Class Action Coming for Identity Theft?

It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:
Surprisingly, the real villains in Zero Day Threat are not the identity thieves themselves, despite their unsavory lives of crime. Rather, the villains are supposed pillars of communities: bankers, credit-bureau managers and computer makers who enable the burglars, and who could ameliorate the identity-theft crisis but, instead, look away in the name of larger corporate profit.

“We found that there were much more complex contagions eroding the security and privacy of sensitive data” than mere spammers and virus writers, Acohido and Swartz comment, “and those corrupters had more to do with business practices and marketing strategies of the financial services and technology industries.”

The Exploiters consist of the lawbreakers, some of them addicts needing money for narcotics, some of them stone-cold-sober career criminals operating identity-theft syndicates across national borders. The Enablers consist of the banks, credit bureaus, credit card companies and data brokers seemingly blind, deaf and dumb to the need for privacy protection. The Expediters consist of the technologists who write computer programs with good intentions (at places like Microsoft), and their evil twins who write programs as recreation to disrupt networks.

You won’t guess who’s the bad guy of ID theft, By Steve Weinberg, Special for USA TODAY, 14 April 2008

Corporations favoring profit over customer security or privacy? Say it ain’t so!

And didn’t we just see an example of technologists with good intentions nonetheless expediting information leaks? And the mistakes of a few developers at a state institution are nothing compared to the plague of viruses, botnets, and online crime networks that big software vendors expedite.

The book:

Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity by Byron Acohido and Jon Swartz; Union Square Press, 297 pages, $19.95.
Like Iang, I haven’t read it yet, but it sure sounds good from the review. Somebody is going beyond tinkery details to the big picture!

A book like this could be used by an ambitious prosecutor to go after some of those expediters. A class action lawsuit could set a precedent that could be better than legislation to establish software vendor liability. As Iang points out, a class action lawsuit gone wrong would only affect one vendor, while legislation is too often written by legislators who don’t understand the subject matter. I would add that legislation is all too likely to adversely affect open software, while no lawyer would be foolish enough to try a class action lawsuit against Linux. Such a lawsuit will go after deep pockets, such as those in Redmond. And while Iang seems to worry that open software is part of the problem, it seems to me that open software gets fixed pretty quickly, while closed software, such as that emanating from Redmond, doesn’t, and is thus much more of a problem.

A class action lawsuit precedent would turn the externalities the vendors are currently ignoring into liabilities they’d have to do something about. One of the things they’d have to do is to get insurance, as Hal Varian has been saying since 2000. And the insurers would then require better security.


3 thoughts on “Class Action Coming for Identity Theft?”

  1. Adeah Wetzel

    Identity Theft is real, no question about that (noticed I even capitalized it!). There are two sides to this coin: One, there are very few people who really know what it is and what to do about it. Two, there are thousands upon thousands of victims every day from this crime! I would recommend another great book to fill in some of these details about Identity Theft: “The Silent Crime: What You Need to Know About Identity Theft” by Michael McCoy & Steffen Schmidt, PhD.

  2. Identity Theft Secrets

    I’ve been thinking about writing something like this for a few years, but I’m glad someone actually has taken the step and written it.
    Good for Ian for being willing to piss off some of the most powerful companies in the US, in order to work to create change in an industry which badly needs it.
    And yes, large class action lawsuits are well on their way… several smaller ones have been filed since 2004 (as best I can tell), and especially since FACTA in 2006.

  3. Iang

    IdentityTheftSecrets: thanks, and you’re right, it pisses some people off, if the slap-downs are any guide 🙂
    But meanwhile, I’m very curious: what class action lawsuits have you seen? I think it will be very important to document this, as I see it as the only economic (good) alternative to uneconomic (bad) liability legislation.
