What Happened in the Identity Verification Market This Summer

Share Button

In Georgia, summer vacation is over.  It’s already back to school for the majority of the state and all the “What I did this summer” essay reports are due.  So in keeping with the back to school spirit, this post is IDology’s official summer report on identity…

Ever gotten one of those notification letters that your personal information might have been compromised?  If so, there is no need to panic.  But you do need to take action to protect yourself.

The Atlanta Journal and Constitution covered this very topic Sunday and gave some great tips about how to minimize your exposure, especially if your information was a part of a data breach.  The first tip is related to passwords:

Using unique passwords for each website you visit, including shopping sites and online banking sites.  This limits any breach to just one website, should thieves obtain access to the password.

What a perfect segue to tell you about a new event that took place in the identity industry this summer.  Last month, I attended the Cloud Identity Summit hosted by Ping Identity where the ultimate goal in the minds of the attendees from some of the most brilliant security minded companies concerned with identity verification and identity management was to eliminate passwords.  The reason being, they just aren’t secure.  Especially because in reality consumers don’t use unique passwords for every website they visit.  And passwords are just too easy to phish, hack or guess.

There were lots of great speakers and plenty of interest in collaborating to solve Internet identity issues at the summit.  Eric Sachs from Google clearly stated Google’s goal is to eliminate passwords.  PayPal’s Andrew Nash talked about identity providers brokering trust between consumers and businesses.  VeriSign’s Nico Popp discussed liability and the impact it has on identity trust.  One new initiative I learned about is the work Eve Maler (also of PayPal and known by some as @xmlgrrl) is doing with the Kantara Initiative through the User-Managed Access (UMA) Work Group.  As explained on the work group site, UMA involves:

For example, a web user (authorizing user) can authorize a web app (requester) to gain one-time or ongoing access to a resource containing his home address stored at a “personal data store” service (host), by telling the host to act on access decisions made by his authorization decision-making service (authorization manager).

The requesting party might be an e-commerce company whose site is acting on behalf of the user himself to assist him in arranging for shipping a purchased item, or it might be his friend who is using an online address book service to collect addresses, or it might be a survey company that uses an online service to compile population demographics.

UMA clearly has implications in the consumer identity market.  Being more marketing minded than technical, I found the use cases discussed here the most interesting because they show the benefits to consumers in scenarios that are easy to understand and/or imagine.

Looking at the regulatory side of identity, Congress is considering legislation that would create a federal notification act for data breaches.  Bankinfosecurity reports:

One bill pending on the floor of the U.S. Senate is Senate Bill 139, sponsored by California Sen. Diane Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed.

This bill, along with the recently reintroduced Carper-Bennett legislation, is aimed to protect consumers and businesses from identity theft and account fraud. The Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to: safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud.

The law is designed to address the under reporting and hiding issues of data breaches.  Four states (Alabama, Kentucky, New Mexico and South Dakota) still don’t have a security breach law and a recent report by Verizon and the Secret Service examining data breach incidents showed 2/3 of the data breaches covered had not yet been disclosed or never would be.

After hearing this, getting one of those notification letters should be looked at as a relief that you are being made aware of the risk and can be more vigilant to guard your identity!