The John Marshall Journal of Information Technology & Privacy Law
Volume 26, Issue 1, Journal of Computer & Information Law - Fall 2008, Article 2
Fall 2008

Beyond Whiffle-Ball Bats: Addressing Identity Crime in an Information Economy, 26 J. Marshall J. Computer & Info. L. 47 (2008)

Erin Kenneally
Jon Stanley

Follow this and additional works at: http://repository.jmls.edu/jitpl
Part of the Computer Law Commons, Internet Law Commons, Privacy Law Commons, and the Science and Technology Law Commons

http://repository.jmls.edu/jitpl/vol26/iss1/2

This Article is brought to you for free and open access by The John Marshall Institutional Repository. It has been accepted for inclusion in The John Marshall Journal of Information Technology & Privacy Law by an authorized administrator of The John Marshall Institutional Repository.

Recommended Citation
Erin Kenneally & Jon Stanley, Beyond Whiffle-Ball Bats: Addressing Identity Crime in an Information Economy, 26 J. Marshall J. Computer & Info. L. 47 (2008)

BEYOND WHIFFLE-BALL BATS: ADDRESSING IDENTITY CRIME IN AN INFORMATION ECONOMY

ERIN KENNEALLY & JON STANLEY*

I. INTRODUCTION

Information technology has enabled Americans to live significant aspects of their lives in a digital environment. The U.S. legal system's response to this shift has been protracted, confused, and uninspired at times. A significant consequence of this muddled response has been a widening gap between a citizen's expectations of a safe and secure digital environment and the stark reality of a chaotic and at times, dangerous, digital environment, mediated by various marketing and advertising perception machines.¹ The situation resembles one where business and government, racing to exploit the new opportunities that technology inspires, set up a shopping mall to entice visitors. At the same time and unknown to the consumer, this "mall" is a zone where each beleaguered consumer is largely left to his own devices to protect himself from fraud or theft.² While the legal system does not allow the outright bludgeoning of harried citizen-consumers in these malls, it implicitly demands a threshold of a near-mugging before it will intervene on the citizens' behalf.

* Erin Kenneally is a licensed attorney and forensic scientist who consults, researches, publishes, and speaks on prevailing and forthcoming issues at the crossroads of information technology and the law. These include evidentiary, privacy, and policy implications related to information forensics, information security, privacy technology and information risk. Ms. Kenneally is founder and CEO of Elchemy, Inc. and holds a Cyber Forensics Analyst position at the University of California San Diego. Ms. Kenneally holds Juris Doctorate and Master of Forensic Sciences degrees. Jon Stanley is the Director of Tech Law for Elchemy, Inc. and Principal of the Law Firm of Jon Stanley. His focus areas include regulatory concerns for business entities, information security, privacy, cybercrime, cyberspace insurance, and intellectual property, about which he has spoken at various national conferences including the American Bar Association, Computer Security Institute and the Annual RSA Conference. Mr. Stanley earned his J.D. from the University of Maine Law School and his LL.M. in Information Technology and Telecommunications Law from Strathclyde Law School, UK. This project was supported by Award No. 2005-IJ-CX-K061 and 2006-DE-BX-K001 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this publication/program/exhibition are those of the author(s) and do not necessarily reflect the views of the Department of Justice.
1. See WordNet, http://wordnet.princeton.edu/perl/webwns=chaotic (last visited Aug. 12, 2008) (search definition of "chaotic:" "lacking a visible order or organization").

Moreover, consumers' choices are increasingly limited to these "unprotected" malls as institutions raze their concrete stores and migrate to the virtual stores. This would be an untenable scenario in the physical world, yet it is suggested that this is happening in the digital world. This tension between consumer expectations and reality can be viewed as a macro reflection of the features-versus-security tradeoff in software development, where the longstanding and dominant first-to-market policy has not coincidentally spawned demand for more secure code. Yet in this larger digital mall space the outcry for security is dispersed and muffled, thus allowing institutions to continue to drive consumers towards digital transactions without a corresponding investment in the security that would be required in the "physical" marketplace. This paper will explore the underpinnings and state of these pernicious dynamics in the context of identity crime, suggest likely consequences if nothing is done to alter the dynamics, and offer some solutions to bring a more well-founded sense of stability, safety, and order to this emerging and chaotic digital world.

In the throes of an accelerated period of change, society is struggling to make rational choices that strike a balance between traditional consumer expectations about safety and the grim realities of fraud and theft that the consumer faces online. The fear, uncertainty and doubt surrounding personal information privacy are the primary manifestations of this dynamic. The most tangible instantiation of this privacy fear³ has arguably been the explosion in both alleged and actual Identity Theft Crime ("IDC").⁴ IDC exposes the rift between citizens' expectations of stability and security, and the reality of society's information age institutions' management of digital data. This paper attempts to drive a proverbial zamboni across the dialogue about the identity theft problem rather than taking yet another swing at this complex topic with a whiffle-ball bat.

2. In the digital world these "devices" include, for example, improperly configured firewalls, continuous software patch updates, and anti-virus/malware/spam software.
3. See Press Release, TRUSTe, TRUSTe Report Reveals Consumer Awareness and Attitudes about Behavioral Targeting (Mar. 26, 2008), available at http://www.truste.org/about/press_release/03_26_08.php.
4. See U.S. Dept. of Justice, http://www.usdoj.gov/criminal/fraud/websites/idtheft.html (last visited Aug. 27, 2008). For our purposes here, and throughout the paper the term Identity Theft Crime ("IDC") means: "Identity theft and identity fraud are terms used to refer to all types of crime [or tort violations] in which someone [or some entity] wrongfully obtains and uses or intends to use another person's personal data [or identifying information and/or symbols] in some way that involves fraud or deception, typically [but not exclusively] for economic gain."

We will highlight the compartmentalized and imbalanced role that the free market and law enforcement plays in response to this emerging threat to privacy, the implications of this dynamic, and recommendations for improving the societal risk management of Identity Crime.

A. THE QUESTIONS THAT WILL DEFINE THE ANSWERS

Fundamental questions that must be addressed in any analysis of IDC include: What is identity in the analog world? What is identity in a digital environment? How is identity unlawfully acquired and used? How and when does this dynamic invoke legal protections? How are and should these legal protections be measured in terms of recoverable loss and/or damages? What is the nature and scope of IDC, and consequently, where are the risk allocation points during the lifecycle of IDC where responsibility and liability for prevention, detection and response should attach? This paper is motivated in part by what the authors contend to be a lack of satisfactory, objective answers to these questions. While this paper does not answer the totality of these questions it exposes the shortcomings of the predominant discourse about IDC, which is often as superficial as the perceptions it ingrains. In so doing, the goal is to direct solution-focused dialogue on these critical issues by providing a deeper and more comprehensive understanding of the role of key institutional forces on the structure and functions of IDC.

An examination starts with the contention that the relationships between citizens and their institutions are undergoing, at minimum, two significant role transformations in the digital environment.⁵ Specifically, we dissect the IDC crisis⁶ as owing to the dominion of unregulated or misguided free market forces.⁷ It is further suggested that these misguided, or unbounded, free market forces are forging and managing people's digital personas.⁸ Secondly, we posit that law enforcement's ("LE") role in maintaining order in the digital environment is a crippled or greatly diminished version of the role it plays in the physical environment, also exacerbating the IDC problems.

5. By this term we mean any environment where digital information, information using a series of ones and zeros, is stored.
6. See Press Release, Federal Trade Commission, FTC Testifies on Identity Theft (July 12, 2000), available at http://www.ftc.gov/opa/2000/07/identity.shtm. Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection, delivered the agency's testimony before the Subcommittee on Technology, Terrorism and Government Information of the Senate Judiciary Committee, stating "The fear of identity theft has gripped the public as few consumer issues have," the testimony says. "Consumers fear the potential financial loss from someone's criminal use of their identity to obtain loans or open utility accounts. They also fear the long lasting impact on their lives that results from the denial of a mortgage, employment, credit, or an apartment lease when credit reports are littered with the fraudulently incurred debts of an identity thief." Id.
7. See Investorwords.com, http://www.investorwords.com/2086/free_market.html (last visited Aug. 27, 2008) (defining "free market" as "Business governed by the laws of supply and demand, not restrained by government interference, regulation or subsidy.").

In the physical realm, Western society's traditional guarantor against chaos and corruption has been the legal system, with LE tasked to convey and enforce social protections manifested by laws.⁹ Implicit underpinnings of these protections and assurances are Identification¹⁰ and Authentication.¹¹ Few laws can be enforced or accountability effectuated if violators and victims cannot be credibly identified. Likewise, credit-based commerce depends upon distinguishing between bona fide "transactors" and impersonators, in other words, citizen-consumers and identity criminals.¹² This two-step process of identification and authentication has been internalized and taken for granted in the physical realm, both by society in general and LE specifically.¹³ In the physical realm a person's offline identities are relatively fixed and directly perceived through one's senses, and one's institutional controls, processes, and cultural conventions to authenticate identity have been built around these features.¹⁴ Yet the nature of the digital realm renders people anonymous by default. This is because a person's "online" identity is highly mediated (people experience each other through various hardware and software interfaces, and data encoding and formatting), non-fixed (a person's identity attributes are dynamic across time and easy to change) and referential (digital identifiers do not stand-alone, but are defined by reference to the physical person).¹⁵ Consequently, digital identification and authentication has proved a challenging matter.¹⁶ This is especially so for an institutional control like LE whose viability is largely predicated on being able to identify and authenticate persons, and whose responsibility has been sidestepped or outright rejected as society migrates to the digital environment.

8. See Roger Clarke, The Digital Persona and Its Application to Digital Surveillance, 10 INFO. SOCIETY 25 (1994), available at http://www.anu.edu.au/people/Roger.Clarke/DV/DigPersona.html ("The digital persona is a model of the individual established through the collection, storage and analysis of data [and information] about that person. It is a very useful and even necessary concept for developing an understanding of the behavior of the new, networked world.").
9. In contrast to federal LE, local LE is tasked to handle frontline criminal law enforcement.
10. See The Free Dictionary, identity, http://www.thefreedictionary.com/+Identity+ (last visited Aug. 27, 2008) (defining "identity" as "the collective aspect of the set of characteristics by which a thing is definitively recognizable or known").
11. See Wikipedia, Authentication, http://en.wikipedia.org/wiki/Authentication ("from Greek αυθεντικός; real or genuine, from authentes; author is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.") (as of Mar. 17, 2009, 15:56 GMT). Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Id.
12. Charles M. Kahn & William Roberds, Credit and Identity Theft, 55 J. MONETARY ECON. 251 (2008).
13. We are by no means unaware that identity abuse happens in the physical/corporeal world. Rather we argue that it is much more efficient and thus scalable in the digital environment, thus making the difference with distinction worthy of special attention.
14. For instance, in a court of law, a witness might authenticate that the Defendant, Tyler Durden, was the person who punched the victim by testifying that he saw the event occur and by pointing to Durden in the courtroom.

In addition, this rejection of the traditional system for establishing or verifying identity and maintaining order has been an amalgamation of unwitting and subconscious decisions, deliberate myopia, and intentional abandonment by those very entities charged with this mandate.¹⁷ Consequently, this has facilitated the online equivalent of Beyond Thunderdome,¹⁸ an environment hallmarked by renegade justice where denizens are largely left to fend for themselves in the absence of social or other institutional protection. The institutional control that has filled this gap is the free market, and more specifically, the financial institutions, credit bureaus, credit card companies, and data brokers influencing economic policy as well as companies willing to accede to and exploit the resulting environment.¹⁹

What people are currently experiencing is the preliminary consequence of the privatizing and outsourcing of their digital identities – the digital personae²⁰ and its component artifacts – to the free market. This is in contrast to how people's carbon-based personae and its component artifacts²¹ have heretofore been defined; recorded and issued by the government directly via law, policies, and regulations and indirectly by the social norms and expectations that evolve from these mechanisms. Instead, free market forces, often bereft of regulation, are defining people's digital personae using code, the brainstem and language of technology, as its handmaiden.

The use of code to implement policy is not undesirable. It is prudent and necessary in the context of an IT society. The critical question is not whether code is the mechanism by which identity is established. Rather the question is: what is the underlying policy that is promulgated via code? Code that is informed by policy and intended to address the security and wellbeing of citizens is desirable. But code, driven by free market policy (i.e., maximization of wealth for corporate owners and managers), risks the creation of an environment where personal identity is treated simply as a commodity. As a result of this latter dynamic, citizens are at risk of being placed in a grossly unequal bargaining position from which to exercise control over their personhood. This control includes establishing and maintaining integrity in one's digital persona.

At present, there is a conflict between the values embedded in the free market use of technology and the values catalyzing the public policy debate regarding digital identity management.²² What has resulted is a dichotomy between the use of technology to facilitate a free market policy that thrives on the free flow of personal information where our digital identities are the "goods," and the use of technology to safeguard identity information and allow individuals some control over the integrity of his or her digital persona, respectively.

15. See Arthur Allison et al., Digital Identity Matters (Aug. 2003) (unpublished article), available at https://dspace.gla.ac.uk/bitstream/1905/315/1/digiident-all.pdf. Also, anonymity is inherent to the structure and function of the Internet, i.e., the Internet protocol is not built to correspond to a particular person's identity. While each device attached to the Net has a specific address, this address and users of the device can and does change, and even in situations where a fixed address is associated with a fixed device and coupled to a specific user account, it is common knowledge that any number of individuals can be behind the keyboard and/or user account.
16. Hence the resonance of the cliche, "on the Internet they don't know you're a dog."
17. See Susan W. Brenner, Toward A Criminal Law for Cyberspace: A New Model of Law Enforcement, 30 RUTGERS COMPUTER & TECH. L.J. (2004), available at http://pegasus.rutgers.edu/~rctlj/.
18. MAD MAX BEYOND THUNDERDOME (Kennedy Miller Productions 1985). We chose to depart from the oft-cited and antiquated reference to the Wild West, coined by John Perry Barlow in The Economy of Ideas. John Perry Barlow, The Economy of Ideas, WIRED, Mar. 1994, available at http://www.wired.com/wired/archive/2.03/economy.ideas.html.
19. The Organization for Economic Co-operation and Development defines free market as: A free market economy is one where scarcities are resolved through changes in relative prices rather than through regulation. If a commodity is in short supply relative to the number of people who want to buy it, its price will rise, producers and sellers will make higher profits and production will tend to rise to meet the excess demand. If the available supply of a commodity is in a glut situation, the price will tend to fall, thereby attracting additional buyers and discouraging producers and sellers from entering the market. In a free market, buyers and sellers come together voluntarily to decide on what products to produce and sell and buy, and how resources such as labour and capital should be used. The Organization for Economic Co-operation and Development, Free Market, http://stats.oecd.org/glossary/detail.aspID=6264 (last visited Apr. 11, 2009). The authors acknowledge that usage of this term in such a broad sense threatens to encompass so many entities as to be rendered meaningless in the context of criticisms and recommendations contained herein. However, we believe that both the relevant entities and policies can be distinguished for purposes of advancing the dialogue advocated herein.
20. Supra note 8.
21. See Merriam-Webster Online Dictionary, artifact, http://www.merriam-webster.com/dictionary/artifact (last visited Apr. 11, 2009) (defining "artifact" as "something created by humans usually for a practical purpose"). This is the definition we intend when we employ the term "traditional artifacts" in this paper. Specifically we mean, among other things, social security numbers, birth certificates, driver's license, passports, and such, as well as fingerprints.
22. Broadly speaking, DIM refers to technologies, methodologies and policies around the creation, authentication, verification, security, and revocation of identity in the digital environment.

This pernicious dynamic was captured by Henry A. Valetk in his law review article, Mastering the Dark Arts of Cyberspace:²³

For too long, the Internet and global policy have evolved at starkly different paces. On the one hand, communications and software development companies [and now, governments] cave to market forces in a rush to introduce new product features [as well as new services] and woo anxious investors. On the other, policy makers put off enacting any legislative proposals that may impose additional administrative burdens so as to not upset their corporate constituents. This crippling imbalance has created an enormous gulf between user expectations and technology's true potential. Consumers remain too vulnerable in cyberspace, and often hesitate²⁴ before experimenting with the Internet's untapped potential to reach a global audience.

The "imbalance" Valetk refers to has created a predicament for citizens who engage willingly or by necessity in the digital environment. The "vulnerability" has evolved into the social issue du jour – ID crime,²⁵ which owes its existence to the availability, value and disproportionate protection of personal data by the free market, and in some cases, the government.

B. UNRAVELING THE PUZZLE PALACE

American citizens are increasingly aware of this emerging threat as they are barraged by seemingly endless reports of database thefts and the subsequent fear of IDC they rightly raise.²⁶ Citizens are newly aware that the unlawful or wrongful acquisition of identity artifacts, whether traditional or digital, is not only widespread and pronounced, but a means to a criminal or otherwise wrongful end.²⁷ That "end" is the misuse of those personal identifiers and possible corruption of one's digital persona. This is significant as the bulk of people's affairs are migrating to the digital landscape and the digital persona is becoming the sole means of interfacing with it.

23. Henry A. Valetk, Mastering the Dark Arts of Cyberspace: A Quest for Sound Internet Safety Policies, STAN. TECH. L. REV. 2 (2004), available at http://stlr.stanford.edu/STLR/Articles/04_STLR_2.
24. In fact there is a growing debate as to whether or not consumers are "waiting" or whether they are ignorant of the risks. Nonetheless, citizens' dependence on the services of business and government leaves little opportunity for choosing whether to engage in the digital environment.
25. We have seen other iterations of this crisis: worm/virus crisis, the spam crisis, the interoperability crisis.
26. See Privacy Rights Clearinghouse, A Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Aug. 12, 2008).
27. See Privacy Rights Clearinghouse, Public Attitudes About the Privacy of Information, http://www.privacyrights.org/ar/invasion.htm (last visited Aug. 12, 2008).

Are we at a crisis point with our digital personae, and if so, how did we arrive here? What has society's initial reaction been to this crisis? What should society's response be? This work will provide a conceptual framework for understanding and addressing these questions in the following three sections.

Section I defines the problem by dissecting core concepts of "identity" and "authenticity", and the issues surrounding the definition, statistics and analyses of IDC. Section II addresses the current, general state of digital security and related cybercrime, paying particular attention to the relationship between information security and free market forces. This examination exposes the radically shifting role and rising monetary value of personal identifying information (PII), and how this rapid evolution is having a profound effect on the digital persona as reflected in IDC. Included in this section is an assessment of the legislature's historical role in addressing digital security and privacy issues, including the direct and indirect effects and implications of its policy decisions on the creation and protection of the digital persona. Furthermore, Section B will briefly analyze how the judiciary has wrestled with IDC, and its most recognized derivate, ID theft, in both the database breach and civil contexts. In doing so, this section contends that current jurisprudence has disincentivized digital security for data holders, essentially turned its back on the victims of data breaches and IDC, and is contributing to a growing chaotic digital environment.

The examination culminates in Section III which underscores and synthesizes the role of LE in ID theft ("IDT") issues. This final section focuses on how LE can play a vital and fundamental role in understanding the nature, scope and extent of the identity crimes that embroil society. In doing so, this section examines the current role LE plays in addressing unlawful activity, ID crime in particular. Based on this assessment that LE's role is largely passive, disorganized, and under-resourced,²⁸ this section conjectures what the future holds if this dynamic continues. Lastly, this section will offer recommendations for a significant change in policy and procedure to better enable LE to advance its value and capabilities in addressing identity crime.

28. This includes both a shortage of funding and inadequate training, which most certainly correlates with the relative passivity and disorganization.

II. DEFINING THE PROBLEM

A. IDENTITY AND AUTHENTICITY IN CYBERSPACE – WHO ISSUES AND STAMPS THE "PASSPORT"?

More robust responses to the opening questions are developed by coming to terms with core concepts: identity and authenticity in the digital environment. First, agreeing that digital objects have different properties than physical objects (i.e., my carbon-based person is not the same as my digital person) identity in the digital environment is based on assertions of one's physical identity. These assertions are the "digital persona" – the individualizing, socially-meaningful attributes of personal identities upon which individuals and entities assess who they are dealing with in the digital environment.²⁹

The digital persona is a set of attributes – such as real name, physical address, telephone number, username and password, PIN, account number, IP address, birth date, Social Security Number ("SSN"), passport number, behavioral patterns, and biometric information – that form one's expectations of the physical entity behind the digital transaction or communication, and upon which digital communication and transactional decisions are based.³⁰ The meaning of digital persona is evolving piecemeal and oftentimes unconsciously or implicitly by legislation, regulation, jurisprudence, business practices, and cultural expectations. Similar to identity in real space, digital identity attributes are the progeny of the confluence of the law, information technology, and social institutions and norms, all vehicles that control relationships between people, organizations and objects. Therefore, a crime against identity necessarily indicates discordance between these controls that define persons. As such, IDC is a manifestation of the conflict between the free market policies and public good policies embedded in the uses of IT to manage digital identity.³¹

The second core concept upon which to address the problem of IDC is authenticity. To back into this understanding, the more familiar notion of credibility must be the starting point. Credibility in one's digital environment – the corpus of one's electronic transactions, communications and other relationships – hinges on the establishment of a trustworthy digital persona, which in turn is predicated on reliable, digital, artifacts.

29. See Stan Karas, Privacy, Identity, & Databases, 52 AM. U. L. REV. 393 (2002) (discussing how assertions gain value if their compromise leads to damages to any of the parties involved - the subject and others involved, the parties consuming/relying on the data, or the parties vouching for).
30. In comparison, our offline identity is manifest by physical appearance, behavior and location attributes which we rely on our senses and perceptions, and institutional assertions to distinguish between persons.
31. Note that policies are a reflection of underlying values.

Technology-based credit systems and commercial transactions and services between and among persons and organizations depend on reliable information, of which trustworthy personae and artifacts are a major part.³² To the extent that artifacts lack authenticity, the greater the risk that social and legal fictions will be created to maintain the perception of trust and stability.

A fundamental characteristic of a trustworthy³³ digital persona is authenticity³⁴ – the provable link between the identifiers comprising the digital persona and the physical persona.³⁵ The information comprising the digital persona is that which is expressive and exploitative of identity, and its authenticity is the degree of correspondence to one's carbon-based being.³⁶ So while persons may have multiple digital personas, authenticity is an objective reference to which any number of digital personae can attach. In turn, relationships that form within this digital environment are based on assertions about these personas, and more importantly, on presumptions and expectations about their trustworthiness. These relationships are commercial, personal and/or purely utilitarian in nature.³⁷ The more authentic the persona, the more the relationship is predictable, beneficial, and the risk of deception is minimized.

32. Personal and business transactions and communications are more frequently occurring across open networks within the larger Internet, oftentimes involving no prior, established physical world relationships.
33. See Ann Keith, Trends in Identity Theft, Future Trends in State Courts (2005), available at http://contentdm.ncsconline.org/cgi-bin/showfile.exeCISOROOT=/criminal&CISOPTR=175; Phillip Hunt & Prateek Mishra, Oracle Identity Governance Framework (2006), available at http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF-Overview-02.pdf. Trust is not a binary characteristic, but rather, is tunable. Id. The level of trust with which an identifier refers to a specific person may vary based on the purpose of the transaction/communication/relationship. Id.
34. See Merriam-Webster Online Dictionary, authentic, http://www.merriam-webster.com/dictionary/authentic (last visited Apr. 11, 2009) (stating that "authentic implies being fully trustworthy as according with fact. . . [and] it can also stress painstaking or faithful imitation of an original").
35. Some may posit that the digital persona and the physical persona are just different contexts of "identity." We use physical identity as the referential, foundational identity because it is the context around which society has structured its norms, laws and relationships.
36. See Matthew D. Ford, Identity Authentication and "E-Commerce", 3 J. INFO. LAW AND TECH. (1998), available at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_3/ford/ ("Identity authentication is the process whereby some chosen attribute of a real-world entity ("the distinguishing character or personality of an individual") is demonstrated to belong to that entity."). It is based on one/more of the following principles: something the claimant knows; something the claimant owns; something the claimant is; and may include that the claimant is at a particular place at a particular time. Id. Common identity authentication systems include passwords, physical tokens, biometrics and digital signatures. Id.
37. For instance, interactions with the government.

Conversely, the more dubious the persona, the greater the risk of deception, accompanied by an inefficient avoidance of risk. A digital environment wrought with heightened risk will inevitably result in some degree of uncertainty, contempt for social institutions, corruption and counter-productivity.³⁸

B. UNDERSTANDING THE SCOPE AND PREVALENCE OF ID THEFT: TACKING JELL-O TO A WALL

It was previously suggested that society's perceptions about the IDC crisis flow from its knowledge and beliefs on the subject matter. This section will begin examining the "facts" and the societal dialogue which give rise to the knowledge and beliefs about IDC which society is internalizing and/or taking for granted.

The confusions surrounding the definitions, statistics and tracking/analyses of IDC have converged to make understanding the nature and scope of the problem arduous at best. There is no shortage of media accounts highlighting the IDC problem, not the least of which are the satirical primetime television ads that anthropomorphize identity data muggings.³⁹ IDC self-help tips abound, and a telltale indicator that the issue has hit primetime is the fact that the market now offers identity theft protection services and insurance policies.⁴⁰ Yet these are secondary symptoms rather than first source evidence of the IDC problem. The real indicator is what underlies these surface warnings for only here can one begin to understand the scope, extent and dynamics of IDC.

Society lacks objective, reliable, and comprehensive statistics on cybercrime in general, and IDC in particular. This truth raises questions about the validity of the underlying "knowledge and facts" about IDC. Take, for example, some notes of caution presented in the General Accounting Office's ("GAO") initial, groundbreaking 1998 report on IDC:⁴¹

"Identity fraud is difficult to track because there is no standardized definition."
"Generally, the law enforcement officials we contacted told us that their respective agencies historically have not tracked identity fraud."
"We found no comprehensive statistics on the prevalence of identity fraud. . ."

In 2005 the Department of Justice, engaged two experienced criminologists to prepare the document, one of the most comprehensive literature reviews ever done on identity theft.⁴² The purpose of the work was to, "[review] available scientific studies and a variety of other sources to assess what we know about identity theft and what might be done to further the research base of identity theft."⁴³ Here are a few of the conclusions from the 2005 Review:

"This paper departs from the usual format of a literature review because there is very little formal research on identity theft per se."
"The biggest impediment to conducting scientific research on identity theft and interpreting its findings has been the difficulty in precisely defining it."
"There is no national database recorded by any criminal justice agency concerning the number of identity theft cases reported to it, or those disposed of by arrest and subsequently prosecution."
"False at present no way to determine the amount of identity theft confronted by the criminal justice system."
"Most police departments lack any established mechanism to record identity theft related incidents as separate crimes."⁴⁴

Further, in a Summer 2006 publication in the Journal of Economic Crime Management titled The Ongoing Critical Threats Created by Identity Fraud: An Action Plan⁴⁵ authors Gary R. Gordon and Norman A. Willox raise, among others, the following points:

38. Deception is defined here as the exploitation of cognitive assumptions.
39. See Citibank Identity Theft Commercials, http://www.identitytheftsecrets.com/videos/citibank_identity_theft_commercial.html (last visited Aug. 13, 2008). In 2007-2008 Citibank ran a series of humorous television advertisements that uniquely personalized the IDT problem. Id. In the ads, identity thieves speak through their victims in an overdubbed voice track, and describe their illicit purchases. Id. The humor comes from the dissonance between the personae of the victim and the thief.
40. See, e.g., CNA NetProtect, http://www.cna.com/portal/site/cna/menuitem.489f2511a757a1a1df88e0f2a86631a0/vgnextoid=2c9f65683c2fe010VgnVCM1000008f66130aRCRD (last visited Aug. 15, 2008); AIG netAdvantage, http://www.aig.com/Network-Security-and-Privacy-Insurance-(AIG-netAdvantage)_20_2141.html (last visited Aug. 15, 2008); LifeLock, http://www.lifelock.com (last visited Aug. 15, 2008); Debix, http://www.debix.com/ (last visited Aug. 15, 2008); TrustedID, https://www.trustedid.com/ (last visited Aug. 15, 2008).
41. U.S. GENERAL ACCOUNTING OFFICE, IDENTITY FRAUD: INFORMATION ON PREVALENCE, COST AND INTERNET IMPACT IS LIMITED (1998), available at http://www.gao.gov/docdblite/info.phprptno=GGD-98-100BR.
42. GRAEME R. NEWMAN & MEGAN M. MCNALLY, IDENTITY THEFT LITERATURE REVIEW (2005), http://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf. The report was prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and. Id.
43. Id. at 5.
44. Id. at iv-vi.
45. Gary R. Gordon & Norman A. Willox, Jr., The Ongoing Threats Created by Identity Fraud: An Action Plan, 4 J. ECON. CRIME MGMT. 1, 1 (Summer 2006).

txtunknownSeq:1320-MAY-0913:322008]BEYONDWHIFFLE-BALLBATS59"Whiletherehasbeensignificantattentionfocusedonidentitytheftissues,littleprogresshasbeenmadetoquantifythesizeandscopeoftheproblem.
""Littleprogresshasbeenmadeindevelopinganationaldatabaseofidentityfraudincidents.
"46Andfinally,thelatestGAOreportonIDTanddatabreachnotifica-tionpublishedinJune2007indicatedthatlittlehaschangedregardingthelackofcomprehensible,reliabledataonIDtheft.
Thetitleisperhapsthegiveawayhere:PersonalInformation:DataBreachesAreFrequentbutEvidenceofResultingIdentityTheftIsLimited;However,theFullExtentisUnknown.
47Essentially,whiletherehavebeensomeminorimprovementsatthestatelevel,industry,policymakers,andlawen-forcementarebasically"flyingblind"whenitcomestoanaccuratemea-surement,andthereforelackunderstandingofthescopeandnatureofIDCinAmerica.
48ThislackofobjectiveandreliablemethodstomeasureIDCisoneofthehallmarksofthebroaderissueconcerningcybercrimeanddigitalse-curity.
Simplyput,thereisinsufficientaccuratedataoncybercrime(ofwhichIDCisasubset)uponwhichtodrawreliableconclusionsandmakeinfluentialeconomicandsocialdecisions.
49Forthemostpart,thedataavailableandmostquotedisanecdotalandthereforeoflimitedutility.
1. A Cracked Definitional Foundation

Pinpointing the definition of what constitutes ID theft is a prerequisite to determining liability for its occurrence, crafting incentives for preventing and responding to IDC, developing reliable measurements of its scope, and ascertaining whether or not society is in the midst of an IDC "crisis." We suggest that stakeholders are defining what ID theft is, and when it occurs, based on incomplete, or at times inaccurate or misleading information. The adequacy and questionable quality of the information was touched upon in the previous section.

46. Id. at 1-2.

47. U.S. GOVERNMENT ACCOUNTABILITY OFFICE, PERSONAL INFORMATION: DATA BREACHES ARE FREQUENT BUT EVIDENCE OF RESULTING IDENTITY THEFT IS LIMITED; HOWEVER, THE FULL EXTENT IS UNKNOWN (2007), available at http://www.gao.gov/new.items/d07737.pdf [hereinafter PERSONAL INFORMATION].

48. Id. at 4 (reporting that North Carolina and New York now maintain centralized databases on data breaches). This is a significant step in firming the reliability of digital crime data.

49. See Friedrich von Hayek, The Use of Knowledge in Society, 35 AM. ECON. REV. 519 (1945), available at http://www.virtualschool.edu/mon/Economics/HayekUseOfKnowledge.html (characterizing the economic problem as "a problem of the utilization of knowledge which is not given to anyone in its totality").
Until the defining of IDT evolves from a self-serving, discretionary exercise to one that anchors on existing statutory definitions or some other authoritative consensus, measurements and responses will continue to be divergent and/or contradictory. Implicit in any definition of IDT is the element of when the theft is deemed to have occurred, thereby carrying significant consequences for where to allocate the responsibility to prevent IDT as well as where to assign liability for any recoverable damages or losses due to IDT.

A major reason for the confusion surrounding IDT is the disagreement over its definition. That definition breaks down along two broad playing fields: criminal law and civil law. From a criminal law perspective there are investigatory and prosecutorial challenges when charging someone with IDT, which certainly affect IDT crime statistics.50 However, the prosecution of identity theft is largely ministerial insofar as it is anchored around the plain language of a criminal statute. When an individual is criminally charged with IDT the courts will simply look to the relevant statute for the definition. The elements are laid out and then compared to a set of facts in the particular case. While there are two main types of criminal statutes defining ID theft, one that is triggered by the subsequent use of the data taken, and the other triggered by the intent to use the data in an unlawful manner, this paper suggests in the criminal context that this is a relatively straightforward decisional process. While there may be the usual strategizing and evidentiary challenges in proving the elements, there is little to no confusion that the plain language of the statute is the controlling authority for defining the crime of IDT.51

50. For instance, an identity thief may be charged with any number of criminal violations that may be a subset or superset of the specific IDT penal code section, not to mention that stats only reference the highest charge. In California, there are some 66 charges within the Penal Code that can be/have been related to IDT. Examples include: Forgery of Check; Possession of a Forged Instrument; Making, Possessing, and Uttering Fictitious Instruments; Acquisition of a Stolen Card; Sale or Receipt of an Access Card to Defraud; Acquiring Access Card; Acquiring Access Card Account Information without Permission; Changing Access Card so Other Than Cardholder is Billed; Pretending to be a Credit Card Holder without Consent; Petty Theft – Using Fictitious Access Card; Possession of Incomplete Access Card; False Personation; Use Personal Identifying Information of Another.

51. DEL. CODE ANN. tit. 6, § 12B-102 (2008) (effective June 28, 2005). For instance, Delaware's law reads: "if the investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident." But California's Civil Code, section 1798.29 reads: "(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." CAL. CIV. CODE § 1798.29 (2008).
Understandably, the definitional problem has thus far been portrayed as a lack of uniformity between and among the definitions in the forty-nine state statutes and the two primary federal statutes.52 But, is that currently the definitional malady that is obstructing one's ability to accurately assess the nature and scope of IDT? One novel contention is that the overlooked problem with defining IDT festers outside of the criminal arena. The key battle on the definitional front occurs on the civil turf, and more specifically, within the emerging world of data breach notification jurisprudence. For it is here where society is confronted with the reality of over seventy-nine million breached files53 occurring as a result of data breaches. How institutions handle these breaches influences the citizens' and legislators' beliefs and perceptions about the prevalence of IDC in the U.S. The foremost shaping of those perceptions lies with society's system of jurisprudence, where the IDT is implicitly being defined in lawsuits within the context of perhaps the greatest threat to PII – data breaches.

What has emerged, therefore, are two pools of IDT data – traditional crime statistics from law enforcement reports and invalidated reports and claims seeking civil remedies for identity misappropriations. On the civil turf the parties involved are not attempting to collar the perpetrator for committing the crime of IDT against them, rather, they are seeking to hold PII holders responsible for harm to them that results from the unauthorized access of that PII.

