Research on Security and Innovation in the Cloud

After reading Roger A. Grimes’ post, “Identity Thefts? What Identity Thefts?”, I had a look at the mentioned US Government Accountability Office (GAO) report, called “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limite...”.

In his post, Roger says: “The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks. … The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it’s not an entirely bad report, but it comes to nebulous conclusions.”

I share some of Roger’s concerns. It also looks odd to me the statement that “the extent to which the data breaches result in identity theft is not well known” and the fact that end-users (data subjects) have (apparently) not been involved in the surveys and interviews.

In addition, I believe that just focusing on “Notification Strategies/Legislation” is not the right way to go. The “Notification” of identity thefts should really be the last step, once the damage has been done, as an ultimate attempt to contain its consequences. Legislation should also focus in defining criteria and guidelines to be met in terms of effective data protection, policy enforcement, good security and business practices as well as defining punishments for breaching rules and compensations for affected people. I think this will give an “impulse and motivation” to be more compliant and tackle root problems.