Imagine this scenario: You recently discovered your identity has been "borrowed" by someone who has purchased a number of expensive items online. A number of your peers have also suffered similar thefts, which leads some of you to assume that the problem may be related to CSUMB's accidental publishing of student social security numbers last year. What steps are you going to take to correct the situation and to prevent additional problems in the future?
Identity theft is one of the most pressing issues in today’s world, especially given how accessible the Internet is and how easy it is to share information with many people. At the same time, identity theft is an issue which will never be truly “solved” - for any secure computer system, there will most likely eventually be a person who can hack it. So, rather than concentrate on ways in which we can prevent identity theft from ever happening, it would be better to focus on methods to recover the data and make sure that the users whose data has been stolen are safe.
The first thing to do is to have constant real-time security and checks of the data stored on a server - these records should be redundant, and they should always be active, recording each access of the data. This way, if data is found to be stolen, you at least have a lead to an IP address or location of the person who last accessed said data. Proactive security also helps to find holes through which data can be stolen, such as the public site hosting the information which CSUMB accidentally leaked.
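The following Python example is added here and is not from the original essay: it merges two redundant copies of an access log, reports the last access to a sensitive record, and flags entries that appear in only one copy. The log format, record names, accounts and addresses are constructed assumptions.

```python
from datetime import datetime
from typing import NamedTuple

class Access(NamedTuple):
    when: datetime
    ip: str
    user: str
    record: str

# Constructed sample data: two redundant copies of the same access log.
# Assumed line format: ISO timestamp, client IP, account, record id.
PRIMARY = """\
2024-03-01T09:15:02 192.0.2.10 registrar student-ssn-export
2024-03-01T11:42:40 192.0.2.10 registrar student-ssn-export
2024-03-02T08:01:13 192.0.2.77 advisor course-catalog
"""
REPLICA = """\
2024-03-01T09:15:02 192.0.2.10 registrar student-ssn-export
2024-03-01T11:42:40 192.0.2.10 registrar student-ssn-export
2024-03-02T03:27:55 203.0.113.45 anonymous student-ssn-export
2024-03-02T08:01:13 192.0.2.77 advisor course-catalog
"""

def parse(log: str) -> list[Access]:
    entries = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        when, ip, user, record = parts
        entries.append(Access(datetime.fromisoformat(when), ip, user, record))
    return entries

def last_access(entries, record):
    """Most recent access to `record`, or None if it was never accessed."""
    hits = [e for e in entries if e.record == record]
    return max(hits, key=lambda e: e.when) if hits else None

def only_in_one_copy(primary, replica):
    """Entries missing from either copy: a sign of log loss or tampering."""
    return sorted(set(primary) ^ set(replica))

def investigate(record):
    primary, replica = parse(PRIMARY), parse(REPLICA)
    merged = sorted(set(primary) | set(replica))  # union of both copies
    return last_access(merged, record), only_in_one_copy(primary, replica)

if __name__ == "__main__":
    last, gaps = investigate("student-ssn-export")
    print("last access:", last.ip, last.user, last.when.isoformat())
    for entry in gaps:
        print("present in only one copy:", entry)
```

With only the primary copy, the last recorded access would point at the wrong address; the redundant copy is what surfaces the missing entry.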
In the case that data is leaked, the priority should be on cleaning up, informing, and securing the data of those users whose information has been compromised. A data leak is much like an oil spill - it’s already happened, time to get started on cleanup. The first step should be to evaluate how sensitive the lost data was, and to alert the proper authorities regarding the data loss; in the case of credit card information, this would be for the company to call a credit card bureau and alert them of the theft which has taken place. Then, one should alert the user - it is their right to know if their personal information has been compromised, and so they should be informed ASAP so that they may take matters into their own hands, if they wish.
Data can never be completely secure, but if users and service providers both catch data leaks before they become too big, major compromises of sensitive information can be reduced, if not prevented altogether.