The issue is not who is at fault, but who should bear responsibility, and specifically, when that responsibility is triggered. The significant nuance is that in seeking civil liability for IDT, parties are not referencing any of those plain statutory definitions to make the first order determination of when and if IDT occurs in order to support their claims that the data holders should be held responsible. This disregard of statutory definitions and reliance on an argument that ID theft has not occurred via "unauthorized access and transfer of personally identifying information by someone with the intent to use the data in an unlawful or wrongful manner," forces victims to remain virtually frozen in a reactionary posture.54 Policy (whether via judicial rulings, legislation or regulation) that makes citizen-victims wait for their PII to be actually misused in order to claim the theft occurred and recover damages reinforces a legal regime that disincentivizes responsibility for preventing the harm from the loss of PII.

So we cannot compare and accrue apples to apples across the civil and criminal IDT cases, but in addition to ongoing challenges and failures to resolve IDT criminally,55 we have a poor inventory of the "apples" in the civil orchards that comprise the majority of the IDT harvest.

52. See NEWMAN, supra note 42.

53. This figure is the estimate provided by the San Diego-based Identity Theft Resource Center ("ITRC"). Mark Jewell ap, Record Number of Data Breaches in 2007, Dec. 30, 2007, available at http://www.msnbc.msn.com/id/22420774/. Attrition.org, on the other hand, claims the figure is 162 million "records." Id. "Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year." Id. We employ the words "files" and "records" here to connote information held in a database containing personally-identifiable information directly relating to an individual.

54. NEWMAN, supra note 42.
a. Statutory Definitions of ID Theft

The Identity Theft Assumption and Deterrence Act of 1998 ("ITADA"),56 the first federal statute to define ID theft as a "stand alone" crime, defines it as:

[to] knowingly transfer[], possess[], or use[], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet . . . any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. . .57

We argue that the "intent" standard articulated in this statute must signal a concern on the part of the Congress with the simple access to and transfer of the data in question, as opposed to a requirement of misuse of the data. This language in the ITADA is proof that Congress was aware of the harmful and pernicious effects of this data simply being in the wrong hands, irrespective of the eventual use or non-use of the data in question. If this posture is correct, the ITADA definition of when ID theft occurs calls into question numerous court decisions in negligence claims which found that losses sustained for heightened credit monitoring services and other claimed harms are not recoverable because they are incurred for fear of future injury from future ID theft.58 Regardless of how the losses are characterized or how little time has passed since the breach, if the federal statute carries any authoritative guidance, and if the data can be shown to be the target of the breach, ID theft has already occurred and the individuals in question are victims of an ID theft.

55. See von Hayek, supra note 48. It is by no accident that IDT is well-accepted as a low risk, high reward crime.

56. Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318 § 5, 1998 (112 Stat.) 3010 (codified as 18 U.S.C. § 1001) [hereinafter ITADA].

57. 18 U.S.C. § 1028(a)(7) (2006) (emphasis added).

58. See, e.g., Am. Fed'n of Gov't Employees v. Hawley, 543 F. Supp. 2d 44 (D.D.C. 2008). This includes but is not restricted to: emotional distress, legal fees incurred as a result of receiving notification of a data breach, future financial harm, damage to credit record. Id.
On the other hand, The Fair and Accurate Credit Transactions Act ("FACTA"), which amended the Fair Credit and Reporting Act ("FCRA"),59 defined identity theft in a civil rather than criminal context noting that:

The term "identity theft" means a fraud60 committed using the identifying information of another person, subject to such further definition as the [Federal Trade Commission] may prescribe, by regulation.

It is logical to expect that in a negligence claim, given that it is a civil matter, the court and stakeholders will employ the FACTA definition. As mentioned, there are strong policy arguments that suggest the courts and stakeholders should do otherwise. The reason for noting this "definitional purgatory" is not to argue which statutory definition should govern, as policy is discussed later in the paper. The point here is to advocate that whatever definition governs in data breach cases, the rationales and decisional underpinnings should be explicitly and transparently present in the discussion of ID theft. It is the lack of transparency, and indeed, lack of any debate on the issue that this paper laments.61 Long overdue, such a debate would have a profound impact on how data breaches are prevented and responded to since the definition is vital to the allocation of responsibility. Such a debate, when understood by the academics in question, will go a long way to substantiating and clarifying the ID theft literature that serves to raise public awareness and inform policy related to data breaches.

The three manifestations of this cracked definitional foundation in the civil turf are:

1. Courts and attorneys in data breach negligence lawsuits that grapple with what will trigger recoverable damages/losses for the victims whose identities are compromised from the breach.

2. Organizations challenged to comply with statutorily-imposed duties to safeguard PII which has been compromised in a data breach.

3. Researchers and policy analysts in the private and public sectors who are tasked with profiling the extent and nature of ID theft across various demographics.

The current processes employed by all three stakeholders identified above are a cause and effect of the cracked definitional foundation in that the parties involved employ specious decisions guided by opaque reasoning and often inconsistent or incomplete methodologies. This confluence creates responsibility shifting, misplaced liability determinations, and contradictory public policy decisions.

59. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 2003 (117 Stat.) 1952 (codified as amended at 15 U.S.C. §§ 1681a-1681x) [hereinafter FACTA], available at http://www.ftc.gov/os/statutes/031224fcra.pdf.

60. We suggest it is worth keeping in mind that there are two traditional and contradictory legal definitions of the word "fraud." The more restrictive definition limits the term to financial wrong. The more expansive definition defines the term as, in general, something "wrongful" done to the victim. Employing the latter term could mean that the unlawful transfer of a person's PII is enough to trigger the FACTA definition.

61. The debate does threaten to break out in one case, Pisciotta v. Old Nat'l Bancorp, discussed infra.
i. Courts and Attorneys

It is in both individuals' and society's interests that proactive steps are taken to prevent IDC. Responsibility can be allocated for proactive measures in a variety of ways, ranging from leaving individuals to bear the risk of the theft of their personally identifiable data, to spreading the risk across society. Currently, when an individual whose identity is compromised in a data breach receives notification, he is initially challenged to ascertain how likely he is at risk of further injury and contemplate taking reactive and proactive steps. Should he engage proactive steps such as credit freezing, if in fact he is eligible for such, or take reactive steps such as credit fraud monitoring to at least limit the potential for suffering harm?62 When should these measures be undertaken?63 Individuals may be reluctant or incapable of bearing the cost of measures necessary to diminish risks that are created by events out of their control and through no fault of their own. Or, they may simply be confused by how to respond and therefore hire professionals to provide guidance and services.

Traditionally in the current legal system, victims can recover for harms they incur under negligence or strict liability theories. However, the victim of a data breach is confronted with a conundrum that pits the strictures of the law against the realities of IDT victimization.
The law demands a showing of actual injury as a result of the breach.64 Is the compromise of PII and the consequent need for preventive measures injury, in and of itself, or is that only speculative injury from potential future misuse of the data? Does ID theft, the tortious injury, occur when the data was taken or only if the data is subsequently misused?

This is a crucial distinction for victims of IDC and officers of the court who serve them, for the answer has significant consequence for individuals' recoveries, preventive safeguards for future victims, and public policies about how IDC losses are amortized. If IDC injury (actual injury) occurs when the data is taken, the costs should be borne by the party who could more efficiently65 prevent the harm from the breach.66 If on the other hand, the ID theft injury is deemed not to have occurred until some speculative time in the future when the data is misused in a manner that can be specifically traced back to the breach, then it is less clear who should bear the cost of prevention.

Surprisingly, inasmuch as the published opinions shed any light on the matter, victims' attorneys in data breach class action lawsuits have disregarded the statutory definition guidance and have instead framed the issue as a matter of prevention of future injury from ID theft.67 In the immediate wake of a data breach which exposes victims' PII, and in the absence of ID theft statutes which define it otherwise, it may seem commonsensical for attorneys to craft their case around the presupposition that ID theft has not yet occurred.68 However, in the face of existing statutory definitions that assert otherwise, and if relied upon would eliminate the need to persuade the court to embrace innovative damages theory, common sense be damned. As revealed below in an examination of cases where the defining of ID theft was seminal, the plaintiffs would have been better served by availing themselves of an existing definition and not the one they ultimately advocated.

Unsurprisingly, courts have accepted victims' counsel's presentation of the issue and have thus concluded that since actual injury has yet to occur, the costs incurred to prevent future harm are not recoverable.69 The result is usually case dismissal on the grounds that the requirement to show harm, a necessary element in any tort case, has not been met.

The reasons for the judiciary's passive acceptance of this definitional framing are hard to ascertain. To be sure, it is not the judge's role to raise the issues and make the case given victims' counsel's failure to present the IDT as a current injury under a statutory reading of the definition of IDT. However, it is certainly not unheard of for courts to use discretion and take an active role in issues where public policy considerations demand that determinations of responsibility be embraced. We advocate that the public policy issues raised by IDT justify such engagement.

It is now necessary to shift from officers of the court to organizations incurring a data breach to further illustrate where individuals are making decisions predicated on unfounded assumptions about the definition of ID theft.

62. See Wikipedia, Credit freeze, http://en.wikipedia.org/wiki/Credit_freeze (explaining "[a] credit freeze, also known as a credit report freeze, a credit report lockdown, a credit lockdown, or a credit lock, allows an individual to control how a U.S. consumer reporting agency [also known as credit bureau: Equifax, Experian, TransUnion] is able to sell his or her data.") (as of Apr. 7, 2009, 22:40 GMT). The issue of eligibility to file a credit freeze stems from the fact that there are several legal hurdles one must navigate around before one can seek a credit freeze.

63. This information is based, among many other things, on the authors' combined experience with dozens of prospective clients who have consulted the authors in the wake of receiving a letter informing them that their information may have been compromised as a result of a security incident. The language in the notification letters often resembles something like the language posted on a VA website. For example, "The Department of Veterans Affairs believes it is good practice for all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions, and to immediately report any suspicious or unusual activity." Latest Information on Veterans Affairs Data Security, http://www.usa.gov/veteransinfo.shtml#should (last visited Apr. 11, 2009).

64. See ANDREW SERWIN, PRIVACY 3.0 – THE PRINCIPLE OF PROPORTIONALITY, (West Publications 2008). The author states:

Both Warren and Brandeis, as well as Prosser, explicitly rely upon tort enforcement for privacy violations. However, a model that relies upon tort enforcement is doomed to inconsistent results because relying upon tort enforcement ignores the reality that many privacy breaches that should give rise to a remedy of some sort, particularly in the case of truly sensitive information, do not because there is no "damage" suffered by the individual as a result of the breach. As discussed below, this has been an issue for courts, and will continue to be one as long as we rely upon common law models.

Id.

65. By "efficiently" we mean the best result for the lowest cost.

66. Clayton P. Gillette, Rules, Standards, and Precautions in Payment Systems, 82 VA. L. REV. 181, 184 (1996) ("Where multiple parties [i.e., either customers or financial institutions] could take . . . precautions, regulations, should, therefore, place the obligation in the party who can avoid the loss at the lowest cost.") (citing Robert D. Cooter & Edward L. Rubin, A Theory of Loss Allocation for Consumer Payments, 66 TEX. L. REV. 63 (1987)).

67. In all of the cases we have reviewed, it appears to us that the plaintiffs' attorneys have operated pursuant to a theory that the unauthorized acquisition of compromised data is not, in itself, ID theft.

68. Having not accessed the briefs that would shed light on this decision we are only left to infer that the attorneys reached this decision given that the judges in question assume the matter has been put to rest. Had this not been so, one would expect to see more of an argument from the judge regarding why the attorneys had reached the wrong conclusions regarding what is ID theft and when had it occurred.
ii. Entities That Have Experienced a Data Breach

In the wake of detecting a data breach the organizations often have a legally imposed duty, via data breach notification ("DBN") statutes, to determine whether they must disclose the breach to the individuals whose PII has been compromised.70 This has the practical effect of alerting the general public of the breach.

Initially, this determination did not allow for much discretion.71 If the data was unencrypted and breached, the notification requirements were triggered. However, as numerous states followed California's lead in passing DBN statutes, the statutory duty to notify became more intricate, allowing for considered judgment by breached organizations.72 Some states began to require a self-determined finding that the individuals were at risk of some future harm, sometimes explicitly from ID theft, before the duty to notify was triggered.73 Proposed federal law which includes a provision to preempt all state DBN laws would require this determination of the risk of future harm from ID theft be made before triggering the notification duty.74

Such statutes implicitly obligate the breached entities to define ID theft in order to assess whether there is risk that it has or will occur as a direct result of breach.75 Note that no criminal charges for ID theft against a breached company are triggered as a result of the breach, and therefore no specific statute governs the definitional assessment upon which the notification is based.76 In essence then, the breached organization is free to use its own standards in reaching a decision.

This is clearly a decision fraught with conflict of interest. On one hand, if it concludes that the trigger has been met (that there is a risk of harm to the individuals in question) the entity exposes itself to significant expenses. These may include, at minimum, negative publicity and loss of public confidence, notification costs and customer attrition.77 If the company is publicly traded, additional costs may involve stock devaluation related to potential legal proceedings, Securities and Exchange Commission quarterly reporting and general shareholder concerns related to the aforementioned data breach expenses.78

On the other hand, if the breached entity concludes that there is little or no current or future risk of ID theft as a direct result of the breach, the entity can lawfully bury knowledge of the breach and the persons whose identities have been exposed are none the wiser. In such cases, there is no public awareness that the event occurred, let alone how the risk decision was made.

In lieu of knowledge about how these first order definitional decisions lead to statutory compliance, it can be surmised that organizations utilize some "methodology" to guide their risk analysis of the likelihood of ID theft in the wake of a data breach. Academic and policy research literature on ID theft is a reasonable bet, yet as described below, it is the third arena that perpetuates and reflects unarticulated assumptions about the definition of ID theft.

69. We say "unsurprisingly" because our legal system is predicated on an adversarial basis which means the court leaves it to the two party adversaries, the plaintiff and the defendant, through their lawyers to raise and frame issues. If one side wants to 'give away' a point that may not be in their ultimate interest, the court, to the extent it can spot the giveaway in the first place, will clearly oblige the party in question.

70. For a listing of state data breach notification laws, see State Breach and Freeze Laws, http://www.pirg.org/consumer/credit/statelaws.htm#breach (last visited Apr. 11, 2009).

71. For example, California's data breach notification law applies a strict standard for notification. Aside from exceptions for good faith acquisition, encrypted data, and delay to facilitate investigation by law enforcement, the law requires notification after unauthorized acquisition of PII. S.B. No. 1386, 2002 Cal Adv. Leg. Serv. 915 (Deering) (codified as amended in CAL. CIVIL CODE §§ 1798.29, 1798.82 (Deering 2002)).

72. FACTA, supra note 59.

73. See, e.g., CONN. GEN. STAT. § 36a-701b (2008) (effective Jan. 1, 2006) (applying a likelihood of harm standard); WASH. REV. CODE § 19.255.010 (LexisNexis 2008) (effective July 24, 2005) (using a standard of reasonable likelihood of risk of criminal activity); DEL. CODE ANN. tit. 6, § 12B-102 (2008) (effective June 28, 2005) (using a likelihood of misuse standard).

74. See United States Senator Dianne Feinstein, California, Protecting Your Identity, http://feinstein.senate.gov/public/index.cfmFuseActionsueStatements.View&Issue_id=5b8dc16b-7e9c-9af9-7de7-22b24a491232 (last visited Aug. 29, 2008).

75. Supra note 70. The various state data breach notification statutes are distinct from the respective state identity theft statutes. Nevertheless, the trigger for notification involves assessing whether the threshold has been met. This threshold is quite often based upon the existence or likelihood of identity theft. Therefore, covered entities anchor notification triggers around the definition of identity theft. For example, Arizona's notification requirement is triggered where the breach of security "causes or is reasonably likely to cause substantial economic loss to an individual." Id.

76. There may be criminal actions triggered concerning the unauthorized access and taking of data, but no first party criminal IDT liability for the breached company.

77. PONEMON INSTITUTE, LLC, 2007 ANNUAL STUDY: U.S. COST OF A DATA BREACH 2 (2007). More specifically, costs may include: consulting costs for investigation, attorney's fees, and crisis management; notification letters sent via certified mail; establishing a call center, including incident media expense for the notification/crisis management; credit monitoring costs; and, fines, fees, compliance expenses and defense costs related to regulatory investigation and compliance. Id. Research by the Ponemon Institute estimates that in 2007 the average cost of a data breach was $197 per record, with an average total cost per company of more than $6.3 million. Id.
iii. Researchers and Analysts

The vast majority of academic literature on IDT accurately recounts what IDT is and when it occurs in relation to the panoply of state and federal statutes.79 In so doing, while they are correct in attributing the inconsistency in definitions across statutes as a hurdle to understanding the scope of the problem, they also neglect to account for the non-state statutory charged instances of IDT in civil data breach cases. Similar to the judicial approach, it must be inferred that their definition of IDT is based on a use-manifestation of damages genre of the IDT definition.

This is to be expected because academic and policy research literature anchor off of state identity theft criminal laws and statistical reporting related to same. Therefore, researchers' and analysts' portrayals of the definitional issues focus narrowly on squaring the labeling inconsistencies that arose when the crime of identity theft was afforded its own charge in the midst of legacy law enforcement practices that dealt with IDT under a host of existing crimes involving the use or abuse of financial instruments and/or another's identity.
Forexample,IDTwasoftenchargedacrossaspectrumofcrimes,includingcheckfraud,forgery,theft(robbery,burglary)andotherspe-ciesoffraud.
80InfocusingonthisonesliceofthepiecomprisingIDT,78.
Ifthereisalikelihoodofa"materialloss"tothecompany,basedonthecompany'stotalcapitalizationandannualrevenues,thatcompanymustreportitPursuanttoSection13or15(d)oftheSecuritiesExchangeActof1934.
15U.
S.
C.
§78m(2006);15U.
S.
C.
§78o(2006).
Whilewedonotclaimthatthereautomaticallywillbereasontoassumeacompanywillsufferalikelihoodofa"materialloss"asaresultofadatabreach,wedothinkitpossibleand,insomecases,probable.
79.
SeeGordon&Willox,supranote45,at1;NEWMAN,supranote42.
80.
Newmancharacterizedthedefinitionalproblemasfollows:\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:2320-MAY-0913:322008]BEYONDWHIFFLE-BALLBATS69existingresearchliteraturefailstoacknowledgetheintent-to-misusedefinition,81whichisgroundedinlawotherthanstatepenalcodes.
ThispresuppositionofthedefinitionofIDToverlooksvastnumbersofcases,suchasthosenotedaboveindatabreachsituations,andpaintsapictureofthescopeandprevalenceofitsoccurrencethathasquiteadifferentaffectondecisionsconcerningliability,responsibilityandpublicpolicyregardingIDT.
Forexample,IDAnalytics'oft-quotedwhitepaperonIDtheftisref-erencedinthewakeofadatabreach.
82ItpurportstoputaprobabilityonthenumberofIDtheftsthatoccurinthewakeofabreach,butneverdoesitspecifyoraccountforthedefinitionofIDtheftuponwhichtheseprobabilisticconclusionsarecalculated.
83 Decision makers and the citizenry at large are blissfully unaware of who makes these definitional decisions, what the criteria are for the decisions, and what the rationale is for flouting the intent-based definition espoused in authoritative statutes. The consequence is that opaque conclusions are rendered on issues that are of profound importance to society. What is more disconcerting is that individuals, institutional stakeholders, policymakers and courts likely rely on these academic and pseudo-academic conclusions as a basis for their perceptions, beliefs and actions in addressing IDT in their respective capacities. Discussion now turns from addressing the definitional issues in an abstract manner to demonstrating how they play out in more concrete negligence cases resulting from several notorious data breaches.

The biggest impediment to conducting scientific research on identity theft and interpreting its findings has been the difficulty in precisely defining it. This is because a considerable number of different crimes may often include the use or abuse of another's identity or identity related factors. Such crimes may include check fraud, plastic card fraud (credit cards, check cards, debit cards, phone cards etc.), immigration fraud, counterfeiting, forgery, terrorism using false or stolen identities, theft of various kinds (pickpocketing, robbery, burglary or mugging to obtain the victim's personal information), postal fraud, and many others.
NEWMAN, supra note 42, at 5.
81. As discussed, the ITADA defines ID theft as having occurred at the time of the unauthorized access and transfer of identifying data, if accompanied with an intent by the individual who took the data to misuse it in some unlawful manner. See ITADA, supra note 56.
82. See Press Release, ID Analytics, Inc., Data Breach Harm Analysis from ID Analytics Uncovers New Patterns of Misuse Arising from Breaches of Identity Data (Nov. 7, 2007), available at http://www.idanalytics.com/news_and_events/20071107.html; Carl Weinschenk, Study of Stolen Identity Use Patterns Offers Surprises, IT Business Edge, Aug. 13, 2008, http://www.itbusinessedge.com/item/ci=46755.
83. ID Analytics, supra note 82.

b. The Department of Veterans Affairs Data Breach of 2006

In June 2006, close to twenty-five million military veterans' data was accessed and transferred in an unlawful manner.84 The breach occurred as a result of a daytime break-in at the home of a VA employee who had the data stored on an external hard drive apart from its accompanying computer housing.85 Did the veterans in question suffer ID theft as a result of the breach? There is a strong case supporting an affirmative answer given that identifying information about the Veterans was "transferred" (removed from the employee's possession and control in his home, by someone who lacked "lawful authority") by a home intruder, with the "intent" to use the data to perpetuate future unlawful activity. This is especially true in light of the unlikelihood that the break in and absconding with the hard drive could be tied to a legitimate purpose.
Critics may challenge the intent element by arguing that the burglars may have only been targeting the computer hardware and not the data contained therein. A host of facts from both first source and media reports, however, support the intent element.86 Specifically, the hard drive containing the data was twice removed from the computer encasing – it was located in a bedroom nightstand, separated from the body of the computer which was located in another room on an entirely different floor in the home.87 Further, the external drive was primarily composed of a vast treasure trove of PII, and there were few items stolen during the burglary, if any at all. At a minimum, a rebuttable presumption has been established that the intruders broke in to obtain the data in the hard-drive because it could be used to provide them benefit. Since the legitimate uses of that stolen PII are hard to imagine, the intended unlawfulness of its use is an easy sell. Under this line of reasoning, the veterans whose data was compromised are indeed the victims of ID theft (injury) as a result of the negligence of the VA and the employee in question, and therefore are entitled to reimbursement for any costs they may have incurred attempting to prevent future harm from this ID theft (injury).
It is important to reiterate that the federal statute on ID theft is not controlling here. That is, there are no individuals in the VA case charged with the crime of ID theft. If that were the case, the statutory definition would certainly be controlling. Nevertheless, in cases where the relevant, controlling statute(s) do not offer precise definitional guidance (such as the case with negligence claims for identity theft) it is reasonable to turn to the federal statute as an authoritative guide in determining whether ID theft (injury) has occurred.88

84. See Privacy Rights Clearinghouse, A Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Aug. 17, 2008).
85. Id.
86. Ken McClain, General Counsel for the U.S. Department of Veterans Affairs, Address at the IAPP Privacy Academy (Oct. 26-28, 2005).
87. Id.

The standards for defining when ID theft occurs can be characterized as detection versus manifestation, with the former based on "intent to use unlawfully" and the latter predicated on "provable unlawful use." The detection standard is triggered by the existence of notice on the part of the relevant entities and individuals in question that the data has been taken in an unauthorized manner with the intent to use it in the future for an unlawful activity.89 The manifestation standard, on the other hand, is triggered only by subsequent notice and confirmation that the data in question has been used in some wrongful manner, usually resulting in harm to the victim, and that such use has a legally sufficient causal relationship to the initial theft of the data in question.90 The detection standard is a preemptive standard, in that it permits and calls for action to prevent or at least limit any subsequent harm and places the burden for preventing the harm on the shoulders of the party responsible for the harm in the first place. This is the party whose negligence was found to be a contributory cause for the breach. The manifestation standard, on the other hand, is a reactive standard in that it requires the victims to wait until the harm explicitly manifests itself, and can be proven to have been directly related to the theft in question. This puts the onus for preventing any further harm on the victim, since some harm from the misuse of the data has to occur first before liability is triggered. This is the standard upon which the vast majority of courts have settled.
This examination of the VA data breach exemplifies the consequential significance of the unstated definitional battle in the immediate aftermath of a data breach. This paper now turns to a case that contained many of the same elements of the definitional battle in the wake of a negligence claim emanating from a data breach.

88. We acknowledge that in the VA case the issue of losses incurred for heightened credit monitoring would be moot here given that the VA offered to pay for any such costs. Notably this was in exchange for the compromised individuals agreeing to give up all other civil claims they may have had.
89. Ken McClain, General Counsel for the U.S. Department of Veterans Affairs, Address at the IAPP Privacy Academy (Oct. 26-28, 2005). "Notice" in legal terms can be actual or constructive. BLACK'S LAW DICTIONARY 484 (2d Pocket ed. 2001). Actual notice is "notice given directly to, or received personally by, a party." Id. Constructive notice is notice that arises without regard to actual notice, but as a "presumption of law from the existence of facts and circumstances that a party had a duty to take notice of." Id.
90. See, e.g., RESTATEMENT (SECOND) OF TORTS § 281 cmt. (1965). Legal causation is a two-part analysis. Id. The first question is whether there is a factual link between the defendant's act [or failure to act], and the plaintiff's harm. Id. The second question is more of a policy question, and concerns whether it is in the interests of public policy to hold the defendant liable under the circumstances. Id. If the link between the cause and the harm is too attenuated, or the chain of causation is broken by an intervening event, the defendant will generally be found not liable. Id.

c. Tracy L. Key v. DSW, Inc.91

The fact pattern is familiar enough.
The court noted that:

Between November 2004 and March 2005, Defendant, DSW, collected and maintained credit card, debit card, and checking account numbers and other confidential personal financial information of approximately 1.5 million consumers who purchased merchandise at DSW retail outlets. . . . Because of DSW's alleged improper retention and failure to secure this information, on or about March 2005 unauthorized persons obtained access to and acquired the information of approximately 96,000 customers.92

Tracy L. Key ("Key"), the lead plaintiff in the class action suit, claimed that as a result of the breach she, and the rest of the class:

. . . have been subjected to "a substantially increased risk of identity theft, and have incurred the cost and inconvenience of, among other things, canceling [sic] credit cards, closing checking accounts, ordering new checks, obtaining credit reports and purchasing identity and/or credit monitoring."93

This excerpt, taken from the plaintiffs' complaint, thus implies its lawyers decided that ID theft had not occurred in this case. The court and, one would conclude, the defendant's attorneys, were only too ready to work within the cracked definitional framework the plaintiffs' lawyers provided it. No reasons are proffered for this rather startling stipulation on the plaintiffs' part.
The judge, as a result, felt free to address the relevant damages as issues of fear of future harm, as manifest by his use of the word "future" twenty-one times throughout the five-page opinion.94 Specifically, citing Forbes v. Wells Fargo,95 a somewhat96 similar data breach case, the court noted that the plaintiffs in Forbes, like the plaintiffs in Key, contended that the time and money they spent monitoring their credit sufficed to establish damages.97 The Forbes court rejected that contention and granted summary judgment to the defendant on all counts.98 Like the Forbes court, the court in Key emphasized that the plaintiffs had overlooked that their injuries were solely the result of a "perceived risk of future harm."99 The court stated that the "[plaintiffs] overlook the fact that their expenditure in time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized."100 Consequently, the court ruled that the "plaintiffs failed to establish the essential elements of damages."101

91. Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).
92. Id. at 687.
93. Id. at 688-89.
94. Id.
95. Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006).
96. This case was only "somewhat" similar. We would argue there is a substantial difference between stealing hardware, where the target may be the hardware and/or the data on the hardware versus a remote intruder who hacks into a computer or network looking only for the data on the system. In the latter case we assume there is indication of intent to use the data in some wrongful manner.
97. Forbes, 420 F. Supp. 2d at 1020.

How is the court defining injury from ID theft then? Certainly not by reference to the ID theft Deterrence Act as the term "injury" is commonly understood.
The court went on to expound at length why this case was best understood under the Forbes definition of harm and injury absent any discussion of why it deemed the Forbes rationale valid and applicable to Key.102 Such opaque discussion of important public policy does not serve society well since it perpetuates poorly articulated, definitional assumptions. This ruling, and its like, which adhere to the "manifestation" standard discussed subsequently, will do little to reduce the "future harm" the citizens may suffer from a chaotic digital environment. Indeed, it may very well exacerbate the risk of harm in a digital environment, where because of the tight coupling of actions and cascading damages, the cost of preempting damage will be less than trying to identify and remediate harms afterwards.
2. Quantifying the Problem – Groundhog Day

Another consequence of the definitional quandary is the lack of empirical data about the incidence of IDT. As noted in the preceding section, experts have pointed out the difficulties in quantifying IDC, and specifically, IDT, are compounded by the lack of a precise definition of the crime, and/or act, itself.103 The vast majority of "statistics" on IDC and IDT is information gleaned from what are oftentimes self-serving surveys or self-reporting questionnaires.104 To a great extent society is "flying blind" with regard to cybercrime and ID Theft.105

This method of collecting data on cybercrime is a dramatic shift away from the more traditional, brick-and-mortar crime problems. Examining the latter, society has a plethora of academic, scientifically based, first source literature. This acute lack of knowledge regarding cybercrime metrics is not new.106 It initially manifested itself in 1982 at the first Congressional hearings that led to passing the first comprehensive federal statute addressing cybercrime, the Computer Fraud and Abuse Act ("CFAA").107 A brief examination of this history is called for.

98. Id.
99. Key, 454 F. Supp. 2d at 690.
100. Id.
101. Id. (emphasis added).
102. Id.
103. Gordon & Willox, supra note 46.
104. Id.
105. This is by no means to imply that we are bereft of "information." Rather, we have a bounty of white papers and "peer review lite" articles based on feeble underlying data.
At those hearings a 1982 Department of Justice Report, entitled "Electronic Fund Transfer Systems and Crime," was cited as saying that "no valid data for measuring and understanding the nature and extent of EFT crime [electronic funds transfers]" existed.108 At these same hearings the Department of Health and Human Services published a 1983 Report which concluded with the following: "[a]lthough originally charged to discover the scope of computer fraud and abuse in government programs the task force rapidly became aware this was not possible" due to lack of credible statistics.109 This did not stop the passage of the law.110 Furthermore, at those hearings, suggestions of a mandatory reporting system for cybercrime were discussed but ultimately rejected.111 Now, twenty-five years later, little has changed with this issue in the context of cybercrime reporting. We are still debating the need for more reliable cybercrime statistics and better reporting regimes.

That very little has changed with regard to the concerns articulated at the 1982 hearings contributes to the haphazard reaction to the perceived ID theft crisis today. While there were justifiable excuses for lack of reliable data a quarter of a century ago, the same cannot be said for today. The alleged ID theft crisis is a specific example of how this lack of knowledge affects us today. Next to the definitional quandary, the related lack of reliable statistics is the second contributor to the crippled ability to know the nature and scope of IDT.

106. Encarta English Dictionary, metric, http://encarta.msn.com/dictionary_/metric.html (defining "metric" as: "a standard or a statistic for measuring or quantifying something else").
107. 18 U.S.C § 1030 (2008).
108. See Dodd S. Griffith, The Computer Fraud and Abuse Act of 1986: A Measured Response to Growing Problem, 43 VAND. L. REV. 453, 459 n.41 (1990).
109. Id. at 460 n.43.
110. We are not arguing that it should have, but it should have sent a flare up as to what one of the major problems was in cybercrime, at a time when the United States was poised to move into cyberspace in a meaningful, widespread, and robust manner. Very little has been done to rectify this issue.
111. Griffith, supra note 108, at 460 n.43.

a. ID Theft Statistics – Battle of the Numbers

No matter how one tries to square it, citizen-victims are caught between multiple stakeholders: one group, law enforcement, does not want to be stuck with collecting and studying the data. A second group, business, is hesitant to provide the data in the first place. The third group is well-intentioned government and consumer advocate organizations tasked with marshalling citizen victims' concerns.
Lastly, we have the commercial vendors who are quick to exploit the knowledge gap and information inefficiencies as they trumpet their "must have" products and services to address IDC. All of these stakeholders have vested interests in capturing and portraying IDT statistics.

This section begins with the third group by turning to the Consumer Sentinel, the Federal Trade Commission's national database for collecting ID Theft complaints from citizen-victims. Its creation was mandated by section 5 of the Identity Theft and Assumption Deterrence Act of 1998 ("ITADA").112 It acts as the central repository for consumers to report incidences of "online" consumer fraud as well as ID theft. The FTC's first, and thus far only, comprehensive, multi-year survey on ID theft is an example of the reliability issues in cybercrime reporting.113 The 2003 survey report estimated that twenty-seven million people had been victims of ID theft in the previous five years.114 Coupled with the FTC-estimated 9.9 million (4.6 percent of the population) between 2002 and 2003 alone, the grand total was 38.9 million victims.115 That is a smidgen short of one in four adults in the public at that time. By just about any standard of measure, one could safely argue this is a breathtaking figure.
Surveys debunking or at least claiming to debunk the FTC 2003 numbers were not long in coming.116 Javelin Research117 proffered that "in addition to the FTC's claim of 9 million victims of identity theft in 2004, the vast majority of complaints dealt with traditional forms of theft such as stealing wallets or checkbooks, as opposed to Internet-based fraud" and therefore FTC numbers were misleading.118 In 2004 the FTC reported that there were nine million victims of ID theft fraud. This was down approximately one million from the final 2003 figure of 9.9 million.119 However, a Department of Justice Survey the same year came in at 3.6 million.120 The 2003 study is cited because it was billed as the most comprehensive study of ID theft done by the FTC, the agency mandated by Congress to collect statistics on ID theft. However, there are certainly more recent findings, though they fail to bring clarity to the issues of quantifying ID theft.

