By Jenn Behrens, MSW, PhD, CIPM, CIPP/US
For years, RadioShack made a promise to its customers: provide us with your data, and we will not sell or rent it to third parties. This agreement between the company and its customers worked well until recently when the company filed for bankruptcy, and it became clear that its customers’ data – more than 65 million names and physical addresses and over 13 million email addresses – is a valuable financial asset. And, during bankruptcy proceedings, assets are for sale. This put the issue of customer data privacy at the center of the bankruptcy proceeding. The title of an article by The Dallas Morning News framed the immediate issue well: How safe is your information when a company goes bankrupt?
The recent case of RadioShack’s bankruptcy highlighted the consequences of an identity-enabled world without NSTIC principles or industry-promulgated standards for the exchange of online trust by the IDESG. One of IDESG’s market differentiators in this space is its deliberate alignment with the NSTIC guiding principles, one of which is that identity solutions will be “privacy-enhancing.” These principles are a critical part of what makes our work meaningful and our solution invaluable as it is implemented by organizations in government, industry, academic institutions and across the business landscape.
Today, our personal information (PI) is not safe online. Individuals give away their PI every day in exchange for products or services across government, industry, education and non-profit sectors. And, what becomes of it? And, who is responsible for the trust and safety of that PI?
The RadioShack case is ongoing. The company has temporarily restructured, and the issue will be moot if the restructuring succeeds. Only time will tell if its customer data will ultimately be sold at auction.
IDESG members know the issue is even bigger than bankruptcy. It extends to the countless websites and mobile applications that collect, maintain and (sometimes) distribute consumers’ PI. We promote transparency, accountability and consumer choice in this distribution. However, the consumer often does not realize the full implications of providing their PI at one point in time, or how it may be transferred at different times for a variety of reasons.
A story in The Washington Post illustrated that many companies' existing policies may not provide customers protection after bankruptcy or acquisition. Individuals interact every day with countless sites where their PI is requested.
IDESG is part of the solution – we are wearing the white hat while we do the work in committees hashing out the details of the future of the Identity Ecosystem. In fact, the IDESG Privacy Committee has worked hard to raise the bar for organizations in collecting, managing and disseminating PI. Under an NSTIC-aligned Identity Ecosystem, there is a requirement governing the use of PI: “Organizations shall limit the retention of personal information to the time necessary for providing and administering the services and transactions to the individual end-user for which the personal information was collected, except as otherwise required by law, regulation or legal process.” Requirements such as this will prevent consumers’ PI from being sold without permission.
Simply put: there is no “RadioShack problem” with an NSTIC-aligned Identity Ecosystem. Consumer data will not be at risk when businesses and government agencies participate in the Identity Ecosystem and agree to abide by the Identity Ecosystem Framework (IDEF) requirements. The IDEF provides the overarching set of standards for security, risk, usability and accountability, and also encompasses the set of requirements just established in the Privacy Committee. IDESG raises the bar on what it means to participate in the Identity Ecosystem.
Jenn Behrens is Director of Privacy and Compliance, ID.me, and Chair of the IDESG Privacy Committee.