Who should be on (and off) the hook for ID theft?

An influential cryptographer and a panel of technologists today debate how best to fight false authentication and fraudulent transactions.

Data broker LexisNexis admitted it vastly underestimated the impact of recent breaches that now leave some 310,000 people in peril. Meantime, at least 180,000 MasterCard and Visa cardholders learned their confidential information may have been compromised after making purchases at a Ralph Lauren retailer. More than 100,000 Tufts University alumni had their private data swiped from a school server. And San Jose Medical Group Inc. announced the theft of two laptops holding unencrypted info on 185,000 people.

And that's just in the past week.

With such announcements almost commonplace, information security leaders wonder what it will take to stanch the steady stream of stolen data pouring from public and private institutions. A panel of technologists will convene this morning in the nation's capital to discuss solutions to the rise of identity theft. They'll also hash out a particularly prickly subject: Just whose problem is it to solve?

Adding to the debate is today's publication of an essay by influential cryptographer Bruce Schneier, who calls for financial institutions to carry the economic burden of what he sees as a modern twist on an ancient crime: impersonation.


"If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions," he writes. That homes in on the biggest breaches to recently hit the headlines. Both Ohio-based LexisNexis and ChoicePoint of Georgia, another data company that put 185,000 individuals at risk of ID theft, quickly noted they were conned by criminals, not compromised by computer hackers.

Schneier says holding financial institutions -- and not account holders -- liable for fraudulent transactions must be part of any solution. Banks and other financial businesses "can't claim that the user must keep his password secure or his machine virus-free," he writes. "They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't responsible requirements for most users. The bank must be made responsible, regardless of what the user does."

Though Bank of America is mentioned only in passing, Schneier's comments come a couple of months after a Miami businessman sued the financial giant for failing to protect his online banking from thieves, who apparently installed malicious code on the man's PC and then drained his account. That case has sparked heated debate about where a customer's safeguards end and the bank's begin.


In an interview yesterday, Schneier said that court case could prove his point. "I think it's a great case because I think the man's right," he said.

Not everyone agrees that users should be let off the hook. "Everyone has to do their part; (most) people have learned how to lock their houses and cars and not to leave keys under the mat or in the ignition," former national cybersecurity czar Howard Schmidt said. "The same thing needs to occur on PCs. If you leave your keys in the car and it gets stolen, how is that not your fault? It's the same with personal data."

Al Berg, director of information security for a New York-based electronic institutional broker, believes there's some merit to making financial institutions pay for fraudulent claims. "I think placing liability with financial institutions is going to be the most effective tool in making change happen... Nobody likes taking on more liability."

Schneier, CTO of California-based Counterpane Internet Security, says sound solutions to combat online fraud won't happen until financial institutions have incentives to put them in place. "Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention."

Berg and other security professionals in the financial field believe it all comes down to the bottom line. "A lot of costs of not properly protecting data come down to money -- there's always a link back to that. The reason companies like ChoicePoint get into the news is because of the link to finances," Berg said. "It always goes back to the money."

That's also one reason banks have been slow to consider the shift in responsibility. As Schneier tells it, such solutions are expensive. But, he added in the interview, they're necessary. "Right now we have an administration that's very business-friendly and anti-consumer. But if enough grandmas lose their money, something is going to happen. You can't continue to shove this off on the consumer."