Market research firms Javelin and Gartner released studies in 2007 featuring contradictory claims that identity theft is both on the rise and decline.121 The Gartner study claimed that ID theft in America had increased by "more than 50 percent since 2003."122 On the other hand Javelin Strategy and Research cited that "fraud using personal data" was on a gradual [eight percent] decline from 2003.123 The fact that two of the most cited statistical reports can reach such nearly opposite findings speaks volumes about the disparity and disagreement over IDT numbers. In the midst of this battle of statistics, the Federal Trade Commission reported that identity theft continues to be the top complaint received by the agency.124 In 2006, thirty-six percent of complaints received by the agency were about identity theft.125

112. ITADA, supra note 54.
113. FEDERAL TRADE COMMISSION, IDENTITY THEFT SURVEY REPORT (2003), available at http://www.ftc.gov/opa/2003/09/idtheft.shtm.
114. Id.
115. This estimate was based on a combination of phone surveys and complaints from Sentinel. Id. Operating under the assumption that x amount of people who are victims of ID theft never reported their theft to the FTC and comparing the non-reporting number with the total number of people who did respond, the FTC came up with the final figure of 38.9 million. Id.
116. Gartner's 2003 Survey had it at seven million. See Press Release, Gartner, Inc., Gartner Says Identity Theft is up Nearly 80 Percent: 7 Million U.S. Adults Were Identity Theft Victims in the Past 12 Months (July 21, 2003), available at http://www.gartner.com/5_about/press_releases/pr21july2003a.jsp.
117. For more on the Javelin Report cited, see Privacy Rights Clearinghouse, Identity Theft Surveys and Studies: How Many Identity Theft Victims Are There? What Is the Impact on Victims?, http://www.privacyrights.org/ar/idtheftsurveys.htm (last visited Oct. 17, 2008).
118. "Most thieves still obtain personal information through traditional rather than electronic channels. In the cases where the method was known, 68.2% of information was obtained off-line versus only 11.6% obtained online." Id. The authors contend that this premise, offered as an example of meaninglessness of many figures being bandied about, is utterly useless. Given that agonizingly few database breaches were acknowledged prior to the passage of SB 1386 in 2003, the announcements have been nearly nonstop since then. How do we accurately ascertain where, over say, the last ten years thieves have gotten their booty?
119. See Consumer Sentinel, National and State Trends in Fraud & Identity Theft January-December 2004 4, available at http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/clearinghouse_2004.pdf.
120. See Press Release, U.S. Department of Justice, 3.6 Million U.S. Households Learned They Were Identity Theft Victims During a Six-Month Period in 2004 (Apr. 2, 2006), available at http://www.ojp.usdoj.gov/bjs/pub/press/it04pr.htm.
121. Javelin Strategy and Research, U.S. Identity Theft Losses Fall, http://www.javelin-strategy.com/2007/02/01/us-identity-theft-losses-fall-study/ (last visited Aug. 17, 2008); Press Release, Gartner, Inc., Gartner Says Number of Identity Theft Victims Has Increased More than 50 Percent Since 2003 (Mar. 6, 2007), available at http://www.gartner.com/it/page.jspid=501912.
122. Press Release, Gartner, Inc., Gartner Says Number of Identity Theft Victims Has Increased More than 50 Percent Since 2003 (Mar. 6, 2007), available at http://www.gartner.com/it/page.jspid=501912.
123. MSNBC.com, Study: 9.3 Million ID Theft Victims Last Year, http://www.msnbc.msn.com/id/6866768/ (last visited Oct. 14, 2008).
124. Press Release, Federal Trade Commission, FTC Releases Top 10 Consumer Fraud Complaint Categories (Jan. 25, 2006), available at http://www.ftc.gov/opa/2006/01/topten.shtm.
125. Id.
b. ID Theft Risk Analyses – A Data Sausage Factory

It is reasonable to expect that a lack of data (the previously described porous foundation of ill-fitting and inconsistent definitions and suspect statistics) has engendered dubious analytical conclusions. Strained metaphors aside, the sausage is only as nutritious as the parts fed into the grinder.126 This section argues that the defects associated with second order analyses (attribution, victimization and damages) are illustrative of a chaotic information framework perpetuated by the predominance of free market policy.127

Free market policy, which is contemplated as an acute deficiency in governmental regulation mandating the collection and reporting of IDC data, has both exploited and facilitated the knowledge gap between actual occurrences of IDT and recording of same. The values driving the current free market policy are not always advanced by promoting reliable analyses. Reliable analysis is not free. Reliable analysis is the product of cascading costs that come from knowledge-management and accountability costs, and liability and compliance costs, all of which evoke risk controls that can certainly be viewed as barriers to the free flow of information goods and business models.

For these nonexclusive reasons the market does not necessarily incentivize determination of causes and effects of past, current and future harms from IDC. Information, especially PII, is both a commodity and currency in our economy. Until the costs of unreliable information (via dubious attribution, damages and victimization analyses) grow beyond the benefits of the free flow of data, the market will not close that IDC knowledge gap. Sections 2(B) and (C) described the ill-fitting puzzle pieces of statistics on the size and scope of IDC.
The squabbling over second order analyses based on these statistics both further perpetuates, and is fueled by a chaotic information environment.128

126. This also presupposes that the "grinder" is "clean," i.e., there is no self-serving agenda operating on the empirical facts and data.
127. See Asher Shkedi, Second-order Theoretical Analysis: A Method for Constructing Theoretical Explanations, 17 INT'L J. QUALITATIVE STUD. EDUC. 627 (2004). As used herein, second-order analyses are those that interpret qualitative data gathered mainly from first-order accounts: the direct descriptions and explanations of IDT informants (victims, perpetrators, investigators, or other parties who participated in the IDC event). Second-order analyses, such as attribution, damages and victimization, are used in the absence of a full description and explanation of the IDC event and thus involve varying levels of inference on the part of the party producing the analysis.
128. For example, according to Chris Hoofnagle, an expert in data security, and an attorney at Berkeley's Center for Law and Technology:
The FTC's Opinion on Javelin rejects Javelin's findings as 'misleading:' In an email to Wall Street Journal reporter Robin Sidel, obtained under the Freedom of Information Act concerning the Javelin Report, an FTC employee wrote: "Since most surveyed – 74 percent – could not identify the person who stole their identity, and half the 26 percent who could identify the thief either didn't personally know the thief or said it was someone other than a friend or relative, it would be misleading to suggest that the 'Culprit is likely a friend or relative.'"
Comments of Chris Hoofnagle, reprinted in Ryan Singel, Identity Theft Not Down, It's Different, Expert Says, WIRED BLOG NETWORK: THREAT LEVEL, Feb. 2, 2007, available at http://blog.wired.com/27bstroke6/2007/02/identity_theft.html. See Martin H. Bosworth, FTC Findings Undercut Industry Claims that Identity Theft is Declining, Feb. 9, 2007, http://www.consumeraffairs.com/news04/2007/02/ftc_top10_folo.html. The article states:
The FTC complaint findings serve as a counterpoint to industry claims that identity theft is somehow less of a threat these days. A study recently released by Javelin Research claimed that identity theft instances declined by 11.5 percent between 2005 and 2006, with 2006 losses declining to $49.5 billion. The Javelin study was funded by Visa, Wells Fargo, and check-printing company CheckFree.
Id.

The market not only facilitates the knowledge gap, but exploits it as well. Specifically, the gap allows and encourages society to over-generalize about the relative risks present or absent in the digital environment. This overgeneralization, in turn, fuels the human desire to seek control and determinism in the face of chaos or danger. This is to say, it is a truism across all of human activity that in the face of information chaos, where determinism is severely deficient, humans seek to achieve a feeling of control, whether real or perceived. So, individuals and institutions oftentimes create social fictions to fulfill that need to cope and perceive themselves as secure. Coping mechanisms, to be sure, are not inherently bad. They are undesirable, however, to the extent that these social fictions are predicated on selective, incomplete and/or unverified data and are weaved to paint a "truth" that promotes one party's fortune to the detriment of many others. The following types of IDC analyses are illustrations of social fictions insofar as they claim to bring determinism to the IDC knowledge gap – attribution, damages, and victimization. To the extent that any of these analyses are based on impartial data and/or are intentionally manipulative in their motivations, they perpetuate and embed false and ultimately counter-productive perceptions.

i. Attribution Problem

One consequence of the data chaos is an obfuscation of the causes of illegal acquisitions and uses of identity artifacts, a dynamic which allows blame to be shifted to the entities with a weak collective voice. In this situation, it is the citizen victims. Stated differently, this lack of aggregate, first-order IDC data disincentivizes the private sector from taking rightful ownership of the problem. To be sure, ultimate responsibility for IDC resides with the criminal actor(s) and undoubtedly there is a heightened threat from the criminal element, including state-sponsored and enterprise crime.129 However, because of technical, investigative and legal difficulties identifying, tracing, prosecuting and obtaining restitution from perpetrators, losses are shifted and spread among second-order "causes" of IDC.
Attribution claims and associated recommendations abound. While there is clear disagreement about the causes of IDC (the illegal acquisition and uses of identity artifacts) there is consensus that all the vested interests have an opinion.

Ambiguity in identifying the source of data insecurity or responsibility for data stewardship facilitates the justification of any stakeholder's position when identities are compromised. As long as this IDC data inefficiency is allowed to flourish, social fictions and false perceptions will hold sway. Companies such as information brokers, merchants, financial institutions, and the credit reporting bureaus taking advantage of these fictions and perceptions will be allowed to absorb and shift losses associated with IDC. This will be done absent accountability for the wrongful party or transparent debate about who should bear the costs and who should implement the safeguards. Responsibility for the inevitable leak in the dyke and its necessary patches will never be accurately or efficiently addressed. This is made difficult since computer security incidents in a networked environment often have cascading and multiplier effects. So breaches and attribution for resulting IDC do not break down linearly or cleanly between the purported "causes," or potentially responsible entities. As a result, responsibility and liability is a shared obligation when it comes to security in an interconnected society. Given this context, a reasonable accountability scheme should focus on entities at the upper end of the benefit-control continuum, where there is balanced proportionality between the benefits gained from having identity data and the ability to control the security and integrity of that data. While this proposition is not sparking rampant debate, this is less a reflection of agreement than it is the fact that there is scant meaningful dialogue at all. As a result, IDC accountability will continue to be a game of hot potato as long as data related to real causes remains obscured.

129. See Press Release, Dep't of Justice, Prosecution Priorities for ID Theft Working Group 1, available at http://www.atg.wa.gov/uploadedFiles/Another/News/Press_Releases/2006/IDTheft-Priorities.pdf.

Here is a sampling of some of the predominant viewpoints on that attribution analysis:

(a) Blaming the citizen-victim

Increasingly, reports and accounts from defrauded businesses cite vulnerable home user systems as being a major reason why criminals and miscreants are able to access, acquire, and use data to commit IDC.130 The claims are that citizen-victims' negligence in practicing secure computing renders them a significant cause of the IDC problem.131 Corporate-sponsored studies are quick to point out estimates of the significant number of home users' machines that are notoriously laden with malware, thus implicating users themselves as threat vectors into corporate databases.132 A study by Morgan Stanley Consumer Banking alleged increasing fraud levels due in part to unsafe data handling and Internet practices.
A Javelin study alleged that "consumer-controlled" unlawful acquisitions of identity data outpaced those by business seventy-nine to twenty-nine percent, respectively.133 Not coincidentally, this report was funded by Visa, Wells Fargo and CheckFree Corporation, financial institutions which have a strong interest in championing the trustworthiness of online banking as well as shifting blame for any unreliability to citizen-victims so as to avoid the regulatory costs of responsibility for security breaches. Specifically, Javelin went on to pronounce: "[o]ur greatest vulnerability arises from information stolen by family, friends and in-home employees, those whom we trust most and allow the greatest access to our private information. There is no simple fix to this problem False".134

130. Dan Collins, Home Internet Security is Woeful, CBSNews.com, Oct. 25, 2004, http://www.cbsnews.com/stories/2004/10/25/tech/main651163.shtml.
131. Division of Supervision and Consumer Protection, Cyber Fraud and Financial Crime Report (Nov. 9, 2007), available at http://tinyurl.com/4dx4bg.
132. See, e.g., Ed Skoudis, Enterprise Security in 2008: Malware Trends Suggest New Twists on Old Tricks, SEARCHSECURITY, http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1294085,00.html (reporting that there are multiple botnets, each comprised of more than 1 million infected machines); Alexander Gostev, Kaspersky Security Bulletin 2007: Malware Evolution in 2007, VIRUSLIST, Feb. 26, 2008, http://www.viruslist.com/en/analysispubid=204791987 (claiming that 2007 was "the most virus-ridden year to date"); Nick Farrell, One in Four US Computers Infected, THE INQUIRER, June 2, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/06/02/four-computers-infected.
133. See Javelin Report, supra note 117. See also Tom Pullar-Strecker, Banks May Ease Line on Net Code, THE DOMINION POST, July 9, 2007 (reporting that some banks in [country] are proposing to hold customers liable for losing all the money in their accounts up to the overdraft limit if they violate a "code of practices" which entails taking reasonable steps to protect their computers, including implementing "appropriate protective software" such as firewalls, anti-virus and anti-spyware, and patched operating systems).
134. Identity Theft 911, Maze of Contradictory Data Clouds Identity Theft Landscape, http://identitytheft911.org/articles/article.extsp=918 (last visited Apr. 11, 2009).

(b) Blaming institutions handling personal data – lack of incentives and accountability to safeguard.

This viewpoint maintains that IDC proliferates because companies are not effectively incentivized to prevent, detect and/or respond to IDC. This includes implementing more stringent data security safeguards, identifying breaches of identity data, and reporting fraud incidents. As discussed more thoroughly in other sections, the discretion to report breaches and compromises to both victims and law enforcement, the allowance of security self-assessment standards, and the failure to recognize damages to individuals whose identities are breached, create a regime that supports the "antelope herd" mentality.
Here companies know that the lion (a targeted assault for identity data) is ready to pounce, they just don't want to be the antelope unlucky enough to be picked off. So the strategy is to stick with the herd – implement just enough security so as to not appear reckless when the breach occurs and then underwrite the losses as a cost of doing business. To race ahead of the pack would mean increased costs from heightened security safeguards at the front end, which does not necessarily translate into a competitive advantage in the savannah that is the marketplace. In the current market dynamic, racing ahead of the pack in this way would be regarded as a profit margin killer that would pose a formidable threat to institutional survival.

What are the manifestations that incentives and accountability for protecting data are lacking? In a macro sense, we can infer the breakdown via the near "breach-a-day" reports. The numbers speak for themselves, as highlighted by the top breaches since 2000:

1. TJX Companies, Inc. - 94,000,000 breached identities
2. American Express, Visa, Mastercard - 40,000,000
3. America Online - 30,000,000
4. U.S. Department of Veterans Affairs - 26,500,000
5. HM Revenue and Customs - 25,000,000.135

135. 10 Largest Data Breaches Since 2000, http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/10-largest-data-breaches-since-2000/ (last visited Oct. 16, 2008).
136. See, e.g., Michael T. Goodrich, R. Tamassia & D. Yao, Notarized Federated Identity Management for Web Services, 16 J. COMPUTER SEC. 399, 418 (2008), available at http://www.cs.brown.edu/cgc/stms/papers/notarizedFIM.pdf.
137. Id. See also Posting of David Nevetta to InfoSecCompliance blog, Legally Mandated Encryption (Nov. 14, 2008), http://infoseccompliance.com/2008/11/14/legally-man-dated-encryption/ (providing a summary of recent state laws passed mandating encryption of PII data transmitted across the Internet).

To drill down, familiar symptoms of lack of industry accountability include: weak identity authentication protections, deficient internal controls and ineffective auditing safeguards. For one, supporters of institutional accountability point to the fundamentally flawed authentication regimes used industry-wide by most organizations.136 For example, some businesses send and/or store PII in clear-text, making it exponentially more susceptible to ID theft.137 Also, industry relies almost exclusively on Secure Sockets Layer ("SSL") and single-factor authentication to conduct e-commerce with individual customers. While SSL protects data in transit by encrypting it over the wire, it does not address vulnerabilities at the endpoints: the users' home systems and at the recipient business' databases.138 There is widespread knowledge of the prolific threats posed by Trojan horses, keystroke loggers, and spyware on consumers' home systems, which allow thieves to compromise login access to corporate accounts.139 Online financial fraud has grown so serious that the Federal Financial Institutions Examination Council, a government entity that establishes standards for banks, set deadlines for U.S. financial institutions to tighten authentication measures for accessing online accounts.140 Yet, despite this known threat, businesses are implementing authentication protocols based on a lowest-common-denominator mentality, knowing that more rigorous measures are available but choosing not to apply them, absent a pressing incentive to incur the additional expenses.
For example, a recent data theft scam involving "click fraud" targeted Google searchers who clicked on paid ads, to which Google responded by implementing more stringent authentication for premium advertisers given the cost involved in implementing it for all of its member advertisers.¹⁴¹ Certainly those who bear the costs of stronger security should reap the benefits, so those companies who pay for a measure should benefit. However, the reality is that by allowing a lowest-common-denominator authentication regime to exist, a digital interloper who breaches the corporate databases from a poorly authenticated account will compromise the same underlying data that some entities paid more to safeguard. Similarly, some banks choose not to implement more rigorous authentication controls which would reduce illegal use of pilfered identities for citizen customers while doing so for corporate customers based on cost considerations.¹⁴²

138. Id.
139. Daniel Geer, Keynote Address at SOURCE Boston 2008 (Mar. 13, 2008), available at http://www.sourceconference.com/2008/sessions/dan-geer-keynote.html. Geer, one of the foremost computer security specialists in the world, said: In the fall of 2006, I did some back of the envelope calculations that resulted in a guess that 15-30% of all desktops had some degree of external control present. I got a bit of hate mail over that but in the intervening months [Vinton] Cerf said 20-40%, Microsoft said 2/3, and IDG said 3/4. It doesn't matter which is right; what matters is that this changes a core feature of the ecosystem - and changing a core feature is the very definition of a punctuating event. In this case, it actually was not standing up a professional class of attackers any more than in the first go 'round it was a spike in the second derivative of the reported attack rate. What it was that a fundamental assumption of network security has now been breached and there is no putting it back together again. Id.
140. CYBER SECURITY INDUSTRY ALLIANCE, FFIEC GUIDANCE ON AUTHENTICATION FOR ONLINE BANKING: GET THE FACTS 4 (2006), available at http://www.csialliance.org/publications/csia_whitepapers/CSIA_FFIEC_Get_Facts_November_2006.pdf.
141. See Data Theft Scam Targets Google Searchers Who Click on Paid Ads, INT'L HERALD TRIBUNE, Apr. 26, 2007, available at http://www.iht.com/articles/ap/2007/04/27/business/NA-TEC-US-Google-Paid-Ad-Scam.php.

One of a few industry-wide incentives to enhance security is the Payment Card Industry ("PCI") requirements.
Previously companies who could afford to (large companies who have comparable security budget) simply paid a fine if they were found to be noncompliant with a statute. The TJX data breach stands as a hallmark illustration.¹⁴³ In theory, PCI put teeth behind the implementation of security standards under the threat that Visa or Mastercard could issue a death knell and deny them the ability to process cards, thus putting them out of business. However, it is dubious as to whether this is being enforced in any appreciable way. In fact, there is some evidence to support the contention that companies are manifestly not abiding by the PCI standards.¹⁴⁴

A second, oft-cited symptom of a flawed incentive regime is the poor internal controls that allow trusted insiders to become a burgeoning threat vector in IDC.
The FDIC reported that sixty-five to seventy percent of ID theft is committed with confidential information stolen by employees or participants in transactions or services.¹⁴⁵ In 2006, a CSO Magazine study found that when businesses could identify sources of attacks on consumer records, fifty-six percent were attributable to insiders.¹⁴⁶ Symantec similarly found that theft or loss of an employee's computer accounted for fifty-four percent of identity theft breaches in a six-month period between July and December of 2006.¹⁴⁷ To round it out, Javelin reported similar threats emanating from the citizen-victim contingent.¹⁴⁸ And finally, the FDIC Computer Intrusion Report leaked to The Washington Post, and published by that entity on March 5, 2008 noted that ". . . lending-related insider abuse caused the most losses followed by theft from depositor accounts."¹⁴⁹ These assertions that the insider threat to identity information is significant and increasing support a reasonable inference that companies are not incentivized to implement preventative controls that would adequately address this threat.

A third familiar species of the corporate attribution theory points to the lack of incentives and accountability for ensuring the quality of the data linking persons to fraudulent transactions.¹⁵⁰ This dimension of IDC is by some accounts more nefarious than the direct leaking of PII into the criminal marketplace, or even the dereliction of security controls, insofar as it spawns a lineage of inaccurate information within the legitimate marketplace. Financial institutions are not liable for sending erroneous information to credit reporting bureaus based on fraudulent transactions.¹⁵¹ In other words, there is no accountability for reporting the transactions of identity thieves as the transactions of consumer victims. In fact, industry has been the staunchest opponent to the consumer credit freeze laws, which provide citizens with one of the few tools to prevent ID theft.¹⁵² Furthermore, there is allegedly complicity if not outright collusion with information intermediaries such as credit reporting bureaus and data brokers.¹⁵³ These organizations have no direct relationship or duty to citizen-consumers, so from their view ensuring data quality and remediating incorrect data imposes costs for which there is no Return on Investment ("ROI").¹⁵⁴ According to Leonard Bennett, "[t]he CRAs simply parrot whatever they receive from the furnisher. At the same time, the furnishers are relying heavily on the fact that there is no private cause of action under Section 1681s-2(a) and no standard for the furnisher investigation under Section 1681s-2(b). Nearly all institutional furnishers have the same procedures."¹⁵⁵ Further, as Jeff Sovern notes in his article, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules:¹⁵⁶

credit bureaus may actually have disincentives to take steps to prevent identity theft. . . If they can develop mechanisms to reduce the incidence of identity theft, they can market those mechanisms separately for an additional fee. If, on the other hand, they make those mechanisms available without extra charge, they give up potential income.

The New York Times reinforced this dynamic in an article stating that "the biggest beneficiaries from identity theft have been the three credit bureaus" and that the credit-monitoring services sold by the big three credit bureaus are nearly a billion-dollar business.¹⁵⁷ This complicity criticism has also extended to the United States government as it relates to unclaimed payments made into the Social Security and Medicare programs. Stolen identity information, including SSNs, is used to obtain employment for illegal and undocumented immigrants. The Social Security withholdings collected from workers using false or unverified identification go into the Earnings Suspense File.¹⁵⁸ It is estimated that hundreds of billions of dollars over the past fifty years have flowed into this file from unidentified or misfiled SSNs resulting from ID theft.¹⁵⁹ This fact buttresses the notion that ID theft has incentivized complicity at worst, and benign neglect at best within the government.

142. Remarks at the FTC Authentication Workshop (Fall 2007) (on file with author).
143. See Jenn Abelson, Breach of Data at TJX is Called the Biggest Ever, BOSTON GLOBE, Mar. 29, 2007, at A1, available at http://www.boston.com/business/globe/articles/2007/03/29/breach_of_data_at_tjx_is_called_the_biggest_ever/. See also Evan Schuman, What Was Behind the TJX Settlement, EWEEK, Sept. 24, 2007, http://www.eweek.com/c/a/Enterprise-Applications/What-Was-Behind-the-TJX-Settlement/. Schuman reported that: When TJX announced Sept. 21 that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga. But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system. Id. (emphasis added).
144. See Division of Supervision and Consumer Protection: Cyber Fraud and Financial Crime Report, http://blog.washingtonpost.com/securityfix/FDIC%20INCIDENT%20RE-PORTR2Q07r.htm (last visited Oct. 16, 2008).
145. FED. DEPOSIT INS. CORP., PUTTING AN END TO ACCOUNT-HIJACKING IDENTITY THEFT 10 (2004), available at http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf.
146. Press Release, CSO Magazine, Survey Show E-Crime Incidents are Declining Yet Impact is Increasing (Sept. 6, 2006), available at www.cert.org/archive/pdf/ecrimesurvey06.pdf. See also Jeremy Kirk, Hackers Selling IDs for $14, Symantec Says, INFOWORLD, Mar. 19, 2007, http://www.infoworld.com/article/07/03/19/HNhackerssellids_1.html; Tom Young, Security Threats are Starting to Merge, COMPUTING, Mar. 19, 2007, available at http://www.computing.co.uk/computing/news/2185766/threats-begin-blend; Brian Krebs, Stolen Identities Sold Cheap on the Black Market, WASHINGTON POST, SECURITY FIX, Mar. 19, 2007, http://blog.washingtonpost.com/securityfix/2007/03/stolen_identities_two_dollars.html.
147. SYMANTEC, SYMANTEC INTERNET SECURITY THREAT REPORT: TRENDS FOR JULY-DECEMBER 06 5 (2007), available at http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf.
148. See Javelin Report, supra note 108.
149. See Division of Supervision and Consumer Protection: Cyber Fraud and Financial Crime Report, http://blog.washingtonpost.com/securityfix/FDIC%20INCIDENT%20RE-PORTR2Q07r.htm (last visited Oct. 16, 2008).
150. Quality here refers to core attributes of accuracy, completeness, authenticity and timeliness.
151. Bruce Schneier, Mitigating Identity Theft, CRYPTO-GRAM NEWSLETTER, Apr. 15, 2005, http://www.schneier.com/crypto-gram-0504.html#2. Countering claims that this liability scheme will not work, Schneier points out that credit card companies have managed to thrive despite being held accountable for all but the first $50 of fraudulent transactions. Id. This is an illustration where the liability has incentivized them to develop and deploy security technologies to detect and prevent fraudulent transactions. Id.
152. Fair and Accurate Credit Transactions Act, Pub. L. No. 108-159, 117 Stat. 1952 ("FACTA") (codified at 15 U.C.S. § 1601 (2003)). FACTA did provide some relief to the consumer (at a price, of course). See also NAT'L CONSUMER LAW CTR., ANALYSIS OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (2003), available at http://www.consumerlaw.org/issues/credit_reporting/nclc_analysis.shtml.
153. See infra note 161.
154. That is, as discussed in the next section, unless data quality can be offered up as a service upon which to profit.
155. Testimony Before Subcomm. on Financial Institutions and Consumer Credit of the Comm. on Financial Services Regarding Fair Credit Reporting Act: How it Functions for Consumers and the Economy, 108th Cong. 8 (2003), available at http://financialservices.house.gov/media/pdf/060403lb.pdf (testimony of Leonard A. Bennett on behalf of National Association of Consumer Advocates).
156. Jeff Sovern, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 U. PITT. L. REV. 343, 362 (2003).
157. See Eric Dash, Protectors, Too, Gather Profits From ID Theft, N.Y. TIMES, Dec. 12, 2006, at 28, available at http://www.nytimes.com/2006/12/12/business/12credit.html.
158. See, e.g., Julia Preston, After Iowa Raid, Immigrants Fuel Labor Inquiries, N.Y. TIMES, Jul. 27, 2008, at 1, available at http://www.nytimes.com/2008/07/27/us/27immig.html?pagewanted=2&_r=1.
159. Martin H. Bosworth, Persecution of Immigrant Workers Won't Stop Identity Theft, Dec. 22, 2006, http://www.consumeraffairs.com/news04/2006/12/swift_raids.html.

How has this framework of insufficient incentives and mutable accountability been molded? While previous sections address the pathology of IDC, it bears repeating because it is argued that attribution for the IDC problem should fall significantly on the shoulders of the organizations managing PII.
One view is that the policies promoting the instant credit financial regime not only lower the barriers for fraudsters seeking economic gain, but also incentivize companies to issue more credit at the front end rather than instituting more rigorous identity data protections at the back end. This is patently obvious when one compares the current ease with which one can obtain credit with virtually no identity authentication, versus the time and labor required to prove identity post-fraud in order to remediate losses or put a hold or freeze on one's credit.¹⁶⁰ In other words, there is no legislative stick or financial carrot to incentivize business, as PII intermediaries, to effectively prevent ID theft or to limit the dissemination of or ameliorate the consequences of inaccurate data. One might conclude that to do so would undercut the demand for their growing products and services sector that focus on IDC issues.¹⁶¹ There's no better way to assure demand for a product solution than by perpetuating the underlying need.

(c) Changes in reporting and increased awareness of the problem

A third IDC attribution theory maintains that ID theft is less about significant acts or omissions by either citizens, institutions, or perhaps even criminals than it is an artifact of changes in awareness and reporting. Since laws prohibiting ID theft are less than ten years old, the claim is that we are experiencing the syncing of our social values and institutional controls – laws and practices. This can be likened to domestic violence, where statistics on a previously under-reported social problem-turned-crime seemed to skyrocket relative to a non-existent baseline of reporting practices. From the law enforcement perspective, number jumps can be explained by changes in recording.¹⁶² Since ID theft is often associated with other financial and drug-related crimes, it was not always recorded or charged as a separate offense.¹⁶³ This is true as well with the addition of ID theft-specific offenses which have spawned with the new laws, providing the possibility that previous ID thefts may have been retrofitted into broad fraud charges.
Also, from an aggregate, nationwide perspective, not all LE agencies cooperated with the national reporting standards, making completeness of those numbers a moving target.¹⁶⁴

Regardless of the truth of these claims, the very reasons supporting the increased reporting theory are based on insufficient ID theft data. Likewise, whether and to what degree ID theft can be attributed to citizens, institutions, or reporting changes will forever be a game of hot potato or a breeding ground for social and legal fiction until more empirical IDC data is obtained.

160. See Nancy J. Perry, How to Protect Yourself from the Credit Fraud Epidemic, Aug. 1, 1995, http://money.cnn.com/magazines/moneymag/moneymag_archive/1995/08/01/205197/index.htm.
161. See Tim Wilson, Amid Confusion, Market for ID Theft Services Grows, DARK READING, Dec. 19, 2007, http://www.darkreading.com/document.asp?doc_id=141762.
162. See NEWMAN, supra note 42, at 59.
163. Id.

ii. Damages Conundrum: Fictions Created and Perpetuated in the Wake of the Data Breaches.

The next defective, second-order analysis resulting from the dearth of IDT data is the damages assessment, and it falls along two axes. First, damages as "legal fictions" refers to damages in the traditional legal sense, which is to say judicially-recognized, recoverable damages. Second, damages as "social fictions" denotes IDT damages in the familiar public vernacular – the aggravation and stress felt by IDT victims. For example, this would include the costs associated with time spent clearing up problems resulting from others wrongfully using PII. This is recognized by the public as damage resulting from ID theft, yet such damages might not be deemed recoverable under any prevailing legal theory.

(a) Current Posture on Damages: Theories and Legal Fictions

Humans find it necessary at times to create legal and/or social fictions which provide the illusion of control in the face of "information chaos." The fictions in question serve as a coping mechanism, and because of the indeterminism associated with IDC, damages jurisprudence in data breach cases is an exercise in weaving legal fictions. This legal-fictioning serves two purposes. One, it defines boundaries around novel issues presented by IDC and data breaches within which the efficient administration of justice can occur. Second, it uses the judiciary as a firewall to institutionalize the restriction of liability risk for those entities that profit from the accumulation and manipulation of PII in the form of digital data.

The landscape formed from damages analysis, post-wrongful PII acquisition, is a major hurdle to accurately scoping IDT, which ultimately contributes to misinformed policy related to IDT.
By damages analyses, we include the following determinations: when actual injury occurs, what and when damage is done, and when individuals' information has been stolen by those who intend a harmful act with the information in question. Stollenwerk v. Tri-West Health can be cited as the first data breach case to address the issue of damages under a negligence claim in the wake of a data breach.¹⁶⁵ The vast majority of civil litigation¹⁶⁶ decided in the wake of a data breach can be seen as Stollenwerk progeny in that courts have in large measure consistently embraced the lack of actual injury holding emanating from Stollenwerk, which in turn leads to finding no recoverable damages or loss.¹⁶⁷ Therefore, companies suffering the data breach are not being held liable.

164. UNITED STATES GENERAL ACCOUNTING OFFICE, IDENTITY FRAUD: INFORMATION ON PREVALENCE, COST, AND INTERNET IMPACT IS LIMITED 22-23 (1998), available at http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-98-100BR.

Civil laws require an articulation of damage, loss, and harm prior to filing a civil claim.¹⁶⁸ This can be an onerous and capricious challenge for victim-plaintiffs in the civil context. The plaintiff, as illustrated in our analysis of Key v. TRW, has to prove that an actual injury occurred as a result of the data breach.¹⁶⁹ Otherwise, recoverable damages and loss become a moot point. This hurdle is made all the more challenging by the dynamics of class action lawsuits, which are especially attractive given the features of data breaches (i.e., large numbers of similarly situated plaintiffs).
Specifically, class action suits place substantial financial pressures on plaintiffs' attorneys to move quickly in the wake of perceived tort or breach of contract.¹⁷⁰ However, what are commonly thought of as damages resulting from the theft of data often have a latency, and thus may take a substantial amount of time to manifest themselves.¹⁷¹ If the case is adjudicated prior to the revelation of the misuse, the judge may reason that she has no choice but to dismiss the case. Given the influence that Stollenwerk has wielded on the judicial recognition of identity theft, and the ramifications of the judicial posture, further dissection is in order.

(i) Stollenwerk v. Tri-West Health Care Alliance.¹⁷²

Plaintiffs Stollenwerk, DeGratica, and Brandt sued Tri-West for "negligently fail[ing] to secure their personal information maintained on Tri-West's computers."¹⁷³ Plaintiff's information had been stolen as a result of an on-site burglary at TriWest.¹⁷⁴ The thieves broke in and stole the computer servers that held the information in question.¹⁷⁵ Plaintiffs alleged different grounds for their respective causes of action. Stollenwerk and DeGratica claimed they were entitled to recover damages for the costs incurred as a result of having to obtain heightened credit monitoring services to protect themselves against the fraudulent use of their pilfered PII.¹⁷⁶ Plaintiff Brandt, on the other hand, claimed damages allegedly resulting from the burglary.¹⁷⁷ These damages came in the form of fraudulent use of his PII to open and/or attempt to open credit accounts. In both cases the federal district court denied the claims.

165. Stollenwerk v. Tri-West Health Care Alliance, No. CIV 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054 (D. Ariz. 2005).
166. See, e.g., Forbes v. Wells Fargo, 420 F. Supp. 2d 1018 (D. Minn. 2006); Giorando v. Wachovia Sec., Civ. No. 06-476 JBS, 2006 WL 2177036, at *1 (D.N.J. July 31, 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D. Minn. Feb. 7, 2006).
167. Lack of actual damages has also been the stumbling block under other theories of recovery besides negligence. Further, in the pre-notification era where the fact scenario giving rise to an exposure of PII was not necessarily from a database breach, actual damages posed a barrier. For instance, courts have found no recovery under the Federal Privacy Act for disclosure of a SSN. See, e.g., Doe v. Chao, 306 F.3d 170 (4th Cir. 2002) (noting that while Buck Doe had sworn in an affidavit that he was "embarrassed", "degraded", and "devastated," by the disclosure of his SSN, this was insufficient to raise an issue of fact). He did not allege the requisite manifestations of emotional distress, such as "medical or psychological treatment," "purchase of medications," and "physical consequences" to meet the requirement for proving actual damages under the statute. Id.
168. See Lowe v. Philip Morris USA, Inc., 142 P.3d 1079 (Or. Ct. App. 2006). Although plaintiff claimed that she had a "significantly increased risk of developing lung cancer," the court observed that she did not claim that her risk of future harm was "all but certain" or even probable. Id. at 1081. The court held that allowing a claim "for a mere increase in the possibility of future harm" would be inconsistent with the "fundamental premise" of Oregon law "that the plaintiff must have suffered actual, physical harm." Id. The court concluded that actual harm "is the sine qua non of negligence liability." Id. at 1088.
169. See Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).
170. The first to file is often, but not always, deemed by the court to be the lead lawyer in the suit. This equates to larger fees if the case is successful. While this "first to file" dynamic was deemed to be eliminated by the federal, so called, Class Action Fairness Act of 2005, the authors can still find, and do find, class action trial lawyers who tell them this is not accurate. They point out that the first to file can lead to the 'first to settle,' and the first to settle means you can draw in more class action plaintiffs. See Wikipedia, Class Action Fairness Act of 2005, http://en.wikipedia.org/wiki/Class_Action_Fairness_Act_of_2005 (as of Mar. 11, 2009, 14:11 GMT).
171. "76% of all identity theft is discovered before 24 months after the theft. Only 12% is discovered more than 48 months after the theft." Bell v. Acxiom Corp. 2006 U.S. Dist. LEXIS 72477 at *4 n.22 (E.D. Ark. 2006) (citing FEDERAL TRADE COMMISSION IDENTITY THEFT VICTIM COMPLAINT DATA 2005 11 (2006), http://www.ftc.gov/sentinel/reports/idt-an-nualoverall-figures/idt-cy2005.pdf) (emphasis added). Note that one survey done by the Chubb Insurance Group estimated that one in five Americans was subject to ID theft in the year 2005. Survey: One in Five Americans Have Been Victims of Identity Fraud, INS. J., July 8, 2008, available at http://www.insurancejournal.com/news/national/2005/07/08/57054.htm. So, based on that survey, the "only" referred to by the court might be in the tens of millions, depending on the parameters of the survey.
172. Stollenwerk v. Tri-West Health Care Alliance, No. CIV 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054 (D. Ariz. 2005), aff'd in part, rev'd in part, 254 Fed. Appx. 664 (9th Cir. 2007).
173. Id. at 665.
174. Stollenwerk, 2005 U.S. Dist. LEXIS 41054 (D. Ariz. 2005). Plaintiffs claimed Tri-West took no steps in the weeks following the first burglary to upgrade their defenses for the building. Id. at *2.
175. It is not clear from the court opinion whether anything else was taken in the burglary. Id.
176. Stollenwerk, 2005 U.S. Dist. LEXIS 41054 at *6.
177. Id. at 1 ("This matter arises out of the burglary of Defendant TriWest Healthcare Alliance's ("Triwest") corporate office on December 14, 2002.").

