The identity thieves are way ahead of law enforcement, says Newsweek in a cover story. “Over the last nine years, criminals have gotten a better understanding of the power of information,” says Rob Douglas of PrivacyToday, a security consulting firm. “Instead of selling drugs, so much can be made so quickly with identity theft, and the likelihood of getting caught is almost nil.” The Department of Justice has reprioritized to fight the plague, but it’s a big challenge; the research firm Gartner Group speculates that fewer than 1 in 700 identity crimes leads to a conviction. Another expert says that crooks rack up $53 billion a year in ID theft. Consumers are stuck with $5 billion directly, but the rest of it is mainly paid by retailers and businesses–which pass it back in higher prices.
One reason for recent publicity about personal data security breaches is that a 2003 California law required companies for the first time to disclose the failures that affect residents of that state. An elaborate infrastructure of crime has emerged to collect and distribute stolen records. Malicious hackers either use automated software “bots” to methodically probe the Internet for vulnerable databases or target companies that are likely to harbor honey pots. Most often, they enter systems through preventable security flaws, like guessable passwords (example: “Dave” or the default password that came with the program) or known vulnerabilities in software. Two U.S. senators favor fining companies that lose records. Other approaches would penalize firms that did not follow best practices in protecting information, like regular security audits and use of encryption. If Congress doesn’t do it, maybe the legal system will; a class-action suit is underway in the breach by the data-collection company ChoicePoint.