Kim Cameron, who thinks as deeply about identity as anyone I know, points out that the most recent loss of identity data by the Univ. of California was the result of breaking four of his laws of identity at one blow.
I expect this information disaster came about by breaking four identity laws at once. What a run!
- Were users in control of what their information was being employed for? Were they told where and how it was being used (law of user control)?
- Was there really a need to store social security numbers rather than some local or derived identifier (law of minimal information, law of directional identity)?
- Would the identified subjects see a "test machine" as a legitimate party to their identity relationship with the university (law of fewest parties)?
From Kim Cameron's Identity Weblog
Referenced Mon Apr 18 2005 10:52:48 GMT-0600 (MDT)
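To make the "local or derived identifier" point concrete, here is an added example (mine, not code from either weblog) of deriving a per-context pseudonymous identifier from an SSN with a keyed hash, so a test system holds a derived value rather than the SSN itself and values from two contexts cannot be correlated. The context names and keys are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed sample: each downstream use (a test system, a mailing
# list) gets its own secret key. An identifier derived for one context
# is unlinkable to another, and the raw SSN stays in the system of
# record. Keys are generated at runtime here; in practice they would
# live in a key store.
CONTEXT_KEYS = {
    "billing-test": secrets.token_bytes(32),
    "alumni-mailing": secrets.token_bytes(32),
}


def normalize_ssn(ssn: str) -> str:
    """Strip punctuation and require exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def derived_identifier(ssn: str, context: str) -> str:
    """Return a context-specific pseudonymous identifier for an SSN.

    An unkeyed hash would not do: the SSN space is only 10**9 values,
    so anyone holding the hashes could enumerate it. HMAC with a
    per-context secret means the derived value is useless without
    the key for that context.
    """
    key = CONTEXT_KEYS[context]
    mac = hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256)
    return f"{context}:{mac.hexdigest()[:32]}"


def same_person(ssn_a: str, ssn_b: str, context: str) -> bool:
    """Compare two records within one context without exposing SSNs."""
    return hmac.compare_digest(
        derived_identifier(ssn_a, context),
        derived_identifier(ssn_b, context),
    )
```

Only the system of record needs the SSN and the context keys; a copy of the derived identifiers on a stray test machine discloses nothing on its own.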
Sen. Dianne Feinstein, D-Calif., has said she'll introduce legislation requiring encryption of all identity data stored for commercial purposes. While this is probably a good idea, it's not going to solve the real problem. The real problem is sloppy data handling practices--something that goes beyond just encrypting sensitive data.
The real answers will be found when organizations start being held accountable for keeping data safe. Note that I'm not suggesting personal liability for individuals. I think Sarbanes-Oxley, an example of that in the financial arena, went too far.