Plaintiffs Stollenwerk and DeGratica compared the theft of the information and possible resulting harm in the future to toxic tort cases where medical monitoring for future harm was held to be necessary as a result of the exposure.¹⁷⁸ Plaintiffs argued that in the wake of having their PII stolen, something akin to medical monitoring was called for (i.e. credit monitoring services and the cost to obtain them should be recoverable losses). The court rejected this argument. It did acknowledge that in some cases data theft is not "entirely dissimilar" from "exposure to toxic substances and unsafe products," but felt that for other reasons it was not necessary to reach a decision on that issue in the present case.¹⁷⁹ That "important distinction" was based on the rationale that toxic tort and products liability cases raise issues of public safety which, the court noted, are not present with data breach cases.¹⁸⁰ Further, the court seemed to be concerned with the lack of quantifiable metrics that might demonstrate a relationship between heightened credit monitoring services and any potential impact those services may have on reducing the risk of future damages from misuse of the personal data.¹⁸¹

Unintentionally adding insult to injury, the court held that while plaintiff Brandt did indeed suffer some actual injury as a result of his data being stolen, namely that credit accounts were actually opened in his name in the wake of the theft of the data, the causal relationship between the theft and the subsequent opening of the accounts was too attenuated, and therefore lacked the elements necessary to establish a cause of action.¹⁸² The court reasoned that while Brandt did provide enough admissible evidence to establish a "reasonable inference" that the burglary was the direct cause of the opening of the subsequent unauthorized credit accounts, the evidence was simply a result of "speculation and conjecture"¹⁸³ on the part of the plaintiff.¹⁸⁴

178. As did plaintiffs in Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).
179. Stollenwerk, 2005 U.S. Dist. LEXIS 41054 at *9-10.
180. Id.
181. Id. at *14.
182. Id. at *20-21.
183. Id. at *20.
184. It should be noted that 9th Circuit Court of Appeals overturned this part of Stollenwerk, 254 Fed. Appx. 664 (9th Cir. 2007) (holding that plaintiff Brandt's claim could go forward on the grounds that a causal relationship between the data breach, and the subsequent misuse of the data had been established). Unfortunately, for reasons not specified the opinion was declared an unpublished opinion, meaning it has no precedential value and therefore cannot be cited as authority for future cases.

(ii) Stollenwerk Progeny and Analogous Law.

Most courts dealing with fact patterns similar to Stollenwerk have followed its holding, sometimes citing it directly and other times simply adopting the spirit of Stollenwerk.¹⁸⁵ We examine several of these to highlight the trend in judicial opinions.

Kulpa v. Ohio University is a case where the Stollenwerk holding predominated but was not cited.¹⁸⁶ Kulpa's fact pattern is similar in that data was taken, albeit as a result of a hack and not a burglary. The Ohio University system was subject to an ongoing hack that lasted approximately one year. Kulpa was one of the students who claimed that as a result of the hack he suffered a heightened risk of ID theft, among other claims. Defendant Ohio University, citing the holding in Kahle v. Litton Loan Servicing¹⁸⁷ and Key v. DSW Inc., asked for the case to be dismissed for failure to state a claim. Both of these cases cited by the Kulpa court favorably reference the Stollenwerk holdings. With one notable exception,¹⁸⁸ the Kulpa court ruled, consistent with the Stollenwerk, that the threat of "future injury is not an actual or imminent¹⁸⁹ injury."¹⁹⁰ Therefore the costs for credit monitoring services were not recoverable, as per the Stollenwerk, Kahle and Key cases. This, we suggest, is the same rationale proffered to dismiss most if not all of the data breach notification cases brought in the United States.

Thus far, courts have been relatively consistent in not recognizing what is an almost organic, or inherent delay between unauthorized access and exposure of identity artifacts and their manifested misuse by a third party.¹⁹¹ Instead, courts have for the most part insisted on requiring current, actual harm in order to meet the damages element of the various breach-related causes of action.¹⁹² We suggest that this "injury in fact" interpretation may be unduly narrow at best and factually incorrect at worst.

185. By similar patterns we mean "data theft," whether as a result of burglary, a hack, a lost laptop, etc.
186. See Kulpa v. Ohio Univ., No. C2006-04202 (Ohio Ct. Cl. Sept. 13, 2007), available at http://www.cco.state.oh.us/scripts/ccoc.wsc/ws_civilcasesearch_2007.r?mode=5&CaseNo=200604202.
187. Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007).
188. Kulpa v. Ohio Univ., No. C2006-04202, at 5 (Ohio Ct. Cl. Sept. 13, 2007), available at http://www.cco.state.oh.us/scripts/ccoc.wsc/ws_civilcasesearch_2007.r?mode=5&CaseNo=200604202 (emphasis added) (citing Kahle, the court noted that "without direct evidence that the information was accessed or specific evidence of identity fraud this Court cannot find that the cost of obtaining credit monitoring to amount to damages in a negligence claim."). One would be hard pressed to explain how hacking into a system where Kulpa's information was—as the fact pattern makes that occurred—is not "direct evidence that the information was accessed". And yet that is exactly what the Kulpa court found. So, the Kahle court, cited in Kulpa was actually rejecting Stollenwerk on the issue of credit monitoring. It could be grounds for recovery of damages. Instead, the court scrambled to come up with a causation issue by twisting the definition of access.
189. We think many of the elements of this definition match the situation Kulpa et al. were facing.
190. Kulpa, No. C2006-04202 (citing Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006)).

Acomparativeanalysisofanotherlegaldomainwhereactualinjury(inthelegalsense)hasbeenanissueupmaybeinstructive.
Insurancelawhasconfrontedananalogousissue,delayedmanifestationillness.
ThequestionatissueinKeeneCorp.
v.
InsuranceCo.
193washowtoes-tablishstandardstomeasurewhenanexposuretoaharmfulsubstance–asbestos–manifestsitselfinactual,legallyrecognizableinjury–mesothelioma.
194Wedulyacknowledgethedistinctionbetweenclaimsinaninsurancecontextversusatortcontextinthattheyinvolvecon-191.
TheexceptionisBellv.
Mich.
Council25,No.
246684,2005Mich.
App.
LEXIS353,(Mich.
Ct.
App.
Feb.
15,2005).
Thecourtheldthat:However,withtheadvancementsintechnology,holdersofsuchinformationhavehadtobecomeincreasinglyvigilantinprotectingsuchinformationandthesecur-itymeasuresenactedtoensuresuchprotectionhavebecomeincreasinglymorecomplex.
As demonstrated by the problems plaintiffs' faced after their identities had been appropriated, the severity of the risk of harm in allowing personal identifying information to be taken to an unsecured environment is high. The instant plaintiffs were very fortunate regarding the limited extent of the fraud perpetrated using their identities. But it is the potential severity of the risk, not the actual risk encountered, that must be considered in deciding to impose liability.

Id. at *3-14 (emphasis added)). The court is rejecting the tone, if not the specific on point holding in Stollenwerk.

192. As we believe Pisciotta v. Old Nat'l Bancorp makes clear:

Finally, without Indiana guidance directly on point, we next examine the reasoning of other courts applying the law of other jurisdictions to the question posed by this case. Allstate Ins. Co., 392 F.3d at 952. In this respect, several district courts, applying the laws of other jurisdictions, have rejected similar claims on their merits. In addition to those cases in which the district court held that the plaintiff lacked standing, a series of cases has rejected information security claims on their merits. Most have concluded that the plaintiffs have not been injured in a manner the governing substantive law will recognize. See, e.g., Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 712-13 (S.D. Ohio 2007) (entering summary judgment for the defendant because the plaintiff had failed to demonstrate an injury); Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 U.S. Dist. LEXIS 4846, 2006 WL 288483 (D. Minn. Feb. 7, 2006) (unpublished) (same); Stollenwerk v. Tri-West Healthcare Alliance, 2005 U.S. Dist. LEXIS 41054, 2005 WL 2465906, at *5 (D. Ariz. Sept. 6, 2005) (unpublished) (granting summary judgment for defendants because the plaintiffs had failed to provide evidence of injury); see also Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D. Mich. 2006) (dismissing an action where "[t]here is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss").

Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 639 (7th Cir. 2007). The vast majority of case law on the data breach class actions has required, for a finding of recoverable damages, a finding of, as the Pisciotta court noted, "a harm that the law is prepared to remedy." Id.

193. Keene Corp. v. Ins. Co. N. Am., 667 F.2d 1034 (D.C. Cir. 1981).

194. Id. at 1038 n.3.
tractual issues rather than negligence issues, respectively. However, the comparative analogy is still instructive to view how some courts have grappled with a process of marking a moment in time when the occurrence of injury is recognized in a legal sense for purposes of recovering damages. For instance, the Fifth and Sixth Circuits have held that state courts could adopt an "exposure" theory.195 When dealing with injuries related to asbestos, the "exposure" theory holds that the first time the asbestos fibers were deposited into the lungs the actual injury had occurred, however long it may have taken to manifest itself upon the victim. On the other hand, other jurisdictions have held that state courts could adopt a "manifestation" theory when the first confirmation is found that exposure had matured to a disease.196 The Keene court rejected

195. See Ins. Co. of N. Am. v. Forty-Eight Insulations, 633 F.2d 1212, 1281 (6th Cir. 1980). The Court noted that:

Aside from this, however, we believe that the policy language itself is best construed along the lines of the exposure theory. We need only look at the definition of "bodily injury" in the policy. Bodily injury is defined as "bodily injury, sickness or disease. . . ." It is tautological that bodily injury can be "bodily injury" and is not necessarily just a "disease". The medical evidence is uncontroverted that "bodily injury" in the form of tissue damage takes place at or shortly after the initial inhalation of asbestos fibers. Thus, it requires only a straightforward interpretation of the policy language for us to adopt the exposure theory. Indeed, for insurance purposes, courts have long defined the term "bodily injury" to mean "any localized abnormal condition of the living body." See Appleman, Insurance Law and Practices § 355 (1965).

Id. See also Porter v. Am. Optical Corp., 641 F.2d 1128, 1145 (5th Cir. 1981). Held:

We might prolong this already lengthy opinion by paraphrasing or rephrasing the Sixth Circuit opinion. We are content to say that we agree with its reasoning and result. Under the terms of the policies presently before us we reject the "manifestation" theory. We accept the "injurious exposure" theory and the logically consequent rule of proration of liability for insurance carriers who were on the coverage while the injured party was exposed to the asbestos hazards which resulted in illness and death.

Id.

196. Keene Corp., 667 F.2d at 1042-43. The court observed that:

INA, Liberty, and Aetna advance the "manifestation" theory of coverage. They argue that coverage is triggered only by the manifestation of either asbestosis, mesothelioma or lung cancer. They assert that their interpretation of the contracts is supported by the ordinary meaning of the terms "bodily injury, sickness or disease." They claim the "bodily injury" does not occur until cellular damage advances to the point of becoming a recognizable disease. INA and Liberty rely on cases in other areas of the law—workmen's compensation, health insurance coverage, and statutes of limitation—that support their interpretation of the term "injury." E.g., Travelers Insurance Co. v. Cordillo, 225 F.2d 137 (2d Cir.), cert. denied, 350 U.S. 913 (1955) (workmen's compensation), cited in Liberty's brief at 42-44 and INA's brief at 28; Reiser v. Metropolitan Life Insurance Co., 262 App. Div. 171, 28 N.Y.S.2d 283 (1941) aff'd, 289 N.Y. 561, 43 N.E.2d 534 (1942) (health insurance), cited in Liberty's brief at 45 and INA's brief at 26; Urie v. Thompson, 337 U.S. 163 (1949) (statute of limitations), cited in INA's brief at 27.

Id.
both these theories on the grounds that in the context of asbestos-related disease, the terms "bodily injury," "sickness" and "disease," standing alone, simply lack the precision necessary to identify a point in the development of a disease at which coverage is triggered.197 Finally, the District of Columbia Circuit has held that states could adopt a "multiple trigger" theory198 and Pennsylvania state courts199 have, in fact, adopted a multiple trigger theory.

The "multiple trigger" theory in particular might have special relevance to ID theft and data breach jurisprudence. There is much in Judge Patricia Wald's concurrence in Keene that has relevance for victims whose data has been stolen in data breach cases.200 Judge Wald opined in reference to the "multiple trigger" rationale:

The approach taken in the panel opinion here is different from the approaches of other courts in two significant respects. First, it defines the "injury" that triggers insurance coverage not merely as exposure to asbestos fibers or manifestation of the symptoms of asbestosis, mesothelioma or lung cancer, but also—at least in the case of asbestosis—as the process by which the victim's body resists, adapts, and tries to accommodate itself to a foreign matter—a process, which we understand from the medical testimony elicited at trial, is a major, if not primary, factor in the development of asbestosis. In short, the "injury" is taking place every year that the asbestos fiber remains in situ until tissue damage in the lungs is significant enough to be detected by X-rays or to produce symptomatic effects of asbestosis, mesothelioma or lung cancer. I agree with this more comprehensive definition of "injury," encompassing the period from initial exposure to manifestation, because it comports with what we know and do not know about the etiology and progress of the diseases. This process-oriented definition not only provides a flexible

197. Id. at 1043.

198. Eli Lilly & Co. v. Home Ins. Co., 794 F.2d 710, 716 (D.C. Cir. 1986). The court noted that:

Thus, contrary to the contention of appellants, see Joint Post-Certification Supplemental Memorandum of Defendants-Appellants filed November 27, 1985 at 16, the Indiana court apparently did not think extrinsic evidence should be used to determine the character of such "reasonable expectations." Instead the court seemed to have determined the content of such expectations—the multiple trigger thesis—as a matter of law.

Id.

199. J.H. France Refractories Co. v. Allstate Ins. Co., 534 Pa. 29, 37 (Pa. 1991). Held:

In similar fashion, the Superior Court reached the conclusion that the term "bodily injury" also encompasses the progression of the disease throughout and after the period of exposure until, ultimately, the manifestation of recognizable incapacitation constitutes the final "injury," and that these stages in the pathogenesis of asbestos- and silica-related diseases also trigger the liability of J.H. France's insurance carriers. We find no error in this analysis and conclusion. The insurance policy language and the evidence of the etiology and pathogenesis of asbestos-related disease compel us to reach this result.

Id.

200. Keene Corp., 215 U.S. App. D.C. at 56.
formula for adjudicating the legal issues associated with asbestos-related diseases, but also sets a useful precedent for other product-exposure injuries, as of yet unknown in origin. Further, the more comprehensive definition will give much needed certainty to the insurance industry, currently rent asunder by advocates of exposure and manifestation, whose fluctuating positions often depend upon their economic interests in a particular case, and by differing judicial rulings which seem to depend at least partially upon the equities of each case.201

While it is intimated that the risk of ID theft equates to the grave hazards of mesothelioma or lung cancer, it is advocated that borrowing the latter's "process-oriented" definition of injury is useful in IDT data breach cases, particularly since it is an undeveloped area of the law as well as a little understood area of commerce and finance. Only very recently, and with a notable lack of reliable data, has society begun to understand how PII data is used and misused in our society. Keeping in mind Judge Wald's caution about what we know "and do not know about the etiology and progress . . ." of disease, the courts might blow a slightly less certain note on their respective trumpets with regard to damages analyses in data breach cases. This is especially so at a time when society has moved to risk based pricing schemes which are predicated on timely access to accurate data, to say nothing of our increasing reliance on database analytics which are increasingly the gateway to citizens' opportunity to transact, travel and conduct commerce without undue interference.202 As Judge Wald recounted:

[T]his is a case of first impression and, irrespective of how it is resolved, requires a "leap of logic," from existing precedent, for it concerns diseases about which there is no medical certainty as to precisely how or when they "occur." We do know the prerequisite—exposure to asbestos fibers—and the symptoms that manifest themselves, generally too late for effective treatment. What happens in between is still something of a mystery; why does one exposed person fall victim to the diseases while another does not?203

Moving from insurance law back to IDT, Pisciotta v. Old National Bancorp is the one data breach case that comes closest to marshalling all the previously highlighted standards: exposure, multiple trigger, and diagnosis/presumptive present harm.204 This case engages in one of the most intelligible discussions of the damages analysis of when ID Theft

201. Id. at 1057-58 (emphasis added).

202. See Wikipedia, Risk-based Pricing, http://en.wikipedia.org/wiki/Risk-based_pricing (as of Nov. 19, 2008, 13:12 GMT).

203. Keene Corp., 667 F.2d at 1057.

204. Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007).
occurs.205 Pisciotta was a customer of the Old National Bancorp. He used the bank's online banking service. The bank's website was hacked and the PII in question was stolen. Plaintiffs filed a class action negligence lawsuit claiming actual injury from the theft of the data, and damages for credit monitoring costs incurred to prevent further harm from "future" ID theft.206 While Indiana did not have a Data Breach notification statute at the time of the hack and the subsequent filing of the complaint, the state did pass one shortly thereafter.207 The court, while acknowledging the Indiana statute was not "directly applicable to the present dispute," nonetheless used it to guide its decision.208 The court found that the statute provided no private right of action, nor did it create a duty on the part of the breached entity "to compensate affected individuals for inconvenience or potential harm to credit that may follow."209 The plaintiffs maintained that "the statute is evidence that the Indiana legislature believes that an individual has suffered a compensable injury at the moment his personal information is exposed because of a security breach."210 Indeed, the court indicated that they thought this was the challenge they face in Pisciotta when they noted that:

We must determine whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract.211

In articulating this challenge, the Pisciotta court indicated there were two distinct, but perhaps related, elements to the challenge.212 First, there is the issue of "exposure." The second element was the "costs" associated with preventing future ID theft. These two elements,

205. The discussion is couched in murky terminology, again, at times, unstated, regarding what actual injury, if any, occurs at the moment the data in question is transferred, in an unauthorized manner by someone intent on using it in an unlawful manner.

206. Plaintiffs filed a breach of contract action as well.

207. Ind. Pub. L. 125-2006, § 6 (Mar. 21, 2006) (codified as IND. CODE § 24-4.9 et seq.).

208. Pisciotta, 499 F.3d at 637 (noting that "[w]e nevertheless find this enactment by the Indiana legislature instructive in our evaluation of the probable approach of the Supreme Court of Indiana to the allegations in the present case.").

209. Id. at 637 (emphasis added).

210. Id. While lacking access to the plaintiffs' brief in this case, it may be the plaintiffs reached this conclusion on the fact that it is a violation of the same statute to dispose of PII in a public area if the information has no encryption or other protection. Dump the hard copy data in a dumpster, and at that moment, you have committed a violation of Indiana law.

211. Id. at 635.

212. Id. at 635.
two potential harms or injuries as the court noted, are "coupled" but distinct. The plaintiff's theory was that "analogous areas" of Indiana law held that plaintiffs had indeed suffered an injury at the moment of data transfer and were entitled to damages as a result.213 The Pisciotta court, as noted, defined this moment as "identity information exposure."214 Plaintiff offered case law where the court ruled that unauthorized transfer of information was an "actual injury."215 However, the court differentiated these cases offered by noting that:

Whatever these cases say about the relationship of banks and customers in Indiana, they are of marginal assistance to us in determining whether the present plaintiffs are entitled to the remedy they seek as a matter of Indiana law. The reputational injuries suffered by the plaintiffs in American Fletcher and Indiana National Bank were direct and immediate; the plaintiffs sought to be compensated for that harm, rather than to be reimbursed for their efforts to guard against some future, anticipated harm. We therefore do not believe that the factual circumstances of the cases relied on by the plaintiffs are sufficiently analogous to the circumstances that we confront in the present case to instruct us on the probable course that the Supreme Court of Indiana would take if faced with the present question.216

The language from the court appears to be a rejection of the challenge the court set up for itself. The court noted two distinct elements: one occurring directly and immediately, the "exposure" moment; and, one occurring, if at all, in the "future."217 However, note in the quote above the court's contention that the plaintiffs harmed in the American Fletcher and Indian National Bank cases suffered damage that was "direct and immediate." Was not the "information exposure" which the plaintiff's in Pisciotta complained of "direct and immediate"? Yet the court, which initially acknowledged that its challenge was to address two distinct elements, coupled together, jettisoned a major contention of the plaintiffs by concluding that plaintiffs only sought reimbursement for their efforts to prevent future harm. That was, as the court noted, only one part of the plaintiff's theory of recovery. They also sought recovery for "direct and immediate" damage at the moment of transfer and the court simply side-stepped this argument in their opinion.218

Finally, the court noted that:

Although not raised by the parties, we separately note that in the somewhat analogous context of toxic tort liability, the Supreme Court of Indiana

213. Id. at 637.

214. Pisciotta, 499 F.3d at 635.

215. Id. at 637-38.

216. Id. at 638 (emphasis added).

217. Id.

218. Id.

has suggested that compensable damage requires more than an exposure to a future potential harm.
Specifically, in AlliedSignal, Inc. v. Ott, 785 N.E.2d 1068 (Ind. 2003), the Supreme Court of Indiana held that no cause of action accrues, despite incremental physical changes following asbestos exposure, until a plaintiff reasonably could have been diagnosed with an actual exposure-related illness or disease. Id. at 1075. In its decision that no compensable injury occurs at the time of exposure, the court relied on precedent from both state and federal courts in general agreement with the principle that exposure alone does not give rise to a legally cognizable injury.219

The court faced a conundrum. Being that it was a federal court having to interpret Indiana law, for procedural reasons it was "loath" to approve and impose "novel theories" of recovery onto Indiana.220 The court noted that "courts are encouraged to dismiss actions based on novel state law claims."221 When faced with such theories the courts should take ". . . the approach that is restrictive of liability."222 In the face of this conundrum, the court created a legal fiction that there were no damages occurring from "immediate" injury, the exposure of the information, in order to quell any indeterminism arising from the conflict.

(iii) Criticisms of the Damages Analyses

Not surprisingly, the Pisciotta case cited Stollenwerk and some of its progeny.223 The practical effects of Stollenwerk and its progeny are clear. It is very difficult to assign liability back to the original holder of the data, the party that suffered the breach. This seemingly neutered liability risk creates disincentives for the holder of the data, the party that profits from possessing the data, from implementing stronger security assurances. More specifically, the reasons for criticizing this holding are as follows:

1. It places all of the responsibility for preventing harm on the shoulders of a party who has no responsibility or capability to ensure the data was secure in the first place, or prevent its acquisition;

2. It puts the responsibility of taking responsive measures on a party most likely unfamiliar with the subtleties, nuances, and dynamics of the misuse of their PII;

3. It does not encourage, or in some cases where the victims do not have the resources to pay for the services in question, discourages, victims to seek professional help in preventing future harm;

219. Id. at 639.

220. Pisciotta, 499 F.3d at 636.

221. Id.

222. Id. at 636 (citing Home Valu Inc. v. Pep Boys, 213 F.3d 960, 965 (7th Cir. 2000)).

223. Pisciotta, 499 F.3d at 639.
4. It instills an unachievable standard of causation, as courts traditionally define that term in jurisprudence.224 If expert analysts and investigators within law enforcement, industry and government lament the insufficient data to prove up "reasonable inference[s]"225 regarding IDC in general, and ID theft in particular, what chance does a citizen-victim on her own have? This is not an argument to dispense with rigorous proof when confronting these issues, nor does it disregard the fact that courts are limited in how liberal and "creative" they can be interpreting the law. However, the practical difficulties in proving causation between data breach cases and subsequent IDC should never be mistaken for the fact that damages directly related to the breach are not occurring; and

5. The court made an artificial and false distinction between the threat to "public health" in the so-called real world versus public health and safety in a digital environment. It is not necessary to precisely equate the two dangers to public health to acknowledge that both are a threat to public health and safety. Citizen-victims, like the plaintiffs in Stollenwerk whose data was taken, should not be subjected, by no fault of their own, to something akin to a "reverse lottery"226 where the unlucky "winners" wait around to be "awarded" their "prize": notification of the manifestation of damages and/or losses as a result of their personal data being stolen.

(iv) Signs of Change, or Merely Outliers

While pronouncing at the onset that the aim of this article is to raise the level of dialogue about IDC by focusing primarily on the shortcomings of the current decision making in data breach cases, namely the definition and damages elements, this criticism is being borne out. Outside of the data breach context, courts have grappled with the issue of whether and when to impose civil liability for identity theft. For example, in a 2003 case, Huggins v. Citibank, the Supreme Court of North

224. See Bridge v. Phoenix Bond & Indem. Co., 128 S. Ct. 2131, 2142 (2008) (quoting Holmes v. Sec. Investor Prot. Corp., 503 U.S. 258 (1992), that courts "demand for some direct relation between the injury asserted and the injurious conduct alleged."). However, the Bridge court also noted in Holmes that, "[p]roximate cause, we explained, is a flexible concept that does not lend itself to 'a black-letter rule that will dictate the result in every case.'" Id. at 2142 (citing Holmes, 503 U.S. at 272).

225. Stollenwerk, 2005 U.S. Dist. LEXIS 41054 at *17 (stating that "[w]here evidence is circumstantial, it must permit a jury to draw reasonable inferences, not merely speculate or conjecture." (citation omitted)).

226. Jeff Sovern, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 U. PITT. L. REV. 343, 362 (2003) (using "Reverse lottery," Daniel J. Solove's phrase).
Carolina declined "to recognize a legal duty of care between credit card issuers" and identity theft victims, commenting that even though "it is foreseeable that injury may arise by the negligent issuance of a credit card, foreseeability alone does not give rise to a duty."227 The Huggins court held that given the lack of an "existing relationship" between the plaintiff and bank, the bank owed no duty of care to the plaintiff.228

However, a recent case with a similar fact pattern resolutely disagreed with the holding in Huggins. In Wolfe v. MBNA,229 a federal court held that:

Upon review, the Court finds the South Carolina Supreme Court's conclusion in Huggins to be flawed. In reaching its conclusion, the Huggins court relied heavily on the fact that there was no prior business relationship between the parties, that is, the plaintiff was not a customer of the defendant bank. The Court believes that the court's reliance on this fact is misplaced. While the existence of a prior business relationship might have some meaning in the context of a contractual dispute, a prior business relationship has little meaning in the context of negligence law. Instead, to determine whether a duty exists between parties, the Court must examine all relevant circumstances, with emphasis on the foreseeability of the alleged harm. As to the issue of foreseeability, the South Carolina Supreme Court found that "it is foreseeable that injury may arise by the negligent issuance of a credit card" and that such injury "could be prevented if credit card issuers carefully scrutinized credit card applications." The Court agrees with and adopts these Findings.230

The Wolfe court went on to note that "[w]ith the alarming increase in identity theft in recent years, commercial banks and credit card issuers have become the first, and often last, line of defense in preventing the devastating damage that identity theft inflicts."231 Finally, in Bell v. Michigan Council, the court determined that ID theft resulting from database breach was a foreseeable consequence, and therefore found defendants

227. Huggins v. Citibank, 585 S.E.2d 275, 277 (S.C. 2003) (citing S.C. State Ports Auth. v. Booz, Allen, & Hamilton, Inc., 346 S.E.2d 324, 325 (1986)). See also Pointes of Plantation Pointe Owners Ass'n v. Rockwell, No. 2005-UP-579 (S.C. Ct. Apps. Nov. 22, 2005), available at http://www.judicial.state.sc.us/opinions/displayUnPubOpinion.cfmcaseNo=2005-UP-597.

228. Huggins, 585 S.E.2d at 277.

229. Wolfe v. MBNA Am. Bank, 485 F. Supp. 2d 874, 881-882 (W.D. Tenn. 2007). See also Brunson v. Affinity Fed. Credit Union, No. A-4439-06T1, 2008 N.J. Super. LEXIS 193 (N.J. Super. Ct. App. Div. Sept. 9, 2008) (holding that fraud investigators have a duty to "pursue with reasonable care their responsibility for protecting not only their own customers, but non-customers who may be victims of identity theft."); Mary Pat Gallagher, Identity-Theft Victims Owed Duty of Care in Bank Fraud Investigations, N.J. Court Says, LAW.COM, Sept. 11, 2008, http://www.law.com/jsp/article.jspid=1202424426977.

230. Wolfe, 485 F. Supp. 2d at 882.

231. Id.

liable for damages incurred by the plaintiffs resulting from the breach.232 As promising as this appears to would-be IDT victims, we must note that this holding goes out on a limb.
The Bell court hung its hat on a unique circumstance, namely the special relationship between a union organization and its union members.233 In fact, the court found this relationship had elements of a fiduciary relationship and as such, the defendants were on notice they had to take special steps to protect plaintiff's information.234 Failing in these steps it was foreseeable that the data could be stolen, and if stolen, subject to ID theft. Since this is exactly what happened in the Bell case, the court was satisfied that a causal relationship existed between the loss of the data and the subsequent abuse of the data.

In addition to the non-data breach cases, the most recent cases involving data breaches may be a foreshadowing that the judiciary is moving in the direction of recognizing actual injury the moment the data is transferred. In November 2007, the court in American Federation of Government Employees v. Hawley (TSA)235 examined the issue of damages resulting from a theft of a laptop computer that held PII of workers for the Transportation Security Administration.236 The plaintiffs had alleged that "the defendants violated the Aviation and Transportation Security Act (ATSA), 49 U.S.C. §§ 44901 and 44935, and the Privacy Act, 5 U.S.C. § 552a, by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records."237

Defendants sought dismissal on the grounds that the plaintiffs in the case suffered no actual injury as a result of the breach.238 Defendants claimed, among other defenses, that "individual plaintiffs lack standing because their allegations of harm are speculative and dependent upon third parties' criminal actions," and therefore failed to "demonstrate an injury-in-fact."239 The court rejected this argument noting that "in this circuit, 'emotional trauma alone is sufficient to qualify

232. Bell v. Mich. Council 25, No. 246684, 2005 Mich. App. LEXIS 353 (Mich. Ct. App. Feb. 15, 2005).

233. Id. at *5.

234. Id. at *9-10.

235. Fed'n of Gov't Employees, 543 F. Supp. 2d 44 (D.C. Cir. 2008).

236. Id. at 53. Plaintiffs alleged that the defendants "violated the Aviation and Transportation Security Act ("ATSA"), 49 U.S.C. §§ 44901 and 44935, and the Privacy Act, 5 U.S.C. § 552a, by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records." Id. at 45.

237. Id.

238. Id. at 50-51.

239. Id. at 50.

as an 'adverse effect',240 and therefore not dependent on the actions of 'criminal third parties.'"241

Further, in Ruiz v. Gap, Inc., decided in March of 2008, the court held that Joel Ruiz was entitled to move forward with his complaint against the Gap in a case that started when someone stole a laptop containing Ruiz's personal information.242 Ruiz claimed he had suffered actual injury resulting from the use of the stolen data.
While Ruiz did not claim the thieves stole his identity, he did claim that he was at a heightened risk of ID theft. Defendant claimed this meant he had not suffered actual injury and therefore the court should have dismissed the case. The court rejected that claim, noting that "to confer standing, the threat of future injury must be credible rather than remote or hypothetical."243 The court concluded, with some cautionary language directed towards the plaintiff, that he had in fact met this threshold.244

While both cases are not directly on point to data breach notification cases, they nevertheless indicate reluctance on the part of the courts in question to accept the heretofore nearly unassailable argument that loss, or theft of data, does not equate to an "actual injury." Note however, some courts are demonstrating a different posture when it comes to hot button copyright litigation, where there appears to be a willingness to make an inferential leap between cause and effect by relying on indirect proof.245

(b) "No Damages": A Mistaken Social Fiction

In keeping with the contention of this section that damages analyses are fictions created and perpetuated in the wake of data breaches, the second manifestations are social fictions. The failure of the legal system to assess the extent of injury accurately, and therefore possible damages or loss in the wake of data breaches, is only one factor contributing to our inadequate understanding of the nature and scope of the ID theft. In

240. Id. at 51 n.12 (citing Krieger v. Dep't of Justice, 529 F. Supp. 2d 29, 53 (D.C. Cir. 2008)).

241. Id. at 51 n.12.

242. Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1124 (N.D. Cal. 2008).

243. Id. at 1126 (quoting Hartman v. Summers, 120 F.3d 157, 160 (9th Cir. 1997)).

244. Id. at 1126 ("[s]hould it become apparent that Ruiz's alleged injury is in fact too speculative or hypothetical, the Court will conclude, as it must, that Ruiz lacks standing.").

245. A similar argument – as to how courts determine recoverable injury – can be found in copyright context. In Capitol Records Inc. v. Thomas, the MPAA's argument rested on how one defines distribution in the copyright context. David Kravits, An Essay Concerning MPAA Understanding of "Making Available" in the P2P Context, WIRED, June 24, 2008, http://blog.wired.com/27bstroke6/2008/06/an-essay-concer.html. U.S. District Judge Michael Davis instructed jurors they could find unauthorized distribution – copyright infringement – if Thomas was making available the copyrighted works over a peer-to-peer network. Id. The jury decided her liability in five minutes. Id.
addition to this legal fiction, flawed social fictions arise from the failure of other social institutions to accurately classify and assess the value of PII. Both legal and social fictions are coping mechanisms used to bring determinisms to the information chaos wrought by IDC, and the value of those fictions is measurable by how closely they acknowledge the reality of the harm incurred.

Whereas legal fiction explicitly categorizes whether PII theft qualifies as damages by artificially drawing lines in time and space, social fiction implicitly influences damages analyses by failing to recognize (in verbal discourse) the commoditization of personal information, while at the same time treating it in practice like other goods in the marketplace. The result is that institutional and social protections and conventions that would normally attach to goods (like financial standards for asset valuation) do not attach to personal information, thus ultimately leaving a policy gap against which damages are otherwise measured.

