Robin Wilton's esoterica


HMRC breach - looking ahead


While the current row over concealed donations to the Labour Party draws some attention away from the HMRC data breach, it's probably a good moment to step back and take a look at some of the possible long-term implications of what may or may not have happened.

On Monday I was at a local school, giving a talk to 6th-form pupils (16-18-year-olds) about digital identity and privacy. At one level, I really wasn't sure what to say to them. After all, here's a group (representative of an entire generational demographic) who are starting their 'life in the tax system' in the knowledge that their National Insurance numbers and basic identifier information have already been compromised by the actions of a third party.

Two long-term implications present themselves.

First: this episode has prompted at least some policy-makers to attempt to quantify the breach in financial terms. For instance, Vince Cable MP, Liberal Democrat Acting Leader and Shadow Chancellor, has put it at £1.5bn, on the basis of a 'street value' of £60 per identity. The infamous US bank robber, Willie Sutton, apparently never said that he robbed banks "because that's where the money is"... but the principle still holds. Identity theft happens because identities have a value.

In a context where the government plans to operate a national scheme to provide what it has described as the "gold standard of identity", the issue of financial liability for compromised identities needs to be very carefully considered, and the implications made clear to every stakeholder up front (citizens, policymakers, data custodians, relying parties, and so on...). So far, concerning the HMRC breach, the Chancellor has assured citizens that they will not have to bear the cost of resulting identity fraud, but both he and the acting head of HMRC have said it will be the banks who pick up the tab. How the banks feel about indemnifying credentials which they didn't even issue, let alone lose, is probably quite another matter.

Second: thinking of that classroom full of young adults, how are they to know, in 5, 10 or 15 years' time, whether the identity fraud which some percentage of them are likely to suffer came about as a result of something they did, as a result of the current breach, or (as William Heath has so astutely observed) through some subsequent exploitation of the appalling ease with which a couple of CDs can be run off?

In the Digital Era, it seems to me that any prudent enterprise - including governments - should be considering how to indemnify itself against the mass compromise of valuable data, including some consideration of likely consequential loss. That implies that, when it comes down to cases, there is some way of determining the actual (or most probable) origin of a given breach.


I think those problems are still some way from having solutions which successfully include the appropriate range of measures, from policy, risk assessment, architecture/design and technology, to implementation, operation, audit and governance. The worry is the extent to which the stated policy aims and the implementation plans may be allowed to outstrip the other, equally vital components.


