Bruce Schneier provides his thoughts on the ChoicePoint fiasco, noting that until companies like ChoicePoint are forced to absorb (financially) the full costs of ID theft, they’ll continue to treat our personal information merely as a commodity:
Identity theft is the fastest-growing crime in the U.S., and an enormous problem elsewhere in the world. It’s expensive — both in money and time — to the victims. And there’s not much people can do to stop it, as much of their personal identifying information is not under their control: it’s in the computers of companies like ChoicePoint.
ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company “NoChoicePoint.”
The upshot of this is that ChoicePoint doesn’t bear the costs of identity theft, so ChoicePoint doesn’t take those costs into account when figuring out how much money to spend on data security. In economic terms, it’s an “externality.”
The point of regulation is to make externalities internal. SB 1386 [California’s law requiring notification of ID theft victims] did that to some extent, since ChoicePoint now must figure the cost of public humiliation when they decide how much money to spend on security. But the actual cost of ChoicePoint’s security failure is much, much greater.
Until ChoicePoint feels those costs — whether through regulation or liability — it has no economic incentive to reduce them.