What is causing society to react to identity data theft is a perception, institutionalized within our control processes and cultural conventions, which is slow to grasp that personal and transactional data is no longer external to that which we have structured our commerce around in a tangible sense. Rather, it has become a highly valuable commodity in and of itself.246 A familiar adage of our IT society, "the message is the medium"247 has evolved into "the product is the person."248 Although current social fiction resists explicitly labeling PII as a tradable commodity, nonetheless, this notion will assimilate and internalize along the same trajectory of other social norms as the public continues its exposure to news stories and firsthand accounts of the maturation of the white, grey and black markets in PII, including those related to ecommerce and breeder identification.249 Somewhere along that continuum, the public

246. See Janet Dean Gertz, The Purloined Personality: Consumer Profiling in Financial Services, 39 SAN DIEGO L. REV. 943, 953 (2002) ("Indeed, the former chairman of Citicorp referred to the information standards for the movement of personal and nonpersonal financial data as the equivalent of money in global financial markets."). For a discussion of the already large market in personal information, including the selling of personal information on markets, see Kenneth C. Laudon, Markets and Privacy, COMMUNICATIONS OF THE ACM, Sept. 1996, at 92, available at http://www.eecs.harvard.edu/cs199r/readings/laudon.pdf.

247. MARSHALL MCLUHAN, THE MEDIUM IS THE MESSAGE (2005). See also Wikipedia, The Medium is the Message, http://en.wikipedia.org/wiki/The_medium_is_the_message (as of Apr. 8, 2009, 18:19 GMT).

248. Which is to say that the optimal goal behind online advertising and transactions is to shrink the transaction costs between the buyers and sellers of goods/services, such that if achieved, the customer-buyer is the sum of his transactions and purchased products.

249. Breeder documents are documents that are used to obtain other documents used for identity; e.g., a birth certificate is used to obtain a driver's license which is then used as an identity document. See, e.g., Social Security Administration, Report to Congress on Options for Enhancing the Social Security Card, http://www.ssa.gov/history/reports/ssnreportc4.html (last visited Nov. 9, 2008).
will view the failure to adequately manage PII and transactional data as a failure of the control institutions (legislative, judicial and political) to protect citizens, both individually and in the aggregate.

(i) Evidence Supporting Actual Damages: Wounded Victims

The Federal Trade Commission understood the damages fictions and hurdles that plaintiffs in a DBN action face all too often. This understanding led the FTC to request from Congress a strict liability standard for violations of Section 5, The Unfair and Deceptive Trade Practices Act.250 The FTC, with its broad investigatory powers and responsibilities, was hesitant to take on the burden of establishing the causal damages standard impelled by the courts on victims of data breaches, but also would not turn a blind eye to real damages suffered by citizen-victims. The FTC illustrated its discord with the "no damages" legal fiction in its enforcement action against BJ's Wholesale Club, in which the following occurred:251

Beginning in late 2003 and early 2004, banks began discovering fraudulent purchases that were made using counterfeit copies of credit and debit cards the banks had issued to customers. The customers had used their cards at respondent's stores before the fraudulent purchases were made, and personal information respondent obtained from their cards was stored on respondent's computer networks. This same information was contained on counterfeit copies of cards that were used to make several million dollars in fraudulent purchases. In response, banks and their customers cancelled and re-issued thousands of credit and debit cards that had been used at respondent's stores, and customers holding these cards were unable to use their cards to access credit and their own bank accounts.

The FTC settlement agreement laid the liability for the damage in the wake of the breach right on BJ's doorstep.252 However, nowhere in the settlement agreement does one find claims or admissions that there was a direct causal relationship between the data breach and the ultimate misuse of the data in question.253 Indeed, a direct causal relationship

250. See Lisa Jose Fales & Jennifer T. Mallon, The FTC's Use of its Unfairness Jurisdiction in Data Security Breach Cases: Is it Fair, THE SECURE TIMES, Sept. 1, 2006, http://www.thesecuretimes.com/2006/09/the_ftcs_use_of_its_unfairness.php.

251. Complaint for Plaintiff, BJ's Wholesale Club, Inc., 140 F.T.C. 465 (2005), available at http://www.ftc.gov/os/caselist/0423160/092305comp0423160.pdf. We chose not to include this case in the Stollenwerk progeny section because the case settled by consent on June 16, 2005, prior to an opinion issued by the court regarding a motion to dismiss.

252. See Press Release, Federal Trade Commission, BJ's Wholesale Club Settles FTC Charges (June 16, 2005), available at http://www.ftc.gov/opa/2005/06/bjswholesale.shtm [hereinafter Press Release, BJ's Wholesale].

253. In the Matter of BJ's Wholesale Club, Inc., 140 F.T.C. 465 (2005).

would be nigh impossible to prove.
Giventheexistenceoftheblackmarketindataandmyriadpotentialwhitemarketsourcesforanypar-ticularpieceofstolendata,thetaskoftracinganyinstanceoffrauddi-rectly,inthelegalsense,backtoanyparticularbreachisinmanycasesfutile.
254Inotherwords,theevidencethataparticulardataholderisdirectlyliableforaparticularinstanceoffraudisoftencircumstantialatbest.
HowexactlywouldtheFTC,orforthatmatterothergovernmentagenciesorlawenforcement,provedirectcausationoncethedatahadbeenpostedonline,shortofprovingwhopostedthedatainthefirstplaceThiswouldessentiallyamounttotryingtoproveanegative:thattherewasnootheravenuefromwhichthisinformationcouldhavebeenstolenandendedupforsaleontheblackmarket.
However,theFTCrecognizedthatdamagesarerealandpresentsoitforcedBJ'sintoasettlementdecreeconsistingofaheftyfinefordamageswithoutproofofcausationoracknowledgementofliability.
255Dependingonone'sper-spective,iteithercreatedanewfictionthatinferreddamagesfromthemereactofthedatabeingexposed,oritusurpedtheprevailingfiction("nodamages")byeliminatingthecausationrequirementanddeemingtheproofofbreachenoughtoholdBJ'sresponsibleforcorrelativedamages.
AnecdotalsupportfortheenduringdamagesresultingfromIDCisprovidedbyasurveyconductedbyNationwideMutualInsuranceCom-pany,andreportedinmanynewsoutlets.
256Thesurveyfoundthat"28percentofidentitythieves'marksarenotabletoreconstructtheiridenti-tiesevenaftermorethanayearofwork.
"257Furthermore,theeffortexpendedtomitigatethedamageaveragedeighty-onehourspervic-tim.
258Theaveragetotaloffraudulentchargeswasfairlyhigh:$3,968.
259Butonlysixteenpercentreportedthattheywereheldrespon-sibleforatleastsomeofthecharges.
260Amajorityofvictimsdiscoveredthefraud,notbybeingnotifiedbytheirbank,butbynoticingunusualchargesontheirstatement.
261However,ittookanaverageoffiveanda254.
SeeKimberlyKieferPeretti,DataBreaches:WhattheUndergroundWorldof"Carding"Means,25SANTACLARACOMPUTERANDHIGHTECH.
L.
J.
(forthcoming).
255.
Id.
256.
AGooglesearchfor"nationwidemutualinsuranceidentitytheftsurvey"turnsup31,700hits(conductedOct.
28,2008).
257.
SeeOneInFourIdentity-TheftVictimsNeverFullyRecover,INFORMATIONWEEK,July26,2005,http://www.
informationweek.
com/news/security/privacy/showAr-ticle.
jhtmlarticleID=166402700[hereinafterOneinFour].
258.
Id.
259.
Id.
260.
Id.
261.
Id.
\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:6020-MAY-0913:32106JOURNALOFCOMPUTER&INFORMATIONLAW[Vol.
XXVIhalfmonthsfromthetimeofthethefttowhenitwasdiscovered.
262"Onlyseventeenpercentwerenotifiedbyacreditororfinancialinstitu-tionofthesuspiciousactivity,afigurewhichifaccepted,wouldbethetypetofuelfederallawmakersponderinglegislationthatwouldrequirepublicdisclosureoflargedatabreaches.
"263Thisinformationindicates,amongmanyotherthings,theongoingbattlesthatconsumersandagenciesassignedtoprotectthemhavewithsimplyidentifyingandrectifyingdamagesresultingfromIDC.
Thesedifficultiesareinherenttoandaremnantofanenvironmentlackingre-portingandresolutioncapabilities.
ThisthenfeedstherecursionoflegalfictionsthatfailtorecognizeIDTdamagesandcompensatevictimsac-cordingly.
Regardlessofthefictionsrenderedbyjudicial"no-damages"orthefailurebypolicymakerstoacknowledgeindustry'shandlingofdig-italidentityasacommodity,thereisnodebatingthatIDCiscostingcitizen-victimseconomicallyandpsychologically.
(ii) Market Hypocrisy

This article offers the actions of the market economy itself as a second counterproof of the prevailing legal fiction behind the courts' failure to recognize actual injury or IDC damages in wrongful identity acquisition scenarios. Specifically, companies and associated goods and services sprouting in the wake of the growth of IDT belie the legal conclusions that there are no damages or loss incurred. We are witnesses to a burgeoning, multimillion dollar industry in identity management proffered to provide solutions to a problem which we do not seem to recognize when it comes to liability or responsibility to prevent. The FDIC Cyber Fraud and Financial Crime Report, which is a centralized collection of information related to cyber fraud and financial crimes that impact financial institutions, for the second quarter of 2007 documented a smattering of statistics that fly in the face of claims that IDT damages are not occurring.[264] For example:

[t]he number of consumer records breached doubled compared to prior quarters; the number of computer intrusion Suspicious Activity Report ("SAR") filings are relatively low but growing at a fast pace; the estimated mean (average) loss per SAR almost tripled the estimated mean loss per SAR identified one year ago; online bill payment applications were most frequently targeted by cyber thieves; however, unauthorized access to ACH[265] and wire transfer applications caused the most losses to FIs[266] in the computer intrusion category; ID theft SARs filing increased fifty-nine and four percent during the 2Q06 2Q07, respectively, and ID theft often results from data breaches outside of insured-FIs, but FIs suffer losses when the data is used to commit account application fraud; ID theft and account takeover was the most frequently identified type of computer intrusion that occurred during the 2Q07; unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year; and, unauthorized automated clearing house (ACH) and wire transfers caused the most losses to FIs because of faster funds availability, with wire transfer SARs increased 44 percent from 2Q06 and doubled compared to 2Q05.[267]

Cited next is a recognized market leader in identity risk management as an illustration of the contradictory actions and information propagated. Although the next section dissects this dynamic more fully, the conflict of interest exposes itself in the interplay between: (a) the conclusory statistics and probabilistic determinations about the low rate of identity misuse from breaches; and, (b) the coincident advocacy for identity risk management services because of the "growing" threat of identity fraud.[268] In other words, based on proffered data from some identity theft risk management vendors, citizen-victims of data breaches stand a slight chance that their identities will actually be used when their PII is stolen, yet at the same time corporate-victims are being urged to engage these claimed solution providers to curb fraud from those same breaches.[269] Accepting this as true, risk analytics related to IDT victimization is increasingly in demand to bring certainty to the legal risk because they can have significant economic benefits for the breached companies. For one, this predictive risk analysis may be useful to establish whether breach notification responsibilities are triggered. If there is not a "reasonable likelihood"[270] that identities have been or will be compromised, for example, the breached company can avoid the costs associated with notification.[271] Even if organizations decide to notify, the rationalization is that the cost of contracting these same services for victims outweighs the negative public relations and reputational costs of not notifying. Second, even if notification is triggered, identity risk analyses can be leveraged to characterize the risk of use to feed the legal fiction regarding damages. In such a case, if one's identity is unlikely to be misused in the future, there are no damages to the citizen-victims and thus no legal liability risk from potential litigation, class action or otherwise.[272]

The picture painted is one of a near victimless crime, yet it is one that spawns costly damage for industry. Crafted in this way, the risk is real enough to justify remedial and preventative services by industry, yet not so threatening to the consumer-victims such that they should retreat from the electronic marketplace. This hypocrisy is further evidenced if one considers some of the holdings of respective courts which deny damages, in light of the following logic: if identity risk management services are influencing companies' credit and loan decisions (i.e., "deny applicant X because she is a bad identity risk"), is that not a "manifestation" of the ID theft that courts are basing their damage determinations on?[273] Further, the corporate-victim is damaged from what is purportedly the largest identity fraud threat, synthetic identity fraud.[274] Who bears those costs? Someone must bear the costs of the losses from synthetic fraud in excess of fifty dollars. These costs must get passed along to citizen-consumers in the form of nebulous and opaque increased fees and premiums, like in the physical world shoplifting situations. Again, reality belies the social fictions that do not acknowledge the damages. Even if one were to accept the claim that these costs are minuscule, unlike shoplifting, electronic "identity lifting" affects, as we previously noted, the citizen beyond just increased prices – it carries the risk and costs of missed opportunities and heightened pricing for loans, insurance, credit card rates, as well as the outright denial of these economic enablers. Admittedly, just as the difficulty in connecting the breach with the illegal use is used to justify denial of damages, so too will the difficulty in proving missed and increased opportunity costs be used to deny the claims plaintiffs put forward.

262. Id.
263. One in Four, supra note 257. See also Robert Gellman, Privacy, Consumers, & Costs: How the Lack of Privacy Costs Consumers and Why Business Studies of Privacy Costs are Biased and Incomplete (2002), available at http://www.epic.org/reports/dmf-privacy.html.
264. See Division of Supervision and Consumer Protection, Cyber Fraud and Financial Crime Report (2007), available at http://blog.washingtonpost.com/securityfix/FDIC%20IN-CIDENT%20REPORTR2Q07r.htm.
265. Automated Clearing House. See NACHA, What is ACH, http://www.nacha.org/About/what_is_ach_.htm (last visited Nov. 22, 2008).
266. Financial Institutions ("FIs").
267. Press Release, BJ's Wholesale, supra note 252.
268. See, e.g., Press Release, ID Analytics, The Telecommunication Risk Management Association (TRMA) Honors ID Analytics' Mike Cook with the 2006 President's Award (Feb. 14, 2007), available at http://www.idanalytics.com/news_and_events/20070214b.html.
269. See, e.g., ID Analytics, Inc., ID Analytics for Data Defense: Maintaining the Trust You've Earned, http://www.idanalytics.com/solutions/datadefense.html (showing an example of an identity theft solution provider's advertisement). Specifically, the advertisement states: in the unfortunate event that evidence of data theft is found, the ID Analytics for Data Defense solution provides breach analysis services free of charge. Breach analysis services are used to determine whether a specific breach has resulted in identity theft in order to provide the precise information required to minimize harm and take restorative action. ID Analytics will work with you to identify the source of compromise. Id. Debix is another example of a company purporting to offer identity theft services. Debix Data Breach Services, http://www.debix.com/business/index.php (last visited Apr. 18, 2009).
270. Statutes have used various comparable standards, such as "possible risk", "likely risk", etc. See, e.g., CONN. GEN. STAT. § 36a-701b (2008) (effective Jan. 1, 2006) (applying a likelihood of harm standard); WASH. REV. CODE § 19.255.010 (LexisNexis 2008) (effective July 24, 2005) (using a standard of reasonable likelihood of risk of criminal activity); DEL. CODE ANN. tit. 6, § 12B-102 (2008) (effective June 28, 2005) (using a likelihood of misuse standard).
271. For example, costs are incurred from remedial actions such as printing and postage of notification letters, retaining legal services to address the legal issues, offering credit monitoring subscriptions to customers, establishing and implementing a toll-free customer support hotline and contract call center, and the more oblique costs related to customer defections.
272. Besides using quantitative, probabilistic bases for painting the risk of the misuse of PII, identity risk analytics can and have used qualitative labeling to support the same end. For example, a popular and prevailing theory is that "synthetic" identity theft is the largest threat. Since this manifestation involves combining identity artifacts from multiple, compromised "real" persons to create a new identity to misuse, such "evidence" can be used to support an argument that the risk of IDT is low, either to subvert notification triggers or litigation damages thresholds.
273. See Section II.2(B)2, supra, Damages Conundrum: Fictions Created and Perpetuated in the Wake of the Data Breaches.
Another market dynamic which reveals the social fiction that there are no, or few, legally recognizable damages from IDT, is the actions of breached companies, what has become a de facto response in the wake of breaches. Specifically, separate from any legal liability determinations, individuals whose names are exposed in breaches are often provided one year's worth of free credit monitoring and their exposed credit cards are cancelled and new cards issued.[275] These gestures are couched as "precautionary" measures by the breached company and are served upon a platter of customer goodwill. Some companies even go so far as to assure customer-victims that they will get the data back and prevent its future use.[276]

While these gestures are a first line response to assuring customers that they will bear no costs, is labeling these responses as "remedial" rather than "proactive" an attempt to avoid admitting that damages have resulted? Or, regardless of the labeling, does the fact that companies take these measures prove that the likelihood of damages to individuals is real? One does not have to wait for a court to determine whether damages have "manifest" themselves to know that someone is paying for the credit monitoring and card reissuance of millions of individuals. Again, although IDC numbers are shrouded, one can infer that the magnitude of losses has reached a tipping point for credit card companies by virtue of the recent implementation of a strict liability standard on breached merchants.[277] Merchants seem to have gotten the message. On October 4, 2008 the National Retail Federation, the trade organization representing many of the retailers in the nation, issued a press release requesting that major players in the credit card industry drop, or at least alter, its requirements that the merchant hang on to point of sale data:

"All of us—merchants, banks, credit card companies and our customers—want to eliminate credit card fraud," said NRF Chief Information Officer David Hogan in the letter. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place."[278]

274. "Synthetic fraud is quickly becoming the more common type of identity fraud, surpassing 'true-name' identity fraud, which corresponds to actual consumers. In 2005, ID Analytics reported that synthetic identity fraud accounted for 74 percent of the total dollars lost by U.S. businesses to ID fraud and 88 percent of all identity fraud 'events' – for example, new account openings and address changes." Leslie McFadden, Detecting Synthetic Identity Fraud, May 16, 2007, http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp.
275. See, e.g., Ross Kerber, Banks Claim Credit Card Breach Affected 94 Million Accounts, INT'L HERALD TRIBUNE, Oct. 24, 2007, http://www.iht.com/articles/2007/10/24/busi-ness/hack.php; David M. Ewalt, Are Companies Liable for ID Data Theft, FORBES, Apr. 14, 2005, http://www.iht.com/articles/2007/10/24/business/hack.php.
276. For example, "In March 2005, the parent company of LexisNexis said hackers got access to personal information of as many as 32,000 U.S. citizens in a database owned by LexisNexis. . . ." Melissa Campanelli, Certegy "Doing Everything Possible" to Ensure Trust With Consumers After Data Breach, DM NEWS, July 5, 2007, http://www.dmnews.com/Certegy-quotdoing-everything-possiblequot-to-ensure-trust-with-consumers-after-data-breach/article/96133/.

(iii) Public Policy

The third basis for refuting the current "no damages" fictions is grounded in the policy that our public health demands that IDC solutions be dealt with at some level from a social-good perspective rather than from a compartmentalized, market-centric one.
The risk of treating IDC as a self-correcting problem for the market to solve is that tangible and latent costs and responsibility for identity fraud will continue to be dispersed and externalized to the point where we will have polluted the reliability of the information which is fueling our society. In other words, there is a public health reason to prevent information chaos and corruption.[279]

True to the nature of a market-dominated economy, as long as profits from the former outweigh costs from the latter, rational businesses will not have incentives to choose the safeguard route. Under this market-centric framework, until the cost of preventing IDC by instituting safeguards and shouldering liability for data breaches surpasses the cost of losses due to IDC, there is no financial incentive for businesses to alter their strategies and practices. The problem with this incentive framework, relying as it does on market self-correction, is that it presumes to account for all the costs of IDC. Besides the fact that lack of reliable IDC data prevents the financial costs of IDT from exposure to consumers and regulators, direct financial losses are only part of the picture.

The indirect and social costs of IDC go beyond the strictures of a balance sheet view of the world. The injuries to individuals have been well documented.[280] Apart from psychological harms, there are the missed opportunity costs and downstream effects from denial of loans and credit, and increased premiums.[281] Absence of standards to measure the indirect-financial losses of IDT does not mean they do not exist. Making the citizen-victim financially whole is only one part of the solution. Breach notification thresholds based on manifestation are short-sighted. Downstream, latent identity integrity damage renders the current protection regime something other than the zero-sum game that financial institutions advocate when they claim that citizen-victims are not out of pocket for fraudulent transactions committed by a third party.[282] We have yet to realize the consequences of making the corruption of identity integrity a negative externality of market control. What are the implications of a free market approach to protecting constitutional rights (i.e., privacy, identity integrity) which is predicated on an individual consumer's ability to negotiate and demand more identity protection? Should not individual identity be an inalienable right that cannot be commoditized?

For example, just because we have not fashioned a way to put numbers to the cost of having one's SSN stolen and used indeterminately in time or place, or cannot quantify the harms from having one's transactions dossier'd by state-sponsored or criminal enterprise, or behavioral marketing intelligence efforts, does not mean that no damages will or have occurred. Further, by allowing instant credit policy to drive the train, while more turnstiles for credit are opened for citizen-consumers they also allow entry for opportunistic and targeted identity thieves.[283]

One of the most obvious showings of information corruption and prescience of a chaotic environment is found in the pervasive growth of spam and phishing – identity theft of the corporate variety and simultaneously a vector to the personal variety. The exponential growth of these attack vectors not only clogs bandwidth and expends the attention of human and systems processing, but it concurrently pollutes the credibility of corporate and individual digital identities.[284] While the arms race between security controls and hackers assures us that attack vectors will be exposed and closed, the ability to measure and remediate damage to corporate reputation and information validity among readers and visitors is way beyond the capacity of technical engineering repair. Instances of end users fooled and defrauded by email schemes are notorious and legion.[285] Undoubtedly, business strategies designed solely or primarily around email communications (targeted marketing, business development, brand building) with citizen-consumers have been altered or rendered futile. PayPal, eBay and the Internal Revenue Service are consummate poster children for the budding chaotic digital environment as a result of identity corruption of the corporate rather than individual variety.[286] Stated differently, arguably there is a presumption of illegitimacy attached to email messages received from these organizations.

277. Minnesota has recently passed a law that, using a strict liability standard, makes merchants liable to card issuers for costs incurred by the issuers as a result of a breach of the merchants' database. MINN. STAT. § 325E.64 (2007).
278. See National Retail Federation, NFR to Credit Card Companies: Stop Forcing Retailers to Store Credit Card Information, Oct. 4, 2007, http://www.nrf.com/modules.phpname=News&op=viewlive&sp_id=380.
279. To be sure, there are counterarguments that restricting the market's use of PII is bad for public policy. One position holds that there has been no demonstrated harm of utilizing PII for behavioral targeting or third-party advertising. Further, some claim that regulating the Internet along these lines threatens the openness and free services and content – a major business model supporting the Internet. Also, some believe that norms and expectations have already been established such that people have been assimilated to the online buying and selling of PII by ad companies. One major point is echoed by New York Assemblyman Richard L. Brodsky: "In the end, I don't have a philosophical objection to targeting, if it's done with permission, but it is absolutely clear that people right now do not understand what they're actually giving up." Louise Story, A Push to Limit the Tracking of Web Surfers' Clicks, N.Y. TIMES, Mar. 20, 2008, available at http://www.nytimes.com/2008/03/20/business/media/20adco.htmlfta=y
280. "In fact, such non-monetary harm, although difficult to quantify, may cause more damage to identity theft victims than quantifiable monetary loss." Haeji Hong, Dismantling The Private Enforcement Of The Privacy Act Of 1974: Doe v. Chao, 38 AKRON L. REV. 71, 108 (2005) (describing the significant non-monetary harm caused by IDT: lost time, emotional distress, incidental financial problems, lawsuits, arrests, etc.). These harms of IDC are similar to what is described more fully in the context of the dangers of market solutions in next section 3(a) Handicapping Horses.
281. See NEWMAN, supra note 42. Newman and McNally point out that societal costs include, among other things: public safety risks/threats; burdens created by the presence of illegal immigrants; potential constitutional intrusions underlying proposed schemes for a national centralized information database, national ID cards, or the use of biometric methods of identification - and their associated financial costs; higher premiums or other costs passed on by companies to consumers; increased paranoia, which may also result in financial costs associated with the purchase of preventive insurance or other methods of personal identity theft prevention; and overall decreased confidence in the promised benefits of the information age. Id.
282. "Visa issued a statement saying it knows of the data security breach and is working with authorities and banks to monitor and prevent fraud. As with MasterCard and Discover, Visa noted that card users are not responsible for fraudulent transactions." Joris Evers, Credit Card Breach Exposes 40 Million Accounts, CNET NEWS, June 18, 2005, http://news.cnet.com/Credit-card-breach-exposes-40-million-accounts/2100-1029_3-5751886.html. See also OECD, SCOPING PAPER ON ONLINE ID THEFT, available at http://www.oecd.org/dataoecd/35/24/40644196.pdf. The report states: In testimony before the Ohio state legislature, the US FTC explained how the loss is allocated between individuals and businesses, stating that: [US] [federal law limits consumers' liability for unauthorized credit card charges to USD 50 per card as long as the credit card company is notified within 60 days of the unauthorized charge. See 12 C.F.R. § 226.12(b). Many credit card companies do not require consumers to pay the USD 50 and will not hold the consumers liable for unauthorized charges, no matter how much time has elapsed since the discovery of the loss or theft of the card. Consumers' liability for unauthorized debit card charges is limited to USD 50 in cases where the loss is reported within two business days, and to USD 500 if reported thereafter. See 15 U.S.C. § 1693g(a). In addition, if consumers do not report unauthorized use when they see it on their bank statement within 60 days of receiving the notice, they may be subject to unlimited liability for losses that occurred after that period. ID Public Entities, Personal Information, and Identity Theft, Hearing Before the Ohio Privacy and Public Records Access Study Comm. of the Ohio Senate and House of Representatives (2007) (statement of the US FTC, delivered by Betsy Broder, Assistant Director of the Division of Privacy and Identity Protection). Id. at 62.
283. This 'instant credit mentality' can be seen on display in the subprime debacle. Easy credit and lax background checks were a bonanza for ID fraud specialists. The fraudsters now face new challenges, however, as access to credit tightens up. See Bob Tedischi, Thieves Tap Into Home Equity, N.Y. TIMES, July 27, 2008, available at http://www.nytimes.com/2008/07/27/realestate/27mort.html_r=1&scp=1&sq=theives%20tap%20eq-uity&st=cse&oref=slogin ("Now that lenders have vastly tightened their lending criteria, criminals who specialize in mortgage fraud have little choice but to move upstream and seek out victims with good credit.").
The justifiable, emerging, apprehension of conducting business electronically shows no sign of retreat. The proliferation of botnets is the most recent and vexing source of information chaos.[287] While estimates vary as to how many hundreds of thousands of computers are unwittingly under the control of criminals, nonetheless their proliferation casts doubt on who is behind a given digital communication.[288] Botnetted end users' systems allow interlopers to masquerade as the legitimate user behind the keyboard, and simultaneously expose any identity artifacts that reside on that system, thus strengthening the ability to impersonate the real person or company.[289]

There are strong public policy arguments that legislative, judicial or free market fictions do not adequately address the real damages stemming from a corrupted information environment. None of these institutional controls has sufficiently accounted for the longitudinal harm to the individual or the aggregate of society.

284. See Secure Computing, Why Corporations Need to Worry About Phishing, Sept. 2004, http://www.ciphertrust.com/resources/articles/articles/phishing.php; Jeff Vance, Phishing More than a Consumer's Problem, CIO UPDATE, June 7, 2005, http://www.cioupdate.com/trends/article.php/3510826/Phishing-More-than-a-Consumers-Problem.htm; Michel J.G. van Eeten & Johannes M. Bauer, Economics of Malware: Security Decisions, Incentives and Externalities, (2008), available at www.oecd.org/sti/working-papers; CLAY WILSON, CONGRESSIONAL RESEARCH SERVICE, BOTNETS, CYBERCRIME, AND CYBERTERRORISM: VULNERABILITIES AND POLICY ISSUES FOR CONGRESS, (2008), available at http://www.fas.org/sgp/crs/terror/RL32114.pdf; AARON EMIGH, ONLINE IDENTITY THEFT: PHISHING TECHNOLOGY, CHOKEPOINTS AND COUNTERMEASURES, (2005), available at http://www.antiphishing.org/Phishing-dhs-report.pdf.
285. See supra note 284. See Robert McMillan, Men Fall Harder Than Women for Internet Fraud, Study Finds, Apr. 3, 2008, http://www.networkworld.com/news/2008/040308-men-fall-harder-than-women.htmlfsrc=rss-security.
286. See Juan Carlos Perez, eBay: Phishing Likely to Blame For Members' Data Theft, INFOWORLD, Sept. 27, 2007, http://www.infoworld.com/article/07/09/27/eBay-says-phishing-likely-to-blame-for-members-data-theft_1.html; Joris Evers, Paypal Fixes Phishing Hole, CNET NEWS, June 16, 2006, http://news.cnet.com/PayPal-fixes-phishing-hole/2100-7349_3-6084974.html; Robert Lemos, IRS Taxed By Phishing Attacks, SECURITYFOCUS, Feb. 20, 2008, http://www.securityfocus.com/brief/684.
287. In 2007, technology pioneer Vint Cerf estimated that as many as 150 million machines are infected by bots. Nate Anderson, Vint Cerf: One Quarter of All Computers Part of a Botnet, ARS TECHNICA, Jan. 25, 2007, http://arstechnica.com/news.ars/post/20070125-8707.html. See also Shadowserver.org, Bot Counts, http://www.shadowserver.org/wiki/pmwiki.phpn=Stats.BotCounts (last visited Aug. 25, 2008).
Coupled with, and compounded by, unreliable and incomplete statistics on IDC, courts reach questionable analytical conclusions with significant consequences. This process, repeated often enough, gains traction as a legal fiction embraced by the courts as well as the holders of PII data. This is a detrimental legal fiction, and injury should be presumed when the data is breached, i.e., the time of exposure.[290] This advocacy should not be mistaken for encouraging and empowering individuals to take steps, as imperfect as those may be at present time, to ameliorate future harm. The presumption advocated in this article incentivizes the entities which possess the data and who are in the best position to protect it, to institute reasonable and appropriate measures to protect society and to spread the cost of heightened protection across a wide spectrum of society.

This presumption also acknowledges what the legal fiction ignores: the core elements of IDC (unauthorized acquisition and use of PII) expand to fit the parameters of their new playing field, the digital Internetworked environment. In the offline realm, misappropriation and abuse of identity is largely fixed, attributable, directly perceived, and bounded (in time and geography); whereas these same actions played out in the online realm are largely experiential, highly mediated, distributed, persistent, anonymous, representational and boundaryless, the consequence of which is a very different identity theft threat model. In turn, IDC laws interpreted in the context of the offline realm fail to accommodate for the differing conditions of the online. When the identity data acquisition and use is digital, there are quantitative and qualitative differences in damages and harm to the person behind the identity. In short, a different victimization structure demands a different response and remediation approach.

The public policy argument should curry favor in light of the backdrop of previously described treatment of IDT damages: combine the judicial hesitancy and legal fiction, with forthcoming federal legislation that will preempt the more consumer-protective state laws and will usher in a self-certifying "significant risk" standard for triggering notification mandates. We are arguably on the cusp of the biggest step backwards in privacy protection in decades.

