In 1964, the U.S. Supreme Court struggled to define obscenity. It was within that context that Justice Potter Stewart spoke the immortal words “I know it when I see it.”
The Identity Theft Prevention and Identity Management Standards Panel (IDSP) met last fall and again last month with a similar goal—defining identity theft and methods for more accurately determining the crime’s magnitude.
As the number of reported data breaches and identity theft crimes escalates, so too does the number of relative studies and, proportionately, reporters—all of us trying to accurately deliver the latest information.
As identity theft writers, our articles are often filled with statistics drawn from respected government, non-profit, law enforcement and security industry sources, but somehow the numbers don’t always match up.
The problem is this: there are no standard definitions or consistent methodologies for tallying the damage; what one organization calls identity theft, another calls identity fraud. In other words, we all think we know identity theft when we see it.
The same confusion surrounds the reportage of data breaches. Sometimes data breaches are publicly reported, but often not. In some cases the numbers of effected records are unknown or are only added to a total if a Social Security number was part of the exposed record.
So far the IDSP has settled on a distinction between identity theft and identity fraud, determining that identity theft is the accessing of personal data; identity fraud is the use of that data.
The panel’s work to establish standard methodologies for reporting and measuring the total extent of identity theft, fraud and data breaches is ongoing. Nine years passed between the time Justice Potter presented his working definition of obscenity, and the time the Court was able to define it less ambiguously. The IDSP is faced with no less daunting a task, but making much faster progress.