Shifting focus from technology to legal ramifications of identity
By Ross Mathis, Contributing Editor, AVISIAN Publications
In the area of identity management there has been significant work related to the technical exchange of identity information and the actual authentication processes. There has not, however, been a focused look at the legal issues, particularly those that would hold parties responsible for not