288. See Bruce Schneier: How Bot Those Nets, Wired, available at, http://www.wired.com/politics/security/commentary/securitymatters/2006/07/71471. Describing the spread of bots: [M]ost bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.) Id.
289. See Bacher et al., Know Your Enemy: Tracking Botnets, Aug. 10, 2008, http://www.honeynet.org/papers/bots/.
290. This classification is extrapolated from specific facts of the seminal negligence case dealing with IDT and data breaches, Stollenwerk v. Tri-West Health Care Alliance, No. CIV 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054 (D. Ariz. 2005). The determinative damages question centers around when the breach-related "injury" "occurs" for purposes of the relevant law. At least three possible time pegs are relevant: (1) the time of exposure: when the ID artifacts were vulnerable to breach by thieves during a security incident; (2) the time of detection: when the compromised ID artifacts reasonably could have been diagnosed; and, (3) the time of manifestation: when the breached ID artifacts were "discovered" to have been compromised. See supra, II.B.2.b.ii, Stollenwerk Progeny and Analogous Law for discussion of asbestos injury-related triggers for liability.
(iv) The Underground Economy: A Black Market in Stolen Identity Artifacts

Finally, there is ample evidence and acknowledgement of a criminal black market in stolen identity information as proof that damages to citizen-victims from IDT are real and consequential.[291] A recent Internet Security Threat Report by cyber protection market leader Symantec attests that the criminals are exchanging stolen full identities for between $14 and $18 and single credit card numbers going for $1 to $6 in this underground economy.[292] This includes a victim's SSN, bank account details including passwords, and other personal information such as date of birth and the victim's mother's maiden name.[293] This report further states that the main victims of online identity theft are U.S. citizens, with U.S. based banks issuing eighty-six percent of the credit and debit cards advertised for sale on the online underground. In addition, the United States also played host to fifty-one percent of servers known to host "underground economy" transactions. Symantec could not provide exact figures for the money changing hands in the underground economy, but it estimated it in the hundreds of millions of dollars.[294]

This market has grown so robust and brazen that the criminal "merchants" operating it have taken to publicly posting whether pilfered and proffered credit card accounts are active and viable. This is not just a game of hacker chest beating, but rather, an exhibition of a market that operates on the same principles as aboveground trade in goods and services, where buyers and sellers can reliably valuate the traded commodity.[295] Furthermore, proposed solutions to combating the criminal economy offer an indirect existence proof of what we conjecture to result from this free flow of identities – information chaos. Specifically, some advocate that one of the only viable ways to disrupt the criminal black market is to pollute the reliability of identities and poison the trust of both the criminals' and victims' reputations so as to destabilize the underlying valuation of the identity commodity.[296]

(c) Victimization Risk: Identity Precogs

Flanking attribution and damages analyses, victimization is the last discussed risk analysis resulting from inferences of dubious data and contributing to misinformed policy. Popular advice hailing from some risk analyses quarters is "the more stolen, the less disclosed."[297] For ex-

291. Peretti, supra note 254, stating: Large scale data breaches would be of no more concern than small scale identity thefts if criminals were unable to quickly and widely distribute the stolen information for subsequent fraudulent use (assuming, of course, that the breach would be quickly detected). Such wide-scale global distribution of stolen information has been made possible for criminals with the advent of criminal websites, known as "carding forums," dedicated to the sale of stolen personal and financial information. These websites allow criminals to quickly sell the fruits of their ill-gotten gains to thousands of eager fraudsters worldwide, thereby creating a black market for stolen personal information.
292. See SYMANTEC INTERNET SECURITY THREAT REPORT: TRENDS FOR JANUARY–JUNE 2007 (2007), available at http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf. The report states: Underground economy servers are used by criminals and criminal organizations to sell stolen information typically for subsequent use in identity theft. This data can include government-issued identification numbers, credit cards, bank cards, personal identification numbers (PINs), user accounts, and email address lists. The emergence of underground economy servers as the de facto trading place for illicit information is indicative of the increased professionalization and commercialization of malicious activities over the past several years.
Id.
293.
Id.
294.
SeeKellyO'Connell,Cyber-CrimeHits$100Billionin2007,Out-earningIllegalDrugTrade,Oct.
17,2007,availableathttp://www.
ibls.
com/internet_law_news_portal_view.
aspxs=latestnews&id=1882295.
SeeBrianKrebs,WebFraud2.
0FakeYouTubePageMakerHelpsSpreadMalware,WASH.
POST,Sept.
12,2008,http://voices.
washingtonpost.
com/securityfix/2008/09/fake_youtube_page_maker_helps.
html.
SeealsoPeretti,supranote254.
296.
SeeJasonFranklin,VernPaxson,AdrianPerrig,&StefanSavage,AnInquiryintotheNatureandCausesoftheWealthofInternetMiscreants,(2007),availableathttp://www.
icir.
org/vern/papers/miscreant-wealth.
ccs07.
pdf.
297.
Forexample,ITsecuritybreachesarenotbehindmostIDtheft.
SarahHilley,NewInstantPhishingPop-upKitsontheRampage,COMPUTERFRAUD&SECURITY,August2007,at10.
TheUSGovernmentAccountabilityOffice(GAO)hassaidthereislimitedevidence\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:7120-MAY-0913:322008]BEYONDWHIFFLE-BALLBATS117ample,recentdatafrominterestedstakeholdersindicatesthatthereislesschanceofbeingvictimizedifone'sidentityispartoflargedatabasebreach.
298WithregardtodatabreachthreatstoIDT,thisvictimizationriskanalysismayleadsomeonetoconclude,dependingonthepreciselanguageofthenumerousnotificationstatutes,thatthereislesslegalobligationtonotifyindividualswhodatahasbeencompromised.
ThatisbecauseinmanyoftheDBNstatutes,aswenotedabove,thestandardfortriggeringnotificationispotentialharmtotheindividualswhosedatahasbeenbreached.
Therelevantlegalquestiontotackleinthiskindofanalysisis:whatisthestandardfordetermining"potentialharm"Thespectrumofstan-dardsrangesfrom"reasonablypossible,"to"likely,"to"substantial"risk.
299Notwithstandingtheveracityofthesupportingevidence,ana-lyticaltheoriesthatthelikelihoodofbecominganIDTvictimislowerwiththelargerthenumberofbreachedrecordslendsupporttodecisionsnotificationandrelatedcostsarenotnecessary.
Anothertheoryprofferedforreducednotificationresponsibilityinthewakeofalargebreachisthatmorenotificationsjustdesensitizevic-timstothepotentialriskofidentitybreacheswithoutraisingawarenessandeffectiveresponse.
300Theproblemswiththeseposturesare:(1)theyarebasedonquestionablethreatmodelassumptionsregardingmonetiz-ingandliquidatingofidentityartifacts;and,(2)theyassumeastaticvulnerabilitymodelwhichignoresthevictim'sabilitytoinvokecontrolssuchascreditfreezesorothermonitoringtoolstopreemptormitigateillegaluseofcompromisedidentities.
Asmentionedabove,IDAnalytics'whitepaperonnationaldatabreacheshasdescribedaformulaicrationaletobackitsassertionsthatthelargerthebreach,thelesslikelythepersonaldatawillbemis-used.
301Thisrationalemaintains:tosuggestthatmostsecuritybreachesleadtoidentitytheft.
SeeIDAnalytics,Inc.
,Na-tionalDataBreachAnalysis(2007),http://www.
idanalytics.
com/assets/pdf/national-data-breach-analysis-overview.
pdf[hereinafterDataBreachAnalysis].
298.
SeeExperts:SmallRiskofIdentityTheftinOhio'sStolenComputerTapeCase,INSURANCEJOURNAL,June27,2007,http://www.
insurancejournal.
com/news/midwest/2007/06/27/81136.
htm("Thesmallerthedataset,thegreaterthechancesthatindividualswillbevictimsofidentitytheft,thecompanyfound.
").
299.
SuprasectionII.
B.
i.
a.
2.
Thetriggerstandardsfornotificationvaryacrossstates.
Ingeneral,theybreakdownalongsomecombinationof"userisk"andcorresponding"out-come.
"Useriskincludes:reasonably-possible,reasonably-believed,risk,reasonably-likely,likely,materialrisk,substantialrisk,significantrisk,substantialrisk;andoutcomein-cludes:breach,misuse,criminalactivity,illegaluse;harm,loss/injury,economicloss,IDtheft/fraud.
300.
SeePERSONALINFORMATION,supranote47,at31.
301.
DataBreachAnalysis,supranote297.
\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:7220-MAY-0913:32118JOURNALOFCOMPUTER&INFORMATIONLAW[Vol.
XXVI[A]cceptingthatittakesapproximatelyfiveminutestofilloutacreditapplication,atthisrateitwouldtakeafraudsterworkingfull-time–averaging6.
5hoursaday,fivedaysaweek,50weeksayear—over50yearstofullyutilizeabreachedfileconsistingofonemillionconsumeridentities.
Ifthecriminaloutsourcedtheworkatarateoftendollarsanhourinanefforttouseabreachedfileofthesamesizeinoneyear,itwouldcostthatcriminalabout$830,000.
302Wechallengethereliabilityofthesetypesofassumptionsandcon-clusionsbyslicingthe"fundamentaltruth"alongadifferentspeculativeplane.
Whatifourenterpriseproductiscigarsratherthanidentities,andownerJoeSmithisamerchantownerwhohastwoemployeesStayingtruetothe"logic"fromtheanalysisabove,Joeisunabletorecruitmoreemployeestosellhiswares,thuslimitingcigarsalestothatwhichJoeandhistwoclerkscantransactfromtheirstore.
Now,suddenlyJoein-heritsawindfallfromthedeathofhisuncle,leaderofanationalstogiecartel.
Similartotheunchallengedassumptionsthatidentityfraudstersareceilinged-offfromprocessingalargenumberof"personproducts,"Joeandhiscrewoftwolikewisearelimitedintheirabilitytosellthelargebootyandtheysubsequentlypineawayinawarehousehumidor.
Arguably,anylucidmerchantinJoe'ssituationwouldresolvetheostensibledilemmabysellingthecigarsinbulktosomeoneelseinthecigarbusiness,orforthatmatterinthebusinessofmakingmoney.
Tobesure,Joewouldnotextractprofitfromeverycigar,sincehisoffloadingwouldnecessitatesellingthematareducedprice,i.
e.
,wholesaleratherthanretail.
Recall,however,sinceJoepaidnothingforthecigarsinthefirstplaceeventhereducedpriceamountstoabankrollforJoe.
QuerywhythesolutionproposedhereforJoe'scigarsisfundamentallydiffer-entthanwhatapersonengagedinfraud,attainingawindfallofidenti-tiesfacesAssumingbothareincentivizedbyavirtuallyguaranteedprofit,whywouldnotthepurveyorsofidentitiessellthedataintheblackmarketeconomyTheansweristiedtoanotherassumption-turned-socialfictionwhichisspreadbyvictimizationriskanalyses:thevictimizationriskfromIDTisbeingcalculatedsansabig,blackelephantinthemiddleoftheroom:theundergroundmarketinPII.
303302.
Id.
IDAnalyticscarefullypeppersitsreportswithimplicitdisclaimersaboutlimi-tationsofitsanalyses,accompaniedbytheexplicitclaimsthatitisthe"ONLYresearchavailabletodaythathaslookedatACTUALbreaches.
.
.
"Id.
303.
IDAnalytics,NationalDataBreachAnalysis,TheDataBreachHarmAnalysis,http://www.
idanalytics.
com/whitepapers/(lastvisitedSept.
18,2008).
IDAnalyticsdoesat-tachadisclaimertoitsanalysis,namely,"Themisuseratecouldincreasedrasticallyifthecurrentfor"identities"remainsunimpededandbecomesmorecentralizedandefficient.
"Id.
Towhichweask,howisthatwehaven'talreadyreachedthatpoint,andifwehavenot,howandwhomightsatisfactorilygaugewhenthattippingpointhasoccurred.
.
.
itisafterall,amarketunregulatedbytheSECorastransparentasNASDAQ.
\\server05\productn\S\SFT\26-1\SFT102.
Despite the legal fiction encompassed by the courts' failure to recognize IDC damages in wrongful identity acquisition scenarios, the public pressure to address IDC has become apparent amidst a growing demand for control and preventive intervention. If we picture our political economy as an organism as a petri dish, where the ratio of free flowing data substrate to secure PII substrate weighs supreme, a reaction is being catalyzed by the lack of widespread understanding of IDC combined with the deluge of voices clamoring for a solution. One product of this reaction is "identity scoring" or "identity analytics," trade names for IDT victimization risk analysis. Stated differently, identity scoring is a recent market response to the consumer demand for identity control, security, and determinism. ID scoring is the use of risk analytics in a predictive way to engage in identity risk management. For example, identity proofing is the use of identity artifacts (transactional information from various proprietary, public, and private databases) to authenticate an identity based on the statistical probability it is bona fide or has been pilfered.304

The harmful significance of identity scoring lies not so much in what the information is, but more so with when and how the information is used. Identity scoring occurs prior to knowledge of any wrongful act or verification of specific reasonable suspicion of criminal activity, to prevent or monitor possible IDC activity. This process is different than previous credit risk scoring analytics gathered after specific reasonable suspicion or factual proof of adverse activity has been established.305 Companies are increasingly turning to ID scoring to engage in the "pre-cogging" of IDC.306

What is the harm in applying predictive analytic techniques to assess victimization from IDC? The consequences of ID scoring are tenuous given that companies have little incentive to disclose when their use of identity scoring causes harm to their corporation (lost potential customers and profit) or an affected individual (the person whose identity was deemed inauthentic and thus refused goods/services). The underlying techniques are often ill-fitted to the probabilistic conclusions about victimization. The technique has not been deployed long or widely enough for true ID fraud to manifest, and be identified, and such an undertaking is beleaguered by the difficulties of proving a negative. Nevertheless, we might gauge the risks of these identity analytics by comparatively analyzing ID scoring to the pursuit of predicting future violent behavior insofar as they have analogous drivers, objectives and purported benefits or uses, yet the resulting dangers and implications are socially significant.

First, the facts driving the need to predict violent behavior or identity authenticity coincide. Violent crime and ID theft are threats to the individual and society. Also, prediction techniques are not completely accurate and the public demands for control of these crimes are increasing in number and intensity. Finally, as a result, there is a need for some level of preventative intervention.

As with violence prediction whose objective is to reduce violent crime by predicting a person's potential for inflicting serious bodily harm, identity scoring is aimed at reducing loss that results from fraudulent use of another's identity by predicting whether the applicant identity is reliable or stolen. With violence prediction, the control is a decision to release or imprison a person based on future criminality, while the decision to grant or deny credit benefits is controlled by the authenticity of an applicant's identity.

The problem with both predictive risk situations is a familiar one, that of false positives, where a person is inaccurately labeled dangerous or declared to have dubious identity reliability. The resulting damages on a social level can include statutes, policies and judicial decisions that rely on the seductive illusion of the predictive accuracy, and the use of invalid predictions as a control mechanism for social norms and attitudes. On an individual level, over-prediction can result in denial or violation of civil rights and social liberties, and the criminalization of citizen-victims.

To be sure, predictive technologies can offer insight and knowledge, but the question should be: How should the inferences and gleaned knowledge be used to make decisions in light of ethical and legal considerations?307 As discussed subsequently, if the proper entities do not know the methodology underlying the results, there is no way to assess how the predictions serve the objectives for which they are being applied. For example, "what is the deterrent value and effect of violence prediction on the crime rate?" can be likened to "what are the loss savings and effect of ID scoring on financial or other fraud?" In other words, without knowledge of the underlying technique and data, how do we know that ID scoring is identifying and reducing identity fraud? Further, absent some reasonable level of transparency and participation in the development and application of the methodology (i.e., which factors to use to improve accuracy or how the methodology can be improved to produce accurate results), identity scoring risks self-reinforcing irresponsible or unaccountable knowledge and resulting actions upon which it is based.308

(i) ID Scoring: Handicapping Horses

In our race to get ahead of threats and vulnerabilities associated with IDC, utmost attention must be paid to both the analytical risk models chosen and the data which is fed into those models. Otherwise, the lineage of decisions, perceptions, expenditures, and allocation of resources that spawn from reliance on the accuracy of those risk models will be tainted by the fiction and confusion instigated by the fraudulent identities themselves.

Identity analytics, and specifically, identity scoring, is one of industry's latest responses to the proliferation of IDC. This technique and the entities that build or sustain business models around it are the progeny of the bare-knuckled free market driven policy: information security inefficiencies taking a back seat to information availability efficiencies. In lieu of comprehensive, agreeable IDC statistics the economics of digital identity are about the scarcity of reliable digital identities. Identity scorers are the new suppliers in this market. They are the intermediaries for digital identity artifacts, the new gatekeepers of identity reliability.

304. Note the distinction between scoring and proofing. Scoring is a process for measuring the reliability/legitimacy of an identity by matching it with a broad range of available information, and with predicted patterns of behavior. Proofing, on the other hand, is the process of matching a human to a particular token of identity. In other words, making sure someone is who he says he is. Proofing is the complement of authentication. Authentication is the verification of some identity credential or mechanism, like a password or a smartcard. Proofing matches the person to the authentication mechanism. So authentication verifies the identity token. Proofing matches a person to that token. Scoring measures the reliability of such a match. See Harold Kraft, Identity Scoring: New Defense Against Data Breaches, E-COMMERCE TIMES, Feb. 15, 2007, available at http://www.technewsworld.com/story/55770.htmlwelcome=1205363504&welcome=1205364435&wlc=1220385122; Wikipedia, Identity Score, http://en.wikipedia.org/wiki/Identity_score (as of Dec. 16, 2008, 16:53 GMT); What is Online Identity Proofing and How Does it Work, Security ITHUB, http://www.security.ithub.com/article/What+Is+Online+Identity+Proofing+and+How+Does+it+Work/212750_1.aspx (last visited Sept. 18, 2008).

305. See Use and Management of Criminal History Record Information: A Comprehensive Report, U.S. Department of Justice Bureau of Justice Statistics, http://www.ojp.usdoj.gov/bjs/abstract/umchri01.htm (last visited Sept. 8, 2008).

306. From a business perspective, this is because credit-based exchanges are predicated on knowing an individual's credit/transaction history, which in turn is dependent on being able to correlate the consumer to the record of the consumer's actions. Absent reliable assurances that the credit-seeker is not an impersonator, there is no way to ensure shared risk and commerce will generally collapse. See Charles Kahn, Credit and Identity Theft, J. MONETARY ECON., available at http://www.sciencedirect.com/science/journal/03043932.

307. Keep in mind that decisions reached and spread in digital format are, in many cases, notoriously tenacious in resisting correction. The stories of the poor souls who wind up mistakenly placed on the TSA flight risk list are but one example of this tenaciousness. See Thousands Wrongly on Terror List, http://www.globalissues.org/article/692/thousands-wrongly-on-terror-list (last visited Sept. 2, 2008).

308. Beverly Koerin, Violent crime: Prediction and Control, Crime delinquency, http://cad.sagepub.com/cgi/content/abstract/24/1/49 (last visited Sept. 8, 2008). In general, the methodology involved in predictive analytics involves: 1) Identifying the criterion for the categories of behavior/identity, 2) Identifying the predictor factors, 3) Defining the process for classifying based on behavior/identity artifacts, 4) Testing on a target population the relationship between the criteria and the predictors, and 5) Retesting to cross-validate. Id.
ID scorers are playing an increasing role in managing and crafting information from the enormous amount of identity data available electronically. As the technique is applied, ID scoring involves profiling identity artifacts in relation to identity events, behaviors and relationships, creating an identity rating score for a person using analytical techniques, and then selling those scores. If credit scoring attempts to predict the risk that an identified person will not pay off a future debt based on past transactions, identity scoring deals with that same risk by attempting to predict the risk that an identified person is inauthentic, thus inferring that any subsequent debt is likely to go unpaid.

To underscore the gravity of the concerns posed by ID scorers, we analogize identity scorers to public service corporations based on functional similarities.309 Like railroads to 19th Century industrial society, steel mills to the manufacturing society, and search engines and telecommunications carriers to the information society, identity scorers are private businesses that increasingly control resources with important public implications. Identity scorers also affect broad segments of society, and by proxy wield the power of the markets they serve not unlike that of a public authority.310

The most prevalent grievance against public service corporations is bias – inequitable or unfair treatment or refusal to serve some individuals or groups. The problem of bias in identity ranking involves: 1) The choice of data placed in the "ranking machine"; 2) The model or formula applied to that data; and, 3) The nature and weight of the inferences attached to the outcome of the formula. When one or more of these variables is locked up by organizations in the face of formidable public interest in transparency and accountability of the "sausage-making-process," we are left with a black box society, where decisions are made that affect society absent its citizenry having accurate perception and/or participation in the basis for such decisions.

How might this bias be applied? The algorithm which informs the probability of identity authenticity may be dialed to satisfy clients' needs such as maintaining market advantage over its competitors (e.g., to meet Red Flag compliance requirements). The algorithm may also be adjusted in response to the changing threat model posed by fraudsters, thus altering perceptions about the extent of ID fraud. The results may be manipulated in response to inducements by clients or other influential entities who seek trends that are favorably tied to economic decisions. Finally, results can be skewed to assure the perpetuation of the ID scoring business model. Also, the breadth of the bias can extend universally or locally, which means the range of persons affected can fall anywhere on a spectrum.311

The harmful or contentious effects of ID scoring bias are numerous and consequential. The bias in algorithm decisions which generate one's identity ranking carries risk for both the individual as well as the organization making business decisions based on the reliability of that determination. The harms include the undermining of democratic values including fairness and individual autonomy and, ironically, the creation of economic inefficiencies. For example, under the efficient market theory, businesses can only make rational decisions when they have accurate information. A lender bank or insurance company, for example, makes its decision about extending credit, or backstopping health coverage based on information about whether an applicant is who he says he is. If this information is inaccurate (either the results produced are a false positive or false negative) then those decisions and systems fail.

As it relates to individual harm, ID scorers may undermine a person's freedom by threatening the open and equally available opportunity to avail herself of the goods and services upon which it runs. The democratic principles of participation, fairness and individual autonomy, which are guaranteed in our government's interactions with its citizens, have nonetheless migrated to the private sector where there are expectations that companies treat customers fairly. Although not backed by the force of the Constitution, citizens' expectations of democratic values are manifest in legal tools such as consumer protection statutes, freedom of information and public records acts, and private rights of action, not to mention via the invisible hand of the market, where companies are reminded of the force of consumer preferences and the court of public opinion.

Specifically, these principles come to the fore when individuals are denied loans or other credit, or are subjected to higher rates or premiums based on the identity risk score used by the respective financial institution. Yet, these principles are sidestepped when individuals have no mechanism to access, comprehend, respond to, or participate in the determinations to grant or deny them fundamental tools to survive in our capitalistic society.312

What is worse, the ID scorer market is selling its solution implicitly and explicitly to the would-be citizen-victim. The question is whether this market is providing the illusion of control by offering convenience in assessing digital identity authenticity, or, is it reinforcing a lack of control and choice for the individuals behind the digital identities? If the concept of privacy includes an individual's capability to control information about him or herself, the question becomes whether the technological capabilities of identity scoring to create an analysis or "virtual picture" of an individual that is contained in the electronic marketplace violates such person's privacy by supplanting his control over his personal information.313

Opponents of this position may argue that fairness norms have no place mat at the free market table.314 Courts and regulators, however, have been more amenable to applying fairness and accountability norms to private companies when affected persons have no alternatives or way to "exit."315 Specifically, ID scorers are on the cusp of occupying a significant place of power insofar as their identity scoring decisions are likely to become pivotal to whether individuals obtain credit and derivative goods and services. This is true to the extent that they reach minimum thresholds of participation by financial services, insurance, real estate, e-commerce, government and retail institutions, which rely on their analyses to prevent loss from ID fraud.

More importantly, industry clients are incentivized to patronize the ID Scorers with the largest client base, thus perpetuating the network effects of having all identity proofing controlled by a few entities. Each additional company that contributes to the pool of ID artifacts by joining the network theoretically decreases the cost of better predictions that result from optimization (algorithm tuning) based on this new data.316 In this sense, citizen consumers will have no input in choosing, let alone avoiding, identity vetting by one or a few private entities. The ability to enter into meaningful agreements will be an illusion at best.317

Second, the deleterious effect on individual autonomy is a related potential harm flowing from ID scorer bias. As Charles Taylor expressed in What's Wrong with Negative Liberty, autonomy encompasses more than the absence of constraint, but rather, involves a meaningful variety of choices, relevant knowledge of societal context, and alternatives, and the capacity to evaluate and make a choice among options. So, applying the adage if "A controls the window through which B sees the world then the autonomy of B is diminished," ID scorers will increasingly control the flow of information about individuals' identity authenticity in ways that shape and constrain their choices by passing judgment to institutional decision makers and eliminating access to that flow of information to the subjects of those determinations. The citizen applicant sees only the rejected application with a minimal and abstract reasoning couched as objective criteria for denial. The intervention and significance of the role played by the ID scorer in making this determination is neither transparent nor increasingly avoidable.318

309. We distinguish between "ID scorers" as market entities and "ID scoring" as techniques that may be used by market entities, because of qualitative and quantitative difference in harms and remedies. Since the completeness and theoretical accuracy of one's identity score is directly proportional to the scope of the network activities used to baseline and optimize the results, it is reasonable to conjecture that business models will continue to be built on acquiring and offering access to the "network" rather than just a stand-alone tool.

310. Oren Bracha & Frank Pasquale, Federal Search Commission? Access, Fairness, and Accountability in the Law of Search, http://works.bepress.com/oren_bracha/1/ (last visited Sept. 2, 2008).

311. The very act of ranking presumes the criteria underlying the predictive algorithms carries a decisional bias: some identity artifacts have greater importance than others. Optimization involves iteratively tweaking the algorithm and criteria to more closely align the results with the objectives.

312. The risk of lack of oversight and accountability for safeguarding citizens' rights is illustrated by how identity theft service and data providers are able to skirt requirements imposed upon entities covered by FCRA with contractual disclaimer language. In this way, they wield, albeit informally, the authority yet bear none of the responsibility of entities regulated by FCRA. For example:

You acknowledge that any information or report which is covered by the FAIR CREDIT REPORTING ACT (public law 91-508, 15 USC section 1681, et seq. sub-sections 604-615) will be requested and used by the client in full compliance with the terms and intent of that act. The client understands that the purpose of the information purchased as covered by the Fair Credit Reporting Act must be identified, that the information received is for the client's use only, and that there are criminal penalties for willful violation of this act. Background Check Disclaimer, https://www.efindoutthetruth.com/disclaimer.htm (last visited Apr. 21, 2008).

I will comply with all applicable laws concerning access to or use of criminal records, and I agree to comply with the federal Fair Credit Reporting Act, 15 USC § 1681 et seq. I agree to hold harmless the provider of this service, its officers and employees, from any expense or damage resulting from the publication of information provided by this service." abNC, Disclaimer, http://www.abcnc.com/Disclaimer.aspx (last visited Apr. 21, 2008).

Further, I will not, either personally or through my company, employer or anyone else, use this information for credit granting, credit monitoring, account review, insurance underwriting, employment or any other purpose covered by the Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq, ("FCRA"), Federal Trade Commission interpretations of the FCRA, and similar state statutes. FCRA Disclaimer, http://www.findpeople.org/infoquest/Disclaimer.html (last visited Apr. 21, 2008).

313. See Charles Fried, Privacy, 77 YALE L.J. 475, 482-83 (1968) [hereinafter Fried]; Tom Gerety, Redefining Privacy, 12 HARV. C.R.-C.L. L. REV. 233, 281 (1977) [hereinafter Gerety]. Professor Fried argues that a "person who enjoys privacy is able to grant or deny access to others" of information about him or herself. Fried, supra, at 482. Professor Fried uses the example of a house to explain his point. Id. at 483. One's house is private because the law allows individuals to exclude others from the house, and the "house is constructed - with doors, windows, window shades - to allow it to be made private." Id. Professor Fried also makes a distinction between simple control over the quantity of information and control over the quality of the knowledge. Id. "We may not mind that a person knows a general fact about us, and yet feel our privacy invaded if he knows the details." Id. Professor Gerety argues that "[p]rivacy is . . . the control over the autonomy of the intimacies of personal identity." Gerety, supra at 281. Professor Gerety distinguishes privacy from confidentiality. See id. at 282. Private information "excludes all but such information as is necessary to the intimacies of our personal identities." Id. Confidentiality, however, is created through either "implicit or explicit mutual agreement" and does not depend on the type of information. Id.

This concept of privacy as an individual's capability to control information about him or herself has also been referred to as "database privacy." Frederick Schauer, Internet Privacy and the Public-Private Distinction, 38 JURIMETRICS J. 555, 556 (1998). Professor Schauer defines "database privacy" as "the purported right of individuals to control the distribution and availability of information about themselves that may appear in various governmental and nongovernmental databases." Id.

314. The option to voice change in the market as a way to reform or protest is comparatively credible as exiting the market. Hirschman, Exit and Voice: an expanding sphere of influence, Rival Views of market Society and Other Recent Essays 55 (Elizabeth Sifton Books) (1986). In fairness, there are legitimate arguments based on intellectual property rights and public interest that support some level of protection of ID scoring algorithms. Id. Full, public transparency could be detrimental to the quality of the ranking since knowledge by fraudsters may enable them to manipulate their tactics in using the stolen identity artifacts. Id. This gaming could also magnify structural biases of ranking algorithms in favor of certain institutions. Id.

315. Bracha, supra note 97, at 289.

316. Optimization involves iteratively tweaking the algorithm and criteria to more closely align the results with the objectives.

317. We acknowledge the counter-argument: practicality and efficiency demands that we cannot afford to have a system that allows individuals, per occurrence, to negotiate with institutions; and, that people actually do not want to contract individually because they are not knowledgeable enough to make the best decision for themselves and/or don't want to hassle with it. The existence proof of the counter-argument to this posture is the European Union, which allows citizens control over such data.

318. See, e.g., Beck, Credit Scores Hit by Card Limits, http://news.yahoo.com/s/ap/20080628/ap_on_bi_ge/all_business (last visited Sept. 8, 2008). Card companies are reducing borrowing limits for tens of thousands of consumers, which then can lead to lower credit scores. Those facing this predicament might not even know it until they apply for a loan or another credit card, and then get denied because their credit score has dropped. This is an unintended consequence of the financial world's widespread ratcheting down of risk. Banks and other card lenders are trying to better protect themselves from more massive losses like those they've seen from subprime mortgages. As a result, they are looking for ways to reduce their exposure to cardholders more likely to default. . . . Here's how that happens: Let's say a cardholder has a credit limit of $10,000 and a balance on the card of $4,000. The card company worries that large balance may increase the prospects for default, so it lowers the credit line to $5,000. But in doing that, it completely changes what is known as the credit utilization rate, raising it from 40 percent to 80 percent. That is then factored into the calculation of one's so-called FICO credit score, which measures creditworthiness, according to Craig Watts, a spokesman for FICO-creator Fair Isaac Corp. A lower FICO score could make it more expensive for someone trying to borrow money. For instance, someone taking out a $25,000 36-month auto loan would see an interest rate of about 6.4 percent and a monthly payment of $765 if they were in the highest range of FICO scores of 720 to 850, according to Fair Isaac's Web site, myFICO.com. That then jumps to an interest rate of 7.3 percent and a monthly payment of $776 for those with a score of 690 to 719 and as much as 15 percent or $866 a month for those with the lowest FICO range of 500 to 589. According to the Comptroller of the Currency, one of the government agencies that regulate U.S. banks, companies must notify cardholders at least 15 days in advance before making changes in the terms of their account, such as lowering the credit limit. But they don't have to explain how that could
txtunknownSeq:8120-MAY-0913:322008]BEYONDWHIFFLE-BALLBATS127AnothercontentiouseffectofIDscorersisthatbyhavingconcen-tratedcontrolovertheflowofinformation(i.
e.
,goodandbadidentityartifactprofiles)andtheabilitytomanipulateit,economicinefficiencyandstifledcompetitionmayresult.
319Inotherwords,wemayfacetheillsthatbesetmonopolyregimes.
TheargumenthereisthatIDscorersareactingasgatekeepersofidentityreliabilityandcanusethispositiontoincreaseordecreasethepoolof"authentic"identitieswhowanttoen-gageinthecredit(orothersystempredicatedonidentityauthentication)system,therebylimitingcompetitionamongclientinstitutionsbyskew-inginformationflowsorstiflinginnovationorother"valuegenerating"solutionsbydisincentivizinginvestmentinotherprovidersofIDauthen-tication.
Forexample,AcmeBankmayhavedisproportionatelyhighernumbersofallegedfraudulentapplicantscomparedtoitscompetitorBetaBank,andthusitdoesnotextendasmuchcredit,andreapthederivativeeffectsthatflowtherefrom.
Finally,perhapsthemostperilousconsequenceofrelianceonaclosedsystemofidentityscoringistherelativeinabilitytoundoanerro-neousjudgmenthasbeenactedupon.
Take,forexample,acommonsce-nariowhereapersonisdeniedaloanbecauseofalowIDscoreandsuchdeterminationisreportedtoanynumberofinstitutionsassociatedwiththetransaction,suchasconsumercreditbureaus.
Iftheinformationwasfedintothealgorithmorthealgorithmconfigurationitselfislaterdeter-minedtobeinaccurate,evenassumingacorrectionandproperdecisionbythecompanydirectlyrelyingontheconclusionweremade,thelikeli-hoodalldownstreamrecipientsofandactionspredicatedoninitialinfor-mationwillberetractedisapipedream,atbest.
Toparaphraseanadage,"thetoothpasteisoutofthetubeandit'snotgoingbackin.
"Thiserroneousrelianceonflawedinformationiswhatspawnsthepollutionofthatidentity,foritcannotberetractedandwillcontinuetobeassociatedwithsuchindividualwhensheattemptstoestablishcredibilitywithanynumberofmarketparticipantswhoactonthereliabilityofthatoriginalpronouncement.
(ii)IdentityAnalytics–CaseExampleWeinsertsometeethintotheriskanalysisofidentityscoringwithinthecontextofourcurrentIDTheftcrisisbyturningtofirst-sourcefind-ingsproducedbyamarket-leadingidentityscorercompany.
IDAnalyt-ics,retainedbyvarioushighprofilecorporatevictimsofdatabasechangeanindividual'screditscore.
Thatputstheburdenonconsumerstowatchoutforthis.
Theybettersotheydon'tgetblindsided.
Id.
319.
SeeOrenBracha&FrankPasquale,FederalSearchCommissionAccess,Fairness,andAccountabilityinthelawofSearch,http://works.
bepress.
com/oren_bracha/1/(lastvis-itedSept.
2,2008).
\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:8220-MAY-0913:32128JOURNALOFCOMPUTER&INFORMATIONLAW[Vol.
XXVIbreachesprofessestohaveconductedtheonlynationaldatabasebreachstudy.
Sinceknowledgeaboutthedynamicsoftheirmethodologyanddataisundisclosed,werelyonstatisticsandconclusionsrenderedinitstwomajorpublicationsonthesubject,TheNationalDataBreachAnaly-sisandTheDataBreachHarmAnalysis,alongwithnewsmediareportsandconferencepronouncements.
320Itisuponthiscorpusofinformationwehighlightseveralcontentiousanalysesandtherealconsequencesthatmayflowasaresult.
320. ID Analytics National Data Breach Analysis, The Data Breach Harm Analysis, http://www.idanalytics.com/whitepapers/ (last visited Sept. 18, 2008).

The bias in these conclusory findings is manifest more so in what is not stated, but what is inferred, rather than what is explicitly imparted. For example:

- The highest rate of misuse of PII compromised in a data breach was 0.098 percent.
- Criminals are limited by practical considerations when using stolen IDs. This suggests that the smaller the intentional data breach, the higher the identity theft risk posed to the individual consumer impacted by a data breach.

It bears dissecting these claims to see a different perspective of the truth behind the analyses. For one, this analysis covers only one type of IDT – the directly financially motivated variety, which is only a slice of the pie. It does not address the other types of IDT such as healthcare/medical, immigration, terrorism, or criminal IDT. Within the category of financially motivated IDT, it only addresses credit card application fraud. Again, this is only a percentage of the subsets of financial IDT such as fraudulent use of ATM/Credit Card, forged checks, fraudulent tax returns, or acquisition of additional identity documents like breeder documents such as Driver's License, Passport, Identification card, etc. Third, the conclusions only encompass that single type and single subset of IDT, which are limited to its proprietary network of clients, which include the likes of financial institutions, retailers, utilities, and auto dealers. IDA's conclusions are based on the assumption that if the identity artifacts are not: (1) manifest in a fraudulent credit application; (2) inside the limited realm of its network of clients; and (3) within the immediate aftermath of a breach or within a maximum of six months, then a person is deemed to not be at risk of having his identity stolen. Yet, in light of the facts that there is an underground market which thrives on trade in ID artifacts, identity artifacts are relatively permanent,321 and, above ground commercial transactions anchor on identity artifacts (which means artifacts have staying power in the marketplace), there is very little supporting the notion the artifact will not be resurrected and used fraudulently across time and space. In other words, given the conditions above, there is no predicting one's identity artifact(s) will not be used fraudulently at the local bank or in a mortgage transaction across the world, within a week, six months, or several years.

321. The artifacts we use to identify and often authenticate are relatively static across time and difficult to change. This is a significant feature of our notion of identity - permanence and fixity, which similarly is an assumption upon which our propositions in this paper are based.
To dissect further, applying basic math and reasoning to what is disclosed by IDA only reinforces concern for how the undisclosed data is sliced to justify its findings and conclusions. For instance, encompassing complete coverage of all United States identities juxtaposed with pronouncements about handling three billion identity artifacts means that at best, their probabilities are based on at most 750,000 people, which flies in the face of common knowledge let alone United States Census records about the number of persons in the United States.322

So what is the significance of the skewed analyses we underscore, in light of harms we described in the previous section - biased results, diminished personal autonomy, stifled competition and lack of control over one's identity? From a legal risk and responsibility perspective, courts are requiring manifestation of damages in lawsuits and breached companies are required to justify decisions to notify or not based on standards of "reasonable likelihood." Identity analytics is being relied upon to support conclusions about whether the identities in the breach have been compromised based on ID scoring techniques and networks. In light of the black box approach to disclosing what data and model companies like IDA use to reach conclusions,323 which involves more than just studying the data involved in the breach, it is difficult to determine how and to what extent the IDA conclusions are being used.

