I don’t want you to be me

Jul 14, 2003

No offense, but I don’t want you to be me. Last year the Federal Trade Commission received almost 162,000 complaints concerning identity theft, up from 117,000 in 2001. And there is no indication that the problem is abating.

It is usually not possible to figure out where identity thieves get the information needed to mimic other people. But clearly a major reason for the dramatic increase in the threat stems from the all-too-easy availability of personal information on computer systems connected to the Internet. Yet, unless you live in California, you might never know if someone who should not do so gets access to some of this data.

As of July 1, the new California Database Security Breach Act requires that the operator of a computer system notify anyone whose unencrypted personal information has been exposed by a security breach, but only if that person is a California resident. Sen. Dianne Feinstein (D-Calif.) has introduced a bill to establish a U.S. federal law extending the requirement nationally. There are a few differences between the California law and the Feinstein proposal, including that the federal bill would not let individuals sue companies for failing to notify them of a security breach, but the basic idea is the same: Warn people whose data has been compromised so they can keep an eye open for signs that someone is exploiting the information.

There was a lot of press coverage of the new California law and of Feinstein’s proposal. But far too much of it, including a June 30 cover story in this magazine, focused on companies whining that it will be hard or embarrassing to comply with the idea that they should care enough about the people whose data they use and abuse to let those people know if someone else might be about to make their lives a nightmare.

Companies that actually care about the well-being of their customers have been doing the right thing for years. It’s only companies that value a reputation built on lies that have not been letting customers know about security failures.

It is unfathomable to me why a company would consider, even for a second, obeying the California law only for California residents. It is not the legal risk that a company might miss a customer who moved to California that makes this narrow approach unfathomable, or that there soon might be a national law. Rather, it is the immorality of not notifying other customers. But I guess that morality is not a prerequisite for some corporations’ lawyers.

Some corporations complain that notifications will give a false impression of their security systems and might cause customers to move to companies with better security records. They are both wrong and right: Disclosure will give a true picture that a company is too stupid to keep customer data well protected and encrypted, and the market will punish such companies. Both are good things.

Disclaimer: Harvard’s relationship to the concepts of “stupid” and “good things” is in the mind of the beholder, but the above observation is my own.