Identity theft involves a breach of data protection that is used to commit economic crimes involving electronic commerce including credit cards. If data protection is “adequate,” there would never be a security breach and no resulting identity theft. As governments lag behind technology, criminal laws are still evolving, and many countries do not have adequate criminal laws, much less enforcement capability, to deal with this growing endemic risk.
Identity theft is indiscriminate. It can hit in-house data processing, shared services organizations or outsourcing service providers. Statistically, however, if a larger universe of data is found in the hands of data dealers and data processors than in the hands of individual enterprises, identity thieves will naturally target the bigger data warehouses. This truth was shown in the newspaper headlines in the early 2005, when a handful of intrusions into data warehouses maintained by independent data processors was disclosed, with potentially millions of individual affected.
Parties to any form of data transfer, including insourcing and outsourcing, should maintain vigilance and commit contractually to adoption of appropriate procedures. For the enterprise customer, the persistent fear remains that the service provider will fail to maintain adequate security and that a severe blow to the enterprise’s reputation might ensue. Service providers share the same fear and should be ready. Indeed, one of the “unique selling propositions” in outsourcing may be the hyper-concern and hyper-infrastructure for protection of security and avoidance of identity theft.
The contract should deal with identity theft in a manner that reflects economics, law and technology.