The bias risk is real and apparent, insofar as companies offering this type of analytical conclusion stand to profit from their opaque ratings and self-fulfilling prophecies. This is especially so given we suggest identity scoring is a logical complement and evolution of credit risk scoring. Although not widely publicized, the checks and balances on such bias risk in the credit arena are loose at best. If creditors have no duty to consumers to ensure the accuracy of the analytical scoring upon which they rely, then certainly the companies doing the ratings are under no legal obligation to provide empirical and objectively accurate analytical results.324 Within these liability gaps, then, lies fertile ground for analytics companies to sow seeds that are beneficial to their corporate customers.

322. This calculation is based on four artifacts per person, and this figure is liberal because we assume that all applications analyzed were from distinctly different persons.

323. The justification being that such transparency would undermine trade secrets.

324. Baker v. Capital One, 2006 U.S. Dist. LEXIS 62053, No. CV 04-1192-PHX-NVW (D. Ariz. Aug. 28, 2006). The court, however, has already determined that 15 U.S.C. § 1681s-2(b) does not by its terms require creditors to report consumers' credit limits. Id. Granted, a creditors' choice not to report its customer's credit limits may negatively effect those customers' credit scores, if calculated using FICO methodology. But third party use of a possibly imperfect methodology in synthesizing consumer information for commercial use does not give rise to a legal duty, previously unrecognized, requiring creditors to cater their reporting to such third party's methodology. Baker has provided no authority for the proposition that creditors bear responsibility for assuring that FICO score generators render "accurate" results when inputted with otherwise accurate reported information. Id. Rather, the legal duty of creditors to report information in response to disputes is governed by 15 U.S.C. § 1681s-2(b), which includes no specific requirement that credit limits be reported by creditors who do not ordinarily do so. Id.

Nevertheless, there is no speculating that implicit in their reported conclusions about the scope and prevalence of IDT, is that the breached identities have in fact been "compromised." ID Analytics uses the fact that all or part of the breached identity was used in an attempted account opening as the basis for its conclusions on the likelihood of an identity being misused, or "compromised." Yet paradoxically, these allegedly compromised identities are not being recognized by courts as having been misused as illustrated by the previously discussed jettisoning of data breach lawsuits for lack of damages. If ID scoring is used to support a denial of services or financial benefits, why are those same conclusions not being used to support damages requirements for citizens whose identity has been compromised in a data breach?

Breached businesses are seeking methods by which to gauge the notification trigger: whether or not the breach has resulted in a reasonable likelihood of a harmful outcome.325 The trigger standard, which dictates whether they are required to notify, is a mandate that has nontrivial economic ramifications. In light of the confusion and uncertainty in applying the standard, it is reasonable to suspect an identity risk scoring solution may be implemented to decide if the breached identities should be notified, or to support or refute damage assessment, or even to gauge compliance risk in the normal course of business before a breach occurs. Such an application is already occurring in the realm of compliance with a related mandate, the Red Flag Regulations mandated by FACTA which go into effect in November, 2008.326 These federal regulations mandate all creditors – financial institutions, retailers, utilities, and auto dealers that extend consumer credit or hold consumer accounts. The purpose is to develop and implement a proactive Identity Theft Prevention Program. For instance, ID Analytics product, "ID Analytics for Compliance" is touted as a product solution for entities that come within the scope of the Rules:

"Today's consumers face a wider variety of identity fraud threats than ever before. Businesses must do their part to protect against identity theft while maintaining a high quality, seamless business experience for legitimate consumers," said Todd Higginson, director of product marketing, ID Analytics, Inc. "By resolving Red Flags without manual intervention, ID Analytics for Compliance minimizes the use of time-consuming review processes that drive customers away. Technologies that detect and do not resolve Red Flags will create problems, not solutions, for creditors."327

325. The trigger standards for notification vary across states. In general, they break down along some combination of 'use risk' and corresponding 'outcome'. Use risk includes: reasonably-possible, reasonably-believed, risk, reasonably-likely, likely, material risk, substantial risk, significant risk, substantial risk; and outcome includes: breach, misuse, criminal activity, illegal use; harm, loss/injury, economic loss, ID theft/fraud.

326. The regulations and guidelines implement sections 114 & 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (FACTA) (codified at 15 U.S.C. §§ 1681m(e), 1681c(h)). The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts. Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63,718 (Nov. 9, 2007) (promulgated jointly by several agencies and codified in various parts of the C.F.R.). The Program must include reasonable policies and procedures for identifying "red flags" that will help detect, prevent, and mitigate identity theft. Id.

327. ID Analytics, Press Release: ID Analytics for Compliance Enables Creditors to Satisfy Red Flag and Address Discrepancy Compliance Without Impacting the Consumer Experience (May 7, 2008), available at http://www.idanalytics.com/news_and_events/20080507.html (last visited May 7, 2008).

There is strong reason to believe, given the cost-prohibitive and intractable reality of compartmentalizing the spread of electronic information once it is exposed in our internetworked environment, organizations will turn to probabilistic statistics about the rate of misuse to inform their self-certifying conclusions that breach notification has not been triggered. Similarly, it is not implausible to believe that a secondary use of this analysis will inform legal determinations about future damages for IDT victims who exercise private rights of action. In other words, will standards for breach notification and damages devolve into probabilistic-guesswork, rather than the causal-determinism upon which our legal system is based? Given the lack of transparency in methodology, data, and statistical significance of the findings as it relates to the appropriateness of applying these probabilities to dissimilar fact patterns, strong caution should be the beacon when engaging in decision making based on these analytical conclusions.

As for diminished autonomy risk, the algorithms used by identity scorers establish one's rank relative to others in the respective data network. Consequently, not unlike the use of algorithms in search engine page ranking to affect how high a website is listed in search results, it is easy to comparatively conclude how individuals can be unfairly graded in a creditor's search for high-ranking identities. From a business perspective, this has resulted in lawsuits over significant revenue decline. From an individual's perspective, similar damages result in lost opportunity costs or other even less tangible or traceable harms.328

A final harm from loss of control over one's identity is the danger it cannot be remediated or cleaned up. The identity scoring may in fact be beneficial insofar as this is used as one part of the multiple streams of corroborating evidence for authorization, but what about when those artifacts become so numerous and polluted with associated artifacts that are inauthentic – a likely possibility given that we are increasingly leaving digital identity traces all over the World Wide Web and associated digital environment? The seminal questions are: What is the standard for determining identity authenticity? Who gets to decide between competing and conflicting artifacts? Finally, what confidence levels will be required when the decision making is automated?

To be sure, identity analytics products may very well be useful to businesses seeking to reduce compliance and other digital risks. However, the corresponding risk to citizen-consumers must be considered and balanced in kind. As these automated products and services are proliferating, relied upon and embedded in business processes to address the challenges of information risk, citizens and elected representatives deserve to understand the ramifications, both beneficial and harmful. As with any attempt to assess and balance interests, effective policy should demand that life-altering decisions affecting citizen-consumers not be strong-armed by an unregulated free market which eschews knowledge, disclosure and consent by citizen-consumers.
328. Comparative examples of the hidden and nebulous harms that result from decision making via the market manifest by way of the use of automated algorithms in business decision-making. For example, in a recent book, John Battelle presents the story of the owner of 2bigfeet.com (a seller of large-sized men's shoes). The site fell off the first page of Google's rankings after a change in Google's algorithm in November 2003, just before the Christmas season. The site's owner could not get a response from Google. See John Battelle, The Search: How Google and its Rivals Rewrote the Rules of Business and Transformed our Culture 157 (2005). Similarly, KinderStart.com, a search engine devoted to information about parenting, unsuccessfully sued Google, claiming anticompetitive behavior, after KinderStart.com dropped to a "zero" ranking. Anne Broche, Judge Favors Google in 'frivolous' Suit, CNET NEWS, Mar. 20, 2007, http://news.cnet.com/8301-10784_3-6168999-7.html.

III. DIGITAL SECURITY AND CYBERCRIME IN THE U.S.: THE LEGISLATURE AND FREE MARKET329

329. Broadly speaking these terms represent two sides of the same coin. The difference between the terms, cybercrime v. digital security issues can best be described as one group trying to create, steal, corrupt, or manipulate data for criminal or wrongful purposes. The other side is trying to protect the integrity and privacy of digital data.

A. THE BATTLE FOR POLICY CONTROL: OMNIPRESENT CHALLENGES

Drafting laws and regulations to address privacy, digital security, IDC, and cyberspace issues in general presents unique challenges. The same is essentially true for interpreting the laws and implementing the regulations eventually adopted. This subsection addresses how some of these challenges have been dealt with and their implications for the creation and protection of the digital persona.

Congress and courts in the U.S. must have better information before they can craft effective laws in the area of privacy and digital security. Unfortunately, our legislative and judicial institutions are operating in the same information vacuum in which many researchers and businesses are operating: an acknowledged lack of reliable metrics upon which to craft policy decisions. Even a cursory outlining of some of the principles which underlie our information society underscores the unique challenges policymakers and implementers face regarding PII collection, management and disposition:

- Decentralization: time and space problems create information gathering and jurisdictional issues.330
- Anonymous actions: the nature of the Internet protocol renders anonymity the default state in the digital realm.
- Interdependence: problems in one place affect all places.
- Electronic information: electronic data is the lifeblood of our Internet and web environment, inures a feature set orders of magnitude different than its paper-based ancestor along the spectrum of collection, storage, transmission and security. It is much more easily searched and discovered, collected, copied, disseminated, and manipulated without detection. It is these features upon which the Information Revolution is based.

330. In essence, data can both exist and spread anywhere across the physical Internet and related virtual World Wide Web, which makes its reach potentially both global and ubiquitous. Jurisdictions are steeped on physical geography, which are meaningless in our Internetworked society. For instance, when an American consumer purchases goods from German website, what consumer protection statutes govern transaction?

The new context presented by the digital environment confluences with a pervasive effort on the part of many entities to underreport security incidents in the first place. The relevant data upon which to base sound analyses is hard to aggregate, is prone to imperceptible manipulation after capture, and generally the knowledge extracted from the data is closely guarded and not widely disseminated. This leaves society relying more and more on anecdotal evidence, self-reporting surveys, gossip and rhetoric, and reinforces legal and social fictions.
The object in previously highlighting and examining the FTC IDC figures was not to dump derision on the FTC, or many of the other surveys. The larger point in examining the figures was two-fold: first, to highlight the difficulty society and the legal and legislative systems have encountered wrestling with technical, managerial and socio-legal barriers to integrating, correlating and interpreting cybercrime; and, second, to show how these barriers corrupt the analytical process leading to the drafting and implementation of law and regulations affecting IDC. This means society and its institutions are placed in the difficult and potentially dangerous position of knowing increasingly less about an environment where we conduct more and more business transactions, governmental interactions, and actions relating to personal life.

The preceding section suggests how ambiguity over cause, value and loss, and risk are rampant enough to justify any parties' position; such governance of these issues – liability, privacy, credentials, fraud, burden, incentives – carries a high risk of inaccuracy. We cannot adequately answer questions related to how identity is wrongfully acquired and used without better actuarial data on the crime. Yet Congress has the challenge of fashioning legislation to govern cyberspace. This subsection will briefly examine some of the specific challenges and briefly identify some of the possible responses Congress is contemplating.

B. THE LEGISLATIVE RESPONSE: CONGRESS TO THE RESCUE

If, as we posited in the last few paragraphs above, the risks of imposing a legislative, regulatory, or judge-made mandate are high absent reliable data on IDC, what might society request the judiciary or legislature to do in the face of chaotic digital environment? Borrowing from the Hippocratic Oath, at a minimum, we could ask them to "do no harm." We suggest the courts, especially, have "done harm" in the realm of data breach notification jurisprudence. Congress' record is murky, but incomplete at this point. However they appear to be leaning in a direction, which would potentially do significant harm to efforts to protect the digital PII of Americans. Interesting enough, the regulatory agencies deserve the most commendation for trying to establish rules to protect digital PII in this new environment; however, the regulatory agencies have been swimming against the congressionally-mandated anti-regulatory tide of the last twenty-five years or so. This is especially so in areas of strong market bias, such as digital security and digital identity management. There are indications Congress is contemplating turning over the key area of data breach notification regulation to free market forces. If this becomes a reality, we contend it will be a profound mistake with far reaching ramifications. As it stands currently, there is a strong argument that the government has already conceded control of identity to the free market by facilitating policies of initiatives that disincentivize security. It is to the evolution of these legislative policies that we now turn.
The headlines of digital insecurity jump at us on an almost daily basis:331 "Insider Pilfers Customer Database," "ID Theft is the Fastest Growing Crime in America", "Corporate Laptop with Customer Data Stolen", "University Database Hacked Into." Further, this explosion of publicity comes in the wake of the passage of numerous laws supposedly intended to protect citizens from privacy violations and cybercrime.332 Given the high profile media attention paid to IDC, in the wake of the passage of all these privacy laws it is understandable if the public perception was personal data is being managed insecurely.333 No law catalyzed this posited public perception better than the flagship database breach notification law in California – Senate Bill 1386.334 Before going into effect in 2003, the American public was relatively unaware of the extent data breaches may have been occurring.335 Indeed, the public was essentially lacking any mechanisms that might heighten their awareness in the first place.

It is now commonplace to hear about data breaches, aided certainly by the bandwagon of state notification laws.336 Although the panoply of sector-based laws first heightened perceptions of privacy and data security, it was the notification element of the breach laws that cemented the logical link between increased awareness of data insecurity, the vulnerability of digital data, and ultimately, the perceived explosion in IDC. And it is this area of digital insecurity, DBN legislation, or lack of said same, we have come to see as the most crucial question, at the moment, facing society in preventing the emergence of chaotic digital environment and all the potential devastating consequences such scenario conjures up.337

331. New breaches come to light on almost a daily basis. See Privacy Rights Clearinghouse, A Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Sept. 1, 2008).

332. See 1996 Fair Credit Reporting Act ("FCRA") revisions, Consumer Credit Reporting Reform Act, 104 Pub. L. 208, 110 Stat. 3009 (1996) (codified as amendments to FCRA beginning at 15 U.S.C. § 1601); Identity Theft and Deterrence Act of 1998, Pub. L. No. 105-318, § 4, 112 Stat. 3009, 3009 (1998) (ID Theft Act); The Gramm-Leach-Bliley Financial Modernization Act ("GLB"), Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 12 U.S.C. and elsewhere); Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. No. 104-191, 110 Stat. 1936 (1996); Sarbanes-Oxley Act of 2002 ("SOX"), Pub. L. 107-204, 116 Stat. 745 (2002) (codified at 15 U.S.C. § 7201); Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), Pub. L. No. 108-159, 117 Stat. 1952 (codified at 15 U.S.C. §§ 1681m(e), 1681c(h)).

333. By "managed", we refer to the lifecycle of information - collection, storage, processing, accessing, transmission, and use.

334. S. 1386, 2002 Cal ALS 915 (codified as amended in CAL. CIVIL CODE §§ 1798.29, 1798.82), available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.

335. If we look, for example, at the Dataloss data, we see that reported incidents averaged about one per month until early 2005. Open Security Foundation, DATALOSSdb, http://datalossdb.org/ (last visited Sept. 1, 2008). Obviously, if data breaches were not being reported, the public would not be aware of the problem. It is certainly debatable to what extent the steady increase after 2005 of reported incidents was a function of new notification laws, and to what extent the increase reflects an increase in actual incidents.

336. Forty-nine states now have data breach notification statutes. See PIRG, State PIRG summary of state Security Freeze and Breach Notification Laws, http://www.pirg.org/consumer/credit/statelaws.htm (last visited Sept. 1, 2008).

On one level the U.S. seemed to move into the digital age in the blink of an eye. Most consumers were without personal computers or at least, without access to the Internet prior to 1995.338 However, things began to change dramatically in 1995 with the introduction of the first Internet browser. It was around this time that the reports of what we have come to call ID theft began to dramatically increase.339 Precisely because of the lack of authoritative statistics on ID theft it is difficult to measure exactly when this explosion of ID theft began. There are however certain, anecdotal, clues:

1. No Law Review Articles on ID theft prior to 1999;
2. No federal laws employing the term, ID theft prior to 1998;
3. Not a mention of ID theft during the 1996 Revisions of FCRA; and
4. No state laws employing the term ID theft till 1996.
337. Two recent stories in the media highlight the direction, perhaps thoughtlessly, that society is moving with regard to a chaotic digital environment. One story notes that school lunches are now being paid for by students providing their fingerprints into a digital scanning device, which in turn passes the data into a larger database that records the transaction. Wylie Wong, Biometrics Goes to School, EDTECH, http://www.edtechmag.com/k12/issues/june-july-2006/biometrics-goes-to-school.html (last visited Sept. 1, 2008). Papa Ginos' pizza chain is essentially doing the same thing. Paul Korzeniowski, Papa Gino's Goes Biometric, DARK READING, May 16, 2008, http://www.darkreading.com/document.asp?doc_id=154109&WT.svl=news1_4. Contemplate what the consequences might be if this digital treasure trove is breached. We will never be able, or at least, not in the foreseeable future, to change our biometric data. Once breached this data will be, forever, susceptible to future misuse.

338. The Internet worldwide had about sixteen million users in 1995. See Internet World Stats, Internet Growth Statistics, http://www.internetworldstats.com/emarketing.htm (last visited Sept. 1, 2008). In 1995, there were only about 120,000 internet domains. Robert Hobbes Zakon, Hobbes' Internet Timeline v3.3, Growth, http://www.nic.funet.fi/index/FUNET/history/heureka/HIT.html#Growth (last visited Sept. 1, 2008). Just two years later, in 1997, the number was an order of magnitude greater, or about 1.3 million hosts. Id.

339. See, e.g., Sean B. Hoar, Identity Theft: The Crime of the New Millenium, 49 UNITED STATES ATTORNEYS' USA BULLETIN, Mar. 2001, http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm.

To be sure, there is validity to the claim the "epidemic" is caused in part by the increased reporting of incidents, which had been occurring for some time.340 However, the more important issue here is whether the upswing in ID thefts is directly related to the dramatic increase in the commercial and online use of digital data. Society began to slowly respond to this emerging problem with a series of new laws, or re-interpretation of old laws. Specifically:

1. ID Theft Assumption and Deterrence Act;341
2. Civil Remedies granted under the federal Computer Fraud and Abuse Act;342
3. HIPAA;343
4. Financial Services Modernization Act 1999 (GLB);344
5. Section 5 FTC actions;345 and
6. FACTA.346

This legislative reaction was a sector-by-sector regulatory regime. Banking, medical records, general business records, and credit reports, were each assigned specific legislation and/or regulation. This reaction was immediately undercut because the regulations were so toothless and weakly enforced that the practical effect was a laissez-faire approach.347 This is especially so when juxtaposed with many other nations' experience with this issue.
340. See Kris Erickson & Philip N. Howard, A Case of Mistaken Identity? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records, 12 J. OF COMPUTER-MEDIATED COMM. 5 (2007), available at http://jcmc.indiana.edu/vol12/issue4/erickson.html ("[T]he bulk of the reports occur in 2005 and 2006, after legislation in California, Washington, and other states took effect. There were three times as many incidents in the period between 2005 and 2006 as there were in the previous 25 years.").

341. Pub. L. No. 105-318, § 4, 112 Stat. 3009, 3009 (1998) (ID Theft Act).

342. Act of Sept. 26, 1914, ch. 311, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. §§ 41-58 (1994)).

343. Pub. L. No. 104-191, 110 Stat. 1936 (1996). It may be interesting to note that HIPAA was not enacted for privacy and security reasons, but rather, for efficiency purposes.

344. GLB, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 12 U.S.C. and elsewhere).

345. 15 U.S.C. § 45 (2006).

346. FACTA, Pub. L. No. 108-159, 117 Stat. 1952 (codified at 15 U.S.C. §§ 1681m(e), 1681c(h)).

347. The first fine ever assessed by Department of Health and Human Services was issued in July of 2008. HIPAA was enacted in 1996. The Privacy Regulations went into effect in 2003. See Case Examples and Resolution Agreements, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html (last visited Apr. 21, 2009).

The Europeans opted for a comprehensive data protection law; Directive 95/46/EC was passed in 1995.348 It addressed the protection of individuals with regard to the processing of personal data and on the free movement of such data.349 The Directive granted EU residents property and privacy rights in their data. Therefore, entities holding the data in question had to develop policies and procedures to take, ostensibly, reasonable and appropriate steps to see these rights were not trampled or abused.350

348. Commission Directive 94/46/EC of 13 October 1994, amending Directive 88/301/EEC and Directive 90/388/EEC in particular with regard to satellite communications.

The American response, on the other hand, meant the same political battles for data and privacy protection are fought anew, sector by sector. This piecemeal approach meant there were different standards, directives, and penalties for each sector. This was the status until the introduction of the data breach notification laws began to allow society to grasp how well, or poorly, the legislation designed to protect PII was working.
Initially,DBNlegislationwasdrivenbystatelaw,withCaliforniatakingtheleadin2003,followedoverthenextfewyearsbysome40statespassinglike-mindedlaws.
TheoneIDCareawherethefederalgovernmentdidchimeinwithnationallegislationwastheaforemen-tionedFACTAlegislationwhichrevisedtheFairCreditReportingAct.
351Howeveratpresent,themainbattlebeingfoughtintheCongressconcerningprivacyandIDtheftlieswiththeproposedfederaldatabreachnotificationlaw.
Various352versionsoftheselawsarebeingcon-sideredbyCongress.
353Onitsface,thismovetowardsfederallegisla-tioncanbeviewedasashiftawayfromamarket-orientedsolutiontoIDC,butthepracticaleffectofthecontendingbillswouldbeoneofthemostsignificantCongressionalmovestowardlaissez-faireprotectionofPIIandIDC.
Thisisbecausesuchlegislationwouldplaceultimatedis-cretionfordefiningIDT,determiningwhenandhowitoccurs,decidinghowtobestpreventit,anddeterminingwhoisresponsible,withthevery349.
Japanpassedasimilarlycomprehensivelaw;thePersonalInformationProtectionLaw,in2005.
ActontheProtectionofPersonalPrivacy,Lawof57of2003,translationavailableathttp://www.
cas.
go.
jp/jp/seisaku/hourei/data/APPI.
pdf.
350.
Itisworthnotingthat,whilecausaldeterminationsaremurky,thefactseemstobethatthenationscoveredbytheEUDirectivearenotexperiencingtheIDtheftproblemstheUSis.
See,e.
g.
,LizPulliamWeston,WhatEuropeCanTeachUsAboutIdentityTheft,MSNMONEY,http://moneycentral.
msn.
com/content/Banking/FinancialPrivacy/P116528.
asp(lastvisitedSept.
1,2008);KieranGlynn,Ireland:IdentityTheftBeCautiousorBeCaught,MONDAQ.
COM,http://www.
mondaq.
com/article.
asparticleid=35504(lastvisitedSept,18,2008).
351.
15U.
S.
C.
§§1681m(e),1681c(h)(1952).
352.
See,e.
g.
,CliffordDavidson,110thCongressProposesSweepingFederalDataSecur-ityLegislation,ProskauerRosePRIVACYLAWBLOG,Mar.
6,2007,http://privacy-law.
proskauer.
com/2007/03/articles/security-breach-notification-l/110th-congress-proposes-sweeping-federal-data-security-legislation/.
353.
PrivacyLawBlog,http://privacylaw.
proskauer.
com/tags/legislation/(lastvisitedSept.
18,2008).
\\server05\productn\S\SFT\26-1\SFT102.
txtunknownSeq:9320-MAY-0913:322008]BEYONDWHIFFLE-BALLBATS139entitieswhocontroltheinformationandsufferthebreach.
As noted previously, damage assessments (the decision whether to publicly announce that a data breach has occurred, and whether a duty to notify the affected consumers has been triggered) will reside with the same entities who have a powerfully vested interest in downplaying the public perception that IDC is occurring.354

This posture by the private sector was not always so. At one time the same corporate entities opposed a federal DBN law355 and the various state DBN laws as an unnecessary regulatory intrusion into their business models. However, as more state laws passed, many with pro-consumer provisions,356 the corporate entities did an about-face on the utilitarianism of a federal law and almost unanimously,357 the pending bills called for the federal law to preempt all state laws. The consequence is that consumer-friendly provisions of the state laws like private rights of action, statutory damages, and reasonable legal fees would be jettisoned by the proposed federal law. We contend that if this comes to pass we may experience a reversal of consumer notification, and not as a result of increased security controls resulting in less data breaches, or as a result of a decreased threat to PII.

It is beyond the scope of this Article to cover the textual nuances present in all the bills before the Congress. However, given the importance we place on the subject of private entities making statutory determinations as to whether or not the notification duty is triggered, some brief mention of the parameters of the debate are worth discussing.

354. At least insofar as those entities are not in the market for selling products or services, or both, to prevent, or respond to, IDC. Jaikumar Vijayan, Critics Hit Proposed Data Breach Notification Law as Ineffective, COMPUTERWORLD, Nov. 10, 2005, http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,106116,00.html; Keith Regan, Can Legislation Stop Identity Theft?, TECHNEWSWORLD, Mar. 1, 2006, http://www.technewsworld.com/story/49099.html?wlc=1220355058; Chris Soghoian, Industry Giants Lobby to Kill Pro-Consumer Data-Breach Legislation, CNET, Feb. 5, 2008, http://news.cnet.com/8301-13739_3-9865076-46.html.
355. See Ryan Singel, No Fed Security Laws, Hurrah!! WIRED, Oct. 10, 2005, http://www.wired.com/politics/law/news/2005/11/69525 ("Though banks and data brokers have long opposed federal privacy legislation in favor of self-regulation, both industries are now asking Congress to step in to create a single national standard and cap the limits on their liability in case of a breach.").
356. Statutory damages, right of private action, and reasonable legal fees, among other provisions.
357. Of the proposed legislation, only two bills have been reported to the Senate: the Personal Data Privacy and Security Act of 2007 and the Notification of Risk to Personal Data Act of 2007. Bills before the House include: Data Security Act of 2007, H.R. 1685, 110th Cong. (2007); Data Security Act of 2007, S. 1620, 110th Cong. (2007) (mirroring H.R. 1685); Cyber-Security Enhancement and Consumer Data Protection Act of 2007, H.R. 836, 110th Cong. (2007); Personal Data Protection Act of 2007, S. 1202, 110th Cong. (2007); Data Accountability and Trust Act, H.R. 958, 110th Cong. (2007); Personal Data Privacy and Security Act, S. 495, 110th Cong. (2007); Notification of Risk to Personal Data Act of 2007, S. 239, 110th Cong. (2007); Federal Agency Data Breach Protection Act, S. 1558, 110th Cong. (2007); Federal Agency Data Breach Protection Act, H.R. 2124, 110th Cong. (2007) (similar to S. 1558); Identity Theft Protection Act, S. 1178, 110th Cong. (2007).
Even a cursory examination will aptly reveal the potential dangers and conflicts of interest with leaving the "foxes to guard the henhouse."

The bills before Congress have provisions similar to those in Senate Bill 239 358 which allow the party who suffered the breach to decide if there is a "significant risk" that the security breach will "harm"359 the person whose data was taken. For example, Senate bill introduced by Senator Leahy: the Personal Data Privacy and Security Act of 2007, provides for a "safe harbor" provision that is triggered after:

[A] risk assessment [done by the agents of the breached entity] concluded that there is no significant risk that the security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach.

A threshold question is, what is a "significant risk" and how is that determination made? How is the bill defining "harm"? Who makes such determination and upon what is it predicated? It is interesting to note, harkening back to the issues covered in the cracked definitional debate, that for purposes of defining ID theft, Sen. Leahy's bill incorporates the ID Theft Deterrence Act definition of when ID theft occurs.360 Recall, this definition labels ID theft as occurring the moment the PII is transferred in an unauthorized manner, by and to someone who has the intent to use the information in an unlawful or wrongful manner.361 Therefore, as we read the law, ID theft will occur as a result of many data breaches where intent to commit an illegal or harmful act can be established.362 Yet, if a private entity determines that there is no "significant risk" that "harm" will result, the notification duty is waived. This is, indeed, placing the decision making process in the hands of private players with a "dog in the fight." Also how would this provision in the Leahy bill square with the holdings in the data breach notification cases, where ID theft (actual injury) is deemed not to have occurred, as a result of the breach? We argue it cannot square; the two are mutually exclusive because either the definition in Leahy's bill is rendered meaningless, or ID theft has occurred.

358. S. 239, 110th Cong. (2007), available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:s239is.txt.pdf.
359. Harm is not defined. Id.
360. Id. at § 3(b)(1).
361. 18 U.S.C. § 1028(a)(7) (2006) To knowingly transfer or use, "without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." Id.
362. Hacking into a database, in other words, coming solely for the data in question, is one sure way.
Further examples of how this debate may play out are illustrative as well. Having come to grips with the reality that there are only so many ways to "qualify" risk of ID theft, the Securities and Exchange Commission in their proposed data breach notification requirements expounded a novel and unique basis for risk analysis.363 Here the notification duty would only be triggered by finding there is: "a significant risk that an individual identified with the information might suffer substantial harm or inconvenience. . . ." This presents a new trigger in addition to the likelihood of the occurrence of harm; it adds another layer of qualification of degree of harm itself.364 And similar to the proposed federal law, these determinations are placed with agents of the breached party.

One final and, unappealing, from the consumer's perspective, example of how this textual debate might play out arises from the President's Task Force on ID Theft which recently issued data breach notification guidelines for government agencies that may suffer a data breach.365 While these guidelines do not apply to private entities (unless, perhaps, government entities are outsourcing data process duties to private subcontractors), they merit some coverage for their authoritative and referential guidance. The Task Force recommends following factors be considered in the wake of a data breach to help decide whether to notify the public:

- How easy or difficult it would be for an unauthorized person to access the covered information in light of the manner in which the covered information was protected;
- The means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity;
- The ability of the agency to mitigate the identity theft; and,
- Evidence that the compromised information is actually being used to commit identity theft.366

363. 73 Fed. Reg. 13692 (Mar. 13, 2008) (emphasis added).
364. Namely, the "harm" has to be "substantial," given the drafting of the proposed regulations one is left to guess whether the "inconvenience" must be "substantial" as well, as we can't ascertain with any certainty whether the qualifier "substantial" applies to "inconvenience" as well.
365. The Task Force was mandated by Exec. Order No. 13,402, 71 Fed. Reg. 27945 (May 10, 2006).
366. Memorandum From the Identity Theft Task Force from Attorney General Alberto R. Gonzales, Chair & Federal Trade Commission Chairman Deborah Platt Majoras, Co-Chair 3 (Sept. 19, 2006), available at http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf (as an attachment to Memorandum for the Heads of Departments and Agencies from Clay Johnson, Deputy Director for Management of the Office of Management and Budget) (emphasis added).
The last highlighted bullet point is a novel trigger. It takes the subject out of the traditional "risk based analysis" into an actual requirement that "compromised information" is actually being used to commit identity theft. Again, how is ID theft defined in this Task Force document? Like Senator Leahy's bill, the document cites directly to the definition of ID theft enunciated in the ID Theft Deterrence Act of 1998. Once again, and at the risk of trying the reader's patience, recall this is the definition that requires the "intent" to use the accessed data in question, for an unlawful purpose. This does not, however, prevent the Task Force Authors from misreading the statutory standard, for they later note that:

Identity theft, a pernicious crime that harms consumers and our economy, occurs when individuals identifying information is used without authorization in an attempt to commit fraud or other crimes.367

Our main goal in wading into the mire of textual interpretation of proposed statutes, guidelines, and regulations is not to become bogged down in the minutia of data breach notification. Rather, our goal is to try and demonstrate how complex and vitally important the issues are, facing those who will be determining what triggers data breach notification duties, which ultimately will affect hundreds of millions of citizens and determine the nature and scope of IDT.

To be sure these agents of the breached entities face a nontrivial compliance task. ID theft domain experts, after all, have a difficult time establishing a causal relationship between data breaches and the likelihood of any subsequent wrongful use of the identity artifact. Given the time it often takes to manifest the damages from ID theft, someone assessing the causal relationship might have to wait eighteen months or so before they can offer an opinion. Combine reliance on off-the-shelf, plug-and-play software to make determinations on the likelihood individuals whose data has been stolen, with the gutting of state laws that offer the most meaningful protections for these same individuals in question, and we have a recipe for disaster. Yet this appears to be the direction the nation is heading in.

In conclusion, we do not contend every agent of entities confronted with reaching these conclusions will do so in bad faith. It is our contention they will confront these pressing issues with a marked conflict of interest. Importantly, the decisions which corporate entities reach will go a long way to determining how identity is manifest in our society, as well as what digital artifacts will be normalized in establishing a hierarchy of identity attributes. Because of the far-reaching social consequences of these decisions, they must not be ultimately decided behind closed-door boardrooms of relatively unregulated corporate entities.

367. Id. at 1 (emphasis added).
C. THE MARKET FOR IDENTITY – PRIVACY AND SECURITY PERCEPTIONS CREATE REALITY

Increasingly, unregulated or under-regulated capitalism characterizes the United States economy.368 Witness the privatization and deregulation of our airline,369 telecommunications,370 energy,371 and financial372 sectors. While we openly acknowledge that economics analyses are beyond both the scope of this paper and the authors' expertise we note that some dynamics are so pervasive and obvious that the layperson's observation is not to be ignored.373 As noted in the previous section, this policy of industry self-regulation is patent and growing. Notably, it is not an issue relegated to those with a natural bent to criticize elements of the American capitalist economy. James Cramer of MSNBC Mad Money commented in a recent speech:

Ever since the (President) Reagan era, our nation has been regressing and repealing years and years worth of safety net and equal economic justice in the name of discrediting and dismantling the federal government's missions to help solve our nation's collective domestic woes," he said. "We call it deregulation . . . a covert attempt to eliminate the federal government's domestic responsibilities in regard to on-line privacy protection in the United States.374

Cramer went on to note that: ". . . deregulation is the equivalent of saying that "private industry will do it better, that volunteers will do it better, that business if left unfettered will produce so many rich people that they will do it better than the government can."375

George Soros, legendary capitalist and albeit frequent critic of the US economy, perhaps put his finger on the key point with regard to overly aggressive deregulation when he said in a recent interview in the New York Review of Books:376

So you have to recognize that all of our constructions are imperfect. We have to improve them. But just because something is imperfect, the opposite is not perfect. So because of the failures of socialism, communism, we have come to believe in market fundamentalism, that markets are perfect; everything will be taken care of by markets. [But] markets are not perfect. And this time we have to recognize that, because we are facing a very serious economic disruption. Now, we should not go back to a very highly regulated economy because the regulators are imperfect. They're only human and what is worse, they are bureaucratic. So you have to find the right kind of balance between allowing the markets to do their work, while recognizing that they are imperfect. You need authorities that keep the market under scrutiny and some degree of control. That's the message that I'm trying to get across.377

368. See, e.g., Bucknell University, Jim Cramer Challenges 'Laissez Faire' Government, Jan. 30, 2008, http://www.bucknell.edu/x40027.xml (citing Jim Cramer, remarks at the Bucknell Forum (Jan. 29, 2008)).
369. Airline Deregulation Act, Pub. L. 95-504, 92 Stat. 1705 (1978) (codified at 49 U.S.C. § 1301).
370. Telecommunications Act of 1996, Pub. L. 104-104, 110 Stat. 56 (1996) (codified as 47 U.S.C. § 609).
371. Energy Policy Act of 1992, Pub. L. 102-486, 106 Stat. 2776 (1972) (codified as 42 U.S.C. § 13201).
372. Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002) (codified as 15 U.S.C. § 7201).
373. What separates the expert and non-expert is an understanding the causes and effects of the given subject matter.
374. See Jonathan P. Cody, Protecting Privacy Over the Internet: Has the Time Come to Abandon Self-Regulation?, 48 CATH. U. L. REV. 1183 (1999).
375. Id.

