One of the interesting threads that runs through the National Broadband Plan (NBP) released today is a reliance on secure, trusted authentication for innovative online technologies that isn't widely available to the public. As a result, the NBP calls for certain steps to spur the growth of a marketplace for trusted identity providers that will help consumers manage their data.
Specifically, recommendation 4.15 of the Plan calls out the role of identity providers in providing privacy and security safeguards to consumers and suggests ways that Congress can help these trusted identity providers enter the market. The NBP floats an interesting idea for setting best practices, standards, and appropriately strict guidelines and audits on data protection and privacy for identity providers: a regime for identity providers that provides insurance (and possibly a safe harbor from liability) contingent upon following these best practices for trusted identity providers.
The insurance regime for identity management that is envisioned in the NBP is similar to the role the Federal Deposit Insurance Corporation (FDIC) plays in the banking space. The FDIC acts as a private entity with the backing of the government to protect consumers in the banking industry, providing confidence that the money entrusted with a private bank is insured in case the bank fails. As part of this program, the FDIC creates rules and regulations for participating banks, in order to effectively manage the risk taken in insuring these banks. Such a regime could easily create similar rules for consumer protection in order to insure identity providers and potentially provide a safe harbor for identity providers following strict and robust privacy-protective guidelines and audits for data protection. Essentially, this insurance would serve the same role as a ‘trust framework’ would – creating a minimum set of policies and rules for entities in identity transactions that will ensure that trust is created.
Clearly, there is no way that an insurance entity could reimburse a consumer for data lost or breached. However, an FDIC-like entity or regime could provide appropriate identity theft resources for affected consumers, as well as a safe harbor for identity providers, as long as they are compliant with established guidelines on privacy and security. It could also ensure that a user always has data portability. Because the NBP mentions a safe harbor, it is important that the best practices required to participate under such an insurance model are strong enough to provide effective protections for consumer privacy and security.
In the past, CDT has suggested other types of private or public legal regimes to ensure identity providers properly safeguard consumer privacy. We still believe a contract regime or relying on existing regulatory frameworks, i.e., an FCRA regime, could be viable regulatory approaches here. But ultimately, we need some kind of rules and guidelines for these emerging identity providers, and this insurance regime seems to be one promising way to do it without overarching and inflexible legislation. The key for all of these approaches is that users, identity providers, and services using identity information (a.k.a. relying parties) are in a marketplace that they can trust.
Of course, the devil will be in the details, but we hope that Congress explores this idea to protect responsible identity providers from liability by encouraging them to adhere to robust guidelines for information security and privacy protections.