crypto and public policy

Incentive for Deploying Security Infrastructure

Filed under: Policy — March 21, 2005 @ 2:53 pm

The bankruptcy bill recently passed by Congressional Republicans is despicable on numerous counts. You can read more about it to find out exactly how terrible it is. The short version is that it’s now harder (if not impossible) for individuals to file for bankruptcy protection, no matter what the cause (medical expenses or shopping sprees), and easier for credit card companies to charge loan-shark-level interest rates without disclosing their exact practices to customers until they’re deep in the hole.

There is one particularly pernicious aspect of the bill, however, which has gotten too little attention, in my opinion. Democrats proposed an amendment that would have provided bankruptcy relief to victims of identity theft. Republicans struck down this amendment. Think about this one carefully: according to this idea, going on a shopping spree and having your identity stolen are equivalent in terms of personal liability.

This insanity is incredibly significant in the grand scheme of corporate liability and financial information security. Identity theft in all of its forms is a growing problem. The rise of phishing attacks and spyware promises to make this crisis far more painful than most people imagine. The way we have addressed these types of issues, historically, is by spreading the risk via insurance or by motivating the service providers to secure the infrastructure. There’s a $50 maximum personal liability on credit cards today in case of theft. That’s why the credit card companies like American Express deploy complicated Artificial Intelligence mechanisms to detect fraud early and shut it down. Because if they don’t, it’s their loss. And that makes sense, because the financial institutions are the only ones with the means to deploy security, so they should be the ones incentivized.

So what happens if we start holding individuals responsible for being victims of identity theft? We end up with financial institutions that have far less motivation to deploy security solutions to these growing problems. After all, it’s not like it’s their dime. If we continue with this type of legislation, we should stop hoping for new security solutions from the financial industry.

The unlucky ones will pay the price for a society which increasingly refuses to mitigate its citizens’ risk.
