Data management is in crisis. Private data is subject to abuse, and legal penalties for data leakage are on the rise. Today, personally identifiable information (PII) is just as valuable as money or intellectual property. Identifiers such as name, postal address, e-mail address, social security number, credit card number and so on need to be managed and guarded with the same diligence afforded other types of precious assets. In the past, PII was not so valuable. But in today's information society, where institutions like banks deal with individuals through telecommunications, PII is critical for knowing who is who and what their reputation is.
One problem is that, if someone can steal PII, they can profit from it. They can masquerade as some other person, for example by taking out a loan or renting an apartment in the person's name. This is often referred to as identity theft.
Identity theft has, in just the past few years, become rampant. The U.S. Federal Trade Commission now estimates that a staggering 10 million Americans were victims of identity theft in the 12-month period preceding September 2003. To business, the cost of identity theft during those 12 months has been estimated to be $47.6 billion. Further, it has been estimated that this is on its way to becoming $2 trillion.
For criminals, a growing source of access to PII is through computer break-ins. Incidents of computer break-ins are rising sharply, and the public is unhappy about it. Legislators and government watchdogs are taking action. Businesses are paying real dollars.
As one example, California Senate Bill 1386 provides that people holding PII in electronic form must give prompt notice to any California resident whose data is reasonably believed to have been compromised. Under Senate Bill 1386, Wells Fargo spent millions of dollars in late 2003 and early 2004 to give notice and support to 200,000 customers after a criminal stole a laptop computer containing their names and account information. Since July 2003, numerous other institutions have been forced to notify data subjects about computer burglaries. These include Arkansas-based Acxiom, the University of California at Berkeley, and Equifax Canada.
In March 2004, Softbank (Japan's largest broadband ISP) notified its 4.51 million current and former subscribers that someone had breached the security of its customer database. To compensate customers, the company dedicated $37.8 million for free services, and executives agreed to cut their salaries for the year. In August 2002, the New York Attorney General forced Ziff-Davis to pay $125,000 after a hacker broke into its database of online game customers. The attorney general took action under the state's deceptive trade practices law.
Ligand Pharmaceuticals settled a common-law negligence lawsuit brought by 30 employees who suffered identity theft after their names, birth dates, addresses and social security numbers were stolen from company records.
In late 2003, the California legislature enacted another law, Senate Bill 1, which provides specific monetary penalties for financial institutions that negligently allow PII to get out.
These developments are alarming, and it is expected that the future will bring more lawsuits and more new laws. Information technology has brought the situation to a point of crisis. There is a need to manage personal information in ways that better promote the interests of all parties.