It was not surprising that this spirit of excessive capitalism and under-regulation would find fertile soil in the digital world, one infamous for its alleged ability to escape jurisdictional boundaries, tax regimes, and regulatory requirements of all governments.
Control of resources has shifted away from the public to the private sector and society increasingly relies on the market – whether providing for drinking water in the wake of Hurricane Katrina,378 or food and drink to our troops in Iraq379 – to provide and distribute goods and services.380

Given the breadth and scope of this shift, it is unsurprising that these "goods and services" now include the intangible forms, i.e. data and personal information, which, when aggregated, make up our digital personas. Society has yet to fully understand the ramifications of outsourcing traditional government functions such as law enforcement, let alone grasping the implications of diving eyes-closed into a regime where identity is no longer being furnished by the government.

In a 1997 paper, Global Framework for Electronic Commerce, the Clinton Administration advocated industry self-regulation to protect consumer information online.381 Furthermore, the nation's foremost authoritative guidance for tackling cybersecurity, the 2003 National Strategy to Secure Cyberspace, explicitly pronounced unwitting trust in the private sector to prevent cybercrime.382 As discussed, we are certainly witnessing a manifestation of "industry self-regulation" in the unfolding jurisprudence and regulatory regime of data breach notification issues.

376. George Soros & Judy Woodruff, The Financial Crisis: An Interview with George Soros, NEW YORK REVIEW OF BOOKS, May 15, 2008, available at http://www.nybooks.com/articles/21352.
377. Id.
378. Michael Barbaro & Justin Gillis, Wal-Mart at Forefront of Hurricane Relief, WASHINGTON POST, Sept. 6, 2005, at D01.
379. Pratap Chatterjee, Halliburton Makes a Killing on Iraq War, ALTERNET, Mar. 23, 2003, http://www.alternet.org/story/15445/.
380. For a good description and accounting of how goods and services, once exclusive to the functioning of our democratic government, have been outsourced to the private sector, see NAOMI KLEIN, SHOCK DOCTRINE: THE RISE OF DISASTER CAPITALISM (Metropolitan Books 2008).
In the context of digital identity provisioning, the handwriting is on the wall and being borne out. Specifically as related to IDT, it is acknowledged that fraudulent creation and use of identity breeder documents – passport, driver's license, social security card – issued exclusively by the government strikes at the Achilles' heel of identity integrity and is a problem which the government is failing to resolve.383 In an effort to address this arguable over-reliance on breeder documents whose vulnerability to fraud is showing no signs of slowing, the market is promoting new ways to authenticate identity such as KBA (knowledge-based authentication), smartcards, and other "strong-auth" type mechanisms.384 What is happening is that rather than relying on traditional authentication mechanisms issued by the government and over which the market has little control, the unregulated private sector is filling the need for more robust identity reliability and creating an identity regime not based on the context of our physical persons – aka, the digital identity.

It is understandable that putting one's arms around the extent of IDC is problematic in light of how digital identity is being commoditized, a process that feeds on the "scope creeping" of identity documentation. This is strongly illustrated in the case of commercial use of and reliance on the SSN and driver's license ("DL"). The SSN is used by financial institutions, real estate professionals, the healthcare system and other industries as a de facto identifier, despite the fact that it was originally issued by the federal government for the purpose of tracking retirement benefits. Similarly, the DL has become the de facto identification card, yet it was issued by state motor vehicle agencies for the purpose of enhancing public roadway safety.

381. Bucknell University, http://www.bucknell.edu/x40027.xml (posted Jan. 30, 2008).
382. See President's Critical Infrastructure Prot. Bd., The National Strategy to Secure Cyberspace (2003), available at http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf; Brian Krebs, Cybersecurity Draft Plan Soft on Business, Observers Say, WASHINGTON POST, Sept. 19, 2002 (stating that "intense lobbying from the high-tech industry has pulled nearly all the teeth from the plan when it comes to steps the technology industry should take.").
383. As stated in the beginning section on identity and authenticity, our identity is primarily based on the context of our physical beings, our carbon-based life forms. This is the context, therefore, around which we have based our laws and social norms and customs.
384. Strong authorization "is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network." Strong Authentication at Fermilab, http://www.fnal.gov/docs/strongauth/ (last visited Nov. 21, 2008). See also RSA Information Security Glossary, strong authentication, http://www.rsa.com/glossary/default.asp?id=1080 (last visited Nov. 21, 2008).
The repurposing of identity artifacts for commercial use took a profound evolutionary leap with the aid of other environment variables. For instance, business uptake of technology advances in capture, storage, transmission and analyses of this data provided unprecedented abilities to migrate business processes into the information age. In order to monetize these newly migrated or generated products, user registration became a prerequisite. This has further evolved the creation of more products and services, further exchange and disclosure of personal information, and an incentive to invent new forms of consumer profiling and targeting to not only sell those products, but to stimulate advertising revenue. A seminal illustration of this cycle is the eruption and ubiquity of ad space on websites.385

The sprouting of online behavioral target marketing further exemplifies the drive to leverage technology advancement (storage, communications, and analysis) to overcome physical world, time-space constraints and narrow the gap between business (supply) and customer (demand). A consequential effect is that identity is being exploited via commoditization in order to narrow the gap between business-supply and customer-demand. A compelling case study for the increasing command of the private sector over PII is the prosperity and proliferation of the search engine business model, which owes its prominence if not existence to online targeted, and behavioral advertising, and which has spawned an entire field of marketing strategy.386 The poster child for this truth is none other than Google, which has transformed itself from an engineering company valued for its information retrieval technology into an advertising and marketing company. Similarly, the skyrocketing valuation and proposition for cyber social networks illustrates the hunger to capture our digital personas.387 PII is fueling this engine. It is both the content and commodity, which the market wants to control in order to maximize profits in the spirit of laissez faire capitalism.388

A full decade ago, legal academician Jerry Kang reflected on this free market commerce argument which holds, for example, that personal information flows will decrease transactions costs by helping creditors avoid bad risks and minimize associated premium costs for consumers; decrease search costs between buyers and sellers; and, enhance the quality of direct marketing to individuals. He commented that he:

"believe[s] that such practices violate the users' rights to "information privacy," which is defined as the right of an individual to control the acquisition, disclosure, and use of personal information. Site operators argue that the collected information is a valuable commodity, and that they have the right to exploit it commercially. This argument is strengthened by the fact that the "postindustrial economy generally and the telecommunications sectors particularly are seeing increased competition . . . [prompting] firms to exploit every competitive advantage, including the use of personal information."389

To the extent this observation was true when the Internet and e-commerce was in its preemie stage, what is occurring now is orders of magnitude greater.

The protection and maintenance of an authentic digital persona via digital security is central to countering electronic crime and promoting consumer faith in the marketplace. Primarily to date, this has been left to the market forces, which concomitantly promotes the unregulated and unobstructed flow of highly personal information. This flow is predicated on easy credit, which in turn fuels the consumer economy. The market forces favor efficient, friction-free environments, where one of the ultimate goals is to maximize benefits and reduce cost for the respective corporate shareholders. A collateral effect and negative externality has been an explosion of data breaches and ID theft resulting from such activities.390 The rising fraud costs from ID theft, account hijacking, data leakage, and phishing in the face of the ever-growing list of competing products and standards is a clear sign that the market is failing in the security realm perhaps at the expense of the free flow of PII. Courts, legislation, and regulation are often perceived as standing in the way of the market's "goals."

385. See PRIVACY INT'L, A RACE TO THE BOTTOM: PRIVACY RANKING OF INTERNET SERVICE COMPANIES, A CONSULTATION REPORT (2007), available at http://www.privacyinternational.org/issues/internet/interimrankings.pdf.
386. SEO, or search engine optimization, is a marketing strategy for increasing a site's relevance. SEO considers how search algorithms work and what people search for. SEO efforts may involve a site's coding, presentation, and structure, as well as fixing problems that could prevent search engine indexing programs from fully spidering a site. Other, more noticeable efforts may include adding unique content to a site, ensuring that content is easily indexed by search engine robots, and making the site more appealing to users. See, e.g., Wikipedia, Search Engine Optimization, http://en.wikipedia.org/wiki/Search_engine_optimization (as of Sept. 2, 2008).
387. See, e.g., Catherine Holahan, Google's DoubleClick Strategic Move, BUSINESSWEEK, Apr. 14, 2007, http://www.businessweek.com/technology/content/apr2007/tc20070414_675511.htm?campaign_id=rss_daily; Google Buys Facebook, INFOWORLD, Apr. 1, 2008, http://www.infoworld.com/article/08/04/01/14FE-april-fool-google-facebook_1.html.
388. William J. Frawley, Gregory Piatetsky-Shapiro & Christopher J. Matheus, Knowledge Discovery in Databases: An Overview, 13 AI MAGAZINE 58 (1992), available at http://www.aaai.org/ojs/index.php/aimagazine/article/viewArticle/1011.
389. See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193, 1238 (1998).
390. Whatever confusion about the actual numbers of people affected by ID theft or cybercrime in general, scant few argue that the numbers, in both people affected and resulting damages, are insignificant.
In addition to the consumer and market-driven information economy just discussed, these two additional dynamics are reflective of free market policy drivers,391 which exert profound and omnipresent, yet hard to measure and counteractive pressure on privacy and digital security policies. Any combination of these dynamics that affect privacy and digital security policies, impacts cybercrime and specifically, ID theft. To the extent there is an ID theft crisis, its existence cannot be divorced from the following dynamics outlined in the next few paragraphs. All of these various interests are impacted by policy derived from legislatures and courts, as expressed in laws, regulations, and administrative and judicial decisions, or lack thereof. In some instances the "impact" is even designed.

First, this consumer and service-oriented American economy is fueled by cheap labor, the practical reality of which often involves illegal or quasi-legal labor. These laborers must have some identifying documentation that is capable of satisfying employment requirements governing businesses to ensure compliance with employment laws. In short, employers of cheap labor and the workers themselves are highly motivated to secure proper identity documentation and impersonating a qualified identity is often the only way for that to occur.392

Second, information service providers and content owners are capitalizing on the value of intellectual property in this information economy, and are thus proliferating and building a strong lobby to monetize their intellectual property ("IP") rights. These service providers and IP owners have a powerful incentive to track, harvest, and protect their intangible assets, which often entails contravening privacy and security interests and controls that individuals and entities have in their data and systems.

Lastly, the American national security environment, undoubtedly driven by unprecedented international terrorist events and corporate espionage, is fervently driven by the need to protect the nation and its assets from the new threat and face of terrorism. The ISE, Information Sharing Environment, is an entire federal office within the national intelligence directorate that was formed after the 9/11 terrorist attacks on New York and the Pentagon, partially in response to criticism that a lack of information sharing among the government agencies was a reason that those events were not prevented.

391. The authors acknowledge there are other dynamics that affect privacy and digital security issues. Most specifically, we refer to consumer interest groups. But compared to the free market forces we see, their influence is tepid, and erratic, at best.
392. See Bianca Vazquez Toness, Raid on Illegal Immigrants Brings Chaos to Town, Mar. 14, 2007, available at http://www.npr.org/templates/story/story.php?storyId=8904390; Nuclear Rays from My Halogen Haze, http://nuclearraysfrommyhalogenhaze.wordpress.com/2008/08/27/600-detained-in-mississippi-plant-raid-suspected-of-being-illegal-immigrants/ (last visited 16 October 2008).
Significant human and economic resources continue to be expended to monitor and disseminate communications, transactions, and movements of persons suspected of posing a threat to our nation and to the world.393

IV. THE ROLE OF LAW ENFORCEMENT AND IDC

One of the central premises of this paper is that given IDC data deficiencies, we have no baseline understanding of the nature and scope of the problem. Any entity, whether it is LE or corporations in any industry, uses benchmarking to understand risk and the effectiveness of responses. In other words, baselines and benchmarks define the results. When no baseline of data is established, no benchmark exists, and decisions are indubitably made on partial data.

The social institution, which has traditionally stewarded this baseline knowledge of social wrongs because it is uniquely positioned to collect ground truth data on law breaking, has been law enforcement, and more specifically, local law enforcement. Regarding the three-ring circus of IDC, LE has assumed the role of spectator as a hybrid result of the aforementioned policy-backed lack of security accountability, and LE has been willing to cede IDC as a self-correcting problem for the market to solve. This is particularly significant because it is a self-reinforcing black hole: unlike traditional crime, LE is no longer the frontline interface for corporate or citizen-victim reporting.394 Individuals are apathetic about LE's earnestness in taking and investigating reports, reporting that does occur is handled privately, civilly or via regulatory action, and this results in a dearth of aggregate, objective data on the nature and extent of the problem.395 In turn, LE and the aggregate public it serves are on the short end of IDC threat information asymmetries, which then cripples the accurate allocation of resources for LE to get into the game, thereby reinforcing LE as a spectator to the problem.396

393. See, e.g., Carl Hulse & Edmund L. Andrews, House Approves Changes to Surveillance Program, INT'L HERALD TRIBUNE, Aug. 5, 2007, available at http://www.iht.com/articles/2007/08/05/america/spy.php; K.C. Jones, White House Wants Immunity for Electronic Surveillance, INFO. WEEK, Jan. 24, 2008, available at http://www.informationweek.com/news/management/showArticle.jhtml?articleID=205918006; Siobhan Gorman, NSA's Domestic Spying Grows as Agency Sweeps up Data, WALL STREET J., Mar. 10, 2008, http://online.wsj.com/public/article_print/SB120511973377523845.html.
394. With the exception of recent breach notification laws corporations have very little incentive to report IDC to LE and in fact may be disincentivized.
395. Victims bear a maximum $50 loss and are generally made financially whole by financial institutions for credit card fraud.
396. See Susan W. Brenner, Toward A Criminal Law for Cyberspace: A New Model of Law Enforcement, 30 RUTGERS COMPUTER & TECH. L.J. ___ (2003), available at http://pegasus.rutgers.edu/~rctlj/; UNITED NATIONS INTERREGIONAL CRIME & JUSTICE RESEARCH INSTITUTE, THE CHALLENGES OF CYBERCRIME, 2002 JOURNAL 14, http://www.unicri.it/news/UNICRI%20Journal%202002_1%20FINAL.doc.
A. TWENTY-FIRST CENTURY LAW ENFORCEMENT: PRICED OUT OF THE IDC MARKET
Both corporate America and the government are concerned about consumers losing faith in the marketplace. One issue that has engendered scant attention in public debate is the harm from loss of faith in the law and law enforcement. Legislative and judicial decision makers have honed their radars on the direct costs to citizen-victims and the economy. This myopia ignores the more insidious downstream and implicit costs of IDC.
We must reassess the notion of harm in order to evaluate the aggregate, negative social impact of IDC. The ripple effect of an incident may go far beyond the reported damages and loss currently defined in prosecutorial policy and civil liability. Anecdotal data and other available indicators reveal variable rates and costs of IDC, but that data is only a small subset of the actual prevalence of IDC. Measuring the social impact and derivative effects on critical infrastructure using a financial impact model is turning a blind eye to the reality of insidious harm that flows from identity pollution. Market-dominant responses to IDC perpetuate the private policing of a problem, which demands solutions at a level beyond the individual balance sheet and corporate shareholders and fund managers. The under-representation of LE in addressing IDC is a major contributor to our current state of ignorance as reflected in the lack of metrics, as well as the resulting ineffective prevention and reduction strategies to lower the IDC risk. LE needs to resume its place as a critical trusted intermediary, of crime statistics particularly, in the flow of IDC information.397
397. See United States General Accounting Office, Identity Theft: Greater Awareness and Use of Existing Data Are Needed, GAO-02-766 17-18 (2002) (finding that law enforcement agencies have insufficient resources to investigate and prosecute and that identity theft cases often end without an arrest).
Why is it that a victim of a robbery would not hesitate to turn to LE, yet has nearly the opposite response when his identity is thieved and abused? What does the gross discrepancy between hundreds of millions of compromised identities from data breaches, the estimated billions of dollars lost to this fraud, and the miniscule number of valid LE incident reports and criminal prosecutions mean? There is little attribution, or closing the loops between criminal threats, data vulnerabilities and loss events. As corporate victims brush costs under the rug and/or deploy private, or even industry-wide counter strategies, the cost of IDC just gets shifted with little deterrent effect on the underlying problem. If we analogize the response to IDC as a four-legged stool with victim advocacy, legislative and judicial policy, and corporate security as three of the pillars, there is grossly disproportionate attention paid to the LE leg.
Society assumes that the traditional business model of LE, comprised of the people, processes and technology to respond to and enforce traditional analog crimes like burglary and assault, is the same model that can effectively address identity crime. This assumption quickly breaks down as citizen-victims are forced beyond the current apathetic and discretionary reporting dynamic. Society is laboring under gross misperceptions that LE is situated to effectively handle the current and oncoming deluge of IDC reports.
LE is failing as a "frontline manifestation of society's determination to establish a reliable digital environment." One end of the spectrum has local LE posturing that the problems are too unbounded and multi-jurisdictional; while federal LE bemoan that the ground level issues are too nickel-and-dime to warrant their attention. Both perspectives are fueled by a poor infrastructure to act upon both the relatively small numbers of officially reported cases, not to mention the treasure trove of IDT complaint reports that are not validated. If ever there was a crime that necessitates cross-jurisdictional sharing and linking of reports, IDT certainly sits in pole position.
LE's current infrastructure for collecting, investigating and prosecuting IDT is largely steeped in the physics of traditional crime, which is to say that information is not aggregated or matched across jurisdictional record-keeping but rather is compartmentalized in and dispersed within agency information silos. This contributes to the well-earned badge that IDT is a low risk-high reward venture, as criminals exploit the knowledge black holes within the current business model of LE. The dynamics of the discovery, perpetration, and manifestation of IDT means that the rule rather than exception is a minimum of four jurisdictional touch points: (1) the jurisdiction where the theft occurred; (2) where the stolen identity was used; (3) where the victim resides; and, (4) where the suspect originates. A resulting question that society is grappling with is whether we are on our own to protect our identities in this information society.
We have arrived at this state due to several major deficiencies anchored around reporting and data sharing – the boundary conditions (the policies and procedures instructing the design and application of technologies) which define LE's operating behavior. Internally, law enforcement is ill equipped to receive and act upon IDC incident reports from victims, especially on the individual rather than the business enterprise level. Reporting is clumsy and ineffective at three levels: at the interface between the victim and LE; internally within the initial collector agencies; and, collectively between LE agencies and across stakeholder organizations nationally.
The widespread disagreement about the statistics surrounding ID Theft is diametrically opposite when it comes to acknowledging reporting deficiencies. This is both a logical and expected validation of the numbers problem discussed previously. Besides the policy disincentives to report the crimes to LE, real and fictional justifications exacerbate the problem.398 One of the bona fide reasons that seventy-two percent of victims do not feel the need to report is grounded in the mechanics of the reporting process – it is confusing, inconsistent and inefficient.399
Some jurisdictions do not take IDT reports, many will take it out of courtesy but with no real follow-through, some will pass off citizen-victims to consumer advocacy-chartered organizations, and those accepting reports use agency-specific, generic crime formats. There is no nationally accepted standard for IDC reports, both at the human-readable and machine levels.400 This artifact of the traditional model of individual jurisdictional sovereignty is problematic because it assumes a compartmentalized solution to a multijurisdictional, multidimensional, cross-crime problem. If each agency captures IDT-agnostic information in its own format, there is no way to match, link, analyze or compare reports from one agency to another on any level of efficiency.
The result is duplication of reporting and investigation across agencies, an inability to compare apples to apples for information sharing and statistical reporting purposes, and reliance on manual, dumb luck to discover crime information commonalities. It is no wonder that the two-way street of apathy between LE and citizen-victims is a well-paved road.
398. Some common assumptions and myths regarding law enforcement's handling of cybercrime in general and IDT in particular include: destruction of public confidence in the reporting company, negative publicity in general, loss of control, lack of confidence in LE technical and management capabilities, possible competitive disadvantages. See Erin Kenneally, Workshop on Cyber Crime Reporting: Challenges and Issues, Proceedings Report and Recommendations, San Diego Supercomputer Center University of California San Diego (Jan. 13, 2004).
399. FEDERAL TRADE COMMISSION, 2006 IDENTITY THEFT SURVEY REPORT (2007), available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf
400. The President's Taskforce on Identity Theft and IACP Resolution recommends a uniform IDT crime report.
There are reasons why IDT is a high opportunity, low risk crime.401 IDC and its manifestations are proliferating beyond the time and space boundaries that the LE business model is built upon, and those legacy reporting dynamics and management are pressured well beyond resource capacity and scale.
The IDC reporting that is more consistent, comprehensible, and structured is predominantly generated by the FTC or Internet Crime & Complaint Center ("IC3"). The problem of which all too many are unaware is that those "reports" are not validated by any authority let alone LE, and consequently there is no requirement that LE take action upon or disposition of these complaints. Only 2,100 of the more than 17,000 law enforcement agencies in the United States accept complaints from the IC3. And only a fraction of total LE agencies interact with the reports storehoused by the FTC in its Consumer Sentinel database.
Another reason for the state of cardiac arrest in IDC reporting, exacerbated by the formatting and disposition dynamics, is that the recorded data are not migrated over to Uniform Crime Reporting ("UCR") and National Incident-Based Reporting System ("NIBRS"), the crime reporting standards responsible for national benchmarking and baselining of all crimes. The FTC and IC3 complaints are never ingested into LE crime and incident databases so they are not reflected in national criminal stats. IDC reports collected by LE are retrofitted into traditional, broad crime categories such as general "theft." UCR and NIBRS offense codes available for law enforcement reporting do not differentiate Identity Theft crimes (or cyber or computer crime for that matter) from the more traditional fraud and larceny offenses. This serious oversight in our national crime reporting standards forces law enforcement agencies to retrofit IDC as fraud, larceny, or impersonation.402 When IDC cases are embedded in these traditional reporting statistics the result is a seriously skewed statistical analysis for identity and all crime types, and an exacerbation of definitional confusion.
401. These technological innovations have forever changed the way ordinary people do business and clearly have positive aspects. The new technological revolution, however, also has a downside. The increased accessibility to personal information has provided identity thieves with new opportunities to engage in criminal activity. This technological change may be viewed in terms of routine activities theory, which states that when the three elements of offenders, victims, and lack of capable guardianship meet in space and time, crime is likely to occur. It is reasonable to propose that advances in technology have altered two of the three elements in this theory, specifically victims and guardianship. With regard to victims, there may be a greater abundance of suitable targets due to greater amounts of accessible, personal information being stored on the Internet than ever before. With respect to guardianship, this element may have been reduced because of insufficient regulations formally protecting against personal information being abused. These changes to the elements of victims and guardianship from technological advances may have had the effect of increasing the number of identity theft incidents. See, e.g., Stuart F. H. Allison, Amie M. Schuck, & Kim Michelle Lersch, Exploring the Crime of Identity Theft: Prevalence, Clearance Rates, and Victim/offender Characteristics 33 J. CRIM. JUSTICE (2005) 19.
402. For instance, the top frequent crime types used to charge IDT in San Diego County were BURGLARY, FRAUD, FORGERY, THEFT, DRUG-RELATED OFFENSES, VEHICLE THEFT, EMBEZZLEMENT, DUI, ASSAULT, and WEAPONS OFFENSES. Julie Wartell, Geography of Identity Theft: Analysis of San Diego County Data, July 2008. Furthermore, IDT has in the past been charged under any of the approximate 66 related penal code charges in California (analyzed as part of the NIJ Project WHO Identity Theft project, infra note 389).
One final aspect of the reporting problem is that IDC information is often not standalone even though it is treated as such. These crimes commonly overlap with and/or are breeders for traditional crimes such as robbery, mugging, pick-pocketing, theft from cars, and burglary.
Often the crime incident reporting processes and systems currently used by LE do not have sufficient flexibility to collect the multidimensional criminal acts and information. In addition to the inaccurate recording within the LE justice system, many IDC are similarly not prosecuted or prosecutable as such, again creating barriers to cognitive understanding of the nature and scope of IDC.
Related to reporting deficiencies, the other major boundary condition impeding LE's management of IDC is the systems involved in data sharing. The information systems do not allow investigators and analysts to check across different crime incidents and IDC reports to uncover overt similarities between cases, let alone latent patterns or relationships that speak to underlying problems beyond just cases. ID Theft spans jurisdictional boundaries: it is not uncommon for the victim to live in one LE jurisdiction, the suspect in another, the identity stolen in a third jurisdiction, and finally, the identity used fraudulently in a fourth. And to complicate the jigsaw puzzle, these are usually not discrete events, but rather, episodic and recurring in likely another patchwork of physical and virtual geospaces. LE systems of records are for the most part standalone and not interconnected. LE is relying on manual processes to assimilate and synthesize across ever-expanding data related to IDC incidents.403
Continued attempts to manually manage time-intensive knowledge tasks, which are apt for automation, create inefficiencies in resource deployment. This has contributed to a crisis of prioritization where LE does not even know which haystack to start to parse through, let alone begin to find the needles and connecting threads buried within. Workable cases fall through the cracks because of failure to meet jurisdictional and threshold investigation requirements. Investigations are duplicated between agencies because they are operating on incomplete and uncorrelated pieces of the overall crime picture. Thus, the collection, sharing and coordination of IDC data do not scale qualitatively or quantitatively with the IDC threat. Criminals' exploitation of this disjoint is what contributes to the low risk-high reward attractiveness of this crime.
403. For example, in lieu of electronically memorialized and searchable reports, investigators reviewing reports often rely on memory triggers that two or more reports/cases are connected based on common data elements between them.
B. COUNTERING INERTIA
Despite the reporting and coordination deficiencies, which have created the IDC responsibility crisis, there are definable, measurable and practicable solutions, and innovative efforts to catalyze the necessary changes in the currently crippled system.404 We need to create economies of scale for LE to detect and respond to IDC.
These measures are aimed directly at changing the boundary conditions that constrain LE's role in lowering the IDC risk. For one, LE must have a framework for centralized and searchable reporting coordination capabilities related to IDC. Specifically, this entails the ability to digitally collect, communicate, link and analyze data related to suspects, victims and incidents in standard formats.405
The substance and mechanics of this standardized reporting should facilitate actionable information exchange. For instance, Web-based reporting of information that is reflective of the supply held by victims and the demands of LE investigation can provide the standardization, convenience, consistency, completeness and accuracy that presently inhibit current cooperation between citizen-victims and LE. Underlying policies and procedures must support this framework so that the data is meaningful and supportive of counter IDC strategies and enforcement of criminal laws.
This framework, enabled by policy and procedure, should be relied upon as a key empirical source of ground truth, and the data generated should be shared with key stakeholders to enable pragmatic prevention, detection and response solutions. As recounted throughout this paper, decision makers are operating from anecdotal and incomplete information about the scope and breadth of ID theft crime. Unless validated first-source data flows into policy dialogues, the executive, judicial, and legislative decision makers will develop and deploy strategies that allocate resources inefficiently and ineffectively.
404. One such innovative effort is Project WHO – A Law Enforcement Centric Framework for Managing Identity Theft, funded by the U.S. Department of Justice, National Institute of Justice. The Project WHO model offers the promise of significant progress toward solving the lack of metrics and detachment problems in ID theft by providing a model technology and policy framework for managing IDC based upon repeatable and familiar processes.
405. The standardization should occur both semantically and syntactically on both the human readable level (i.e., similar data fields across incident and investigation reports) and machine level (i.e., the underlying data model and/or exchange schema such as Global Justice xML ("GJXML") ID Theft Reference Data Model Schema). The aforementioned Project WHO has developed such a referential IDT schema grounded in GJXML. See also The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan (Apr. 2007), available at http://www.ftc.gov/opa/2007/04/idtheft.shtm.
Another aspect of this reliance includes turning to LE as an intermediary, particularly as it pertains to data breach notification incidents that enable the proper transfer of information between citizen-victims and the institutions stewarding identity artifacts.406
Finally, this reliance on LE as an empirical source of metrics demands appropriate funding resources.
The commitment by LE must be matched by a financial commitment from society. Otherwise, we have created an unfunded mandate whose failure is imminent.
The market and its servant technology should assume the lead with regard to various solutions aimed at protecting, authenticating and validating identity. However, it cannot reign supreme – society must have a role in the decision making process. This involvement introduces friction that impedes market dynamics. Our perspectives must shift to viewing the role of society, as represented by LE and public institutions, as a necessary source of "Q&A" that can validate market efforts in IDC. We need to engage in basic questions such as: What are the policies driving attempted solutions to the problem and why are we implementing them in the manners chosen? What are the benefits and dangers? How do we avoid the latter? Perhaps society is willing to subsidize IDT losses, but no one is asking and society is not being given a seat at the table in making the economic decisions and asking how we arrive at those numbers. Local LE has a pivotal yet underrated and unrealized role in this Q&A process. It can help manifest what is working by collecting ground truth and assuming its rightful role as trusted intermediary of identity vulnerabilities.
406. See, e.g., CAL. CIV. CODE § 1798.82. For example, the California data breach notification law provides an exception that allows delaying notification for "the legitimate needs of law enforcement." Id.
V. CONCLUSION
This paper developed the following proposition, albeit raising as many questions as it attempted to answer, with the objective of raising the level of discourse surrounding identity crime:
1. ID crime in the U.S. is a cascading effect of the culmination of public policy (i.e., law, regulation, jurisprudence) decisions or non-decisions. The present policy regime incentivizes information availability and use. These policies define and shape our current free market socioeconomics by facilitating a relatively unrestricted flow and mining407 of a commodity: data that includes personally-identifiable information. The notion that "information is a commodity," in and of itself has matured to the point of being a cliche.
407. We use the term to encompass more than the other techniques such as statistics, OLAP, data warehousing, but rather, "the nontrivial extraction of implicit, previously unknown and potential useful information from data." Frawley et al., supra note 389. See also Jesus Mena, Data Mining FAQs, DM REVIEW (1998), available at http://www.dmreview.com/master.cfm?NavID=198&EdID=792. Data mining differs from other data analysis methods in several different ways, significantly, in who and how the query is performed. See, in data mining, the interrogation of the data is done by the machine-learning algorithm or neural network, rather than by the statistician or business analyst. Traditionally, the goal of identifying and utilizing information hidden in data has been achieved through the use of query generators and data interpretation systems such as SPSS or SAS, the traditional tools of database analysis. These statistical methods require the user to format a theory about a possible relation in a database and to convert the hypotheses into a query. It is a manual, user-driven, top-down approach to data analysis. In contrast, in data mining, the interrogation of the data is done by the data mining algorithm rather than by the user. The uniquely dynamic feature of data mining allows the analyst to mine the data without pre-prepared questions or problems to resolve. Data mining uses a discovery-based approach, meaning that it discovers hidden structures, ratios, patterns, and signatures to determine the key relationships in the data.
2. This dynamic, taken to its logical conclusion, means that the market demands the uncontrolled and frictionless flow and mining of personal information in order to fuel the credit and sales (including advertising and marketing services) channels upon which our economy is grounded. IDC is an externality, the collateral damage if you will, of free market domination of the digital persona.
3. These values embedded in socioeconomic policies conflict with a coexistent socioeconomic policy which demands greater data security and privacy controls that promote prevention, detection and response to personal data insecurity. Near complete domination by the former necessarily means that security and privacy vulnerabilities persist in order to enable that free flow and manipulation mining of information.
4. Implicit in this policy, which incentivizes free flow of data, is a corresponding poor allocation of incentives to secure data. One consequence is personal data vulnerability, including failure to disclose vulnerabilities. Knowledge about the vulnerabilities puts people on notice. It imposes management costs, which introduce friction because it allows the assignment of responsibility and imposition of duty for personal information security controls.
5. The social institution which has traditionally been best situated to steward this knowledge of social wrongs via collection and dissemination of aggregate statistics and analyses has been law enforcement. Given the policy-driven lack of security-privacy accountability, there is little to enforce and even less objective information upon which to understand the problem and allocate resources accordingly. In the end, local LE's speculative role is augmented by secondary, anecdotal information, with questionable reliability. For the legal boundaries that do exist, enforcement is handled civilly or regulatory, resulting in threat information asymmetries for LE and the public it serves.
6. The result is a knowledge gap and misunderstanding of the nature and extent of this information corruption and misuse. Therefore, the nature of the threat is masked and policy is informed by incomplete, inaccurate, and self-serving or biased versions of the "truth." The lack of standard definitions, objective statistics and empirical tracking of IDC leaves little for the legislature and judiciary to inform their solutions.
What results is a breeding ground for privatized solutions and a self-perpetuating, vicious cycle.
It is certainly not in the best interests of the free market to accurately report this gap. These security-privacy vulnerabilities have incentivized the exploitation of personal information. Witness the black market/underground economy and aboveground criminal use of identity data. This has negatively affected the authenticity and reliability of our digital identities, which in turn has contributed to the chaotic digital environment.
7. Unless technology policy shifts to create a better equilibrium between the need for security-privacy enforcement and the free market agenda, corrupted digital personae may pervade the landscape. If digital identity is defined by market-driven policy, individuals will be left to the tender mercies of the various marketing and legal departments with the presumption that they negotiate privacy protection with those market entities (i.e., vendors, merchants, creditors) on their own. Will consumers enter into meaningful agreements with these entities to disclose PII breaches or misuses? This opens the door to the creation of classes of privacy divided on socioeconomic lines, among others. If privacy is a civil liberty right akin to free speech, it should not be commoditized as something that can be bought and sold. If it is treated as such, what we risk is information asymmetries, where citizen consumers are left without knowledge of their privacy vulnerabilities or rights to remediation. Relegating detection and protection of fundamental privacy rights to case-by-case determinations is both inefficient for citizen consumers and it fails to provide the deterrent effect that influences both normative and deviant behavior.
Digital identity may be defined or corrupted by the entities promoting the capitalistic bottom line, which heretofore has treated identity as an alienable commodity that demands an unrestricted flow in order to maximize profits. Its proponents would argue that if such treatment fails to promote the "bottom line" and the balance tips in favor of greater privacy protection over free flow, the market will self-correct to give consumers what they demand. However, this ignores the intangible costs, which we have yet to quantify on the balance sheets: widespread and aggregate indeterminism of identity reliability and reputation pollution. This cost goes beyond financially remediating IDC victims for out-of-pocket losses and underwriting fraud losses as a cost of doing business, but rather, includes the pollution of any activity that is predicated on the authenticity of the person behind the transaction.
If an economy predicated on knowing the intrinsic value of identity is no longer able to, we have fertile breeding grounds for Grand Canyon gaps between perception and reality. In order to prevent participants in this economy from jumping ship, one probable solution is to create false illusions of reliability and control over one's digital integrity.
