.
So while it all sounds like a positive, if small step forward, no one's sure if the step will ever actually be taken. If it is, will it be a tiptoe or a giant leap? Privacy and security legislation are notorious for being very, very slow -- and time is something consumers don't have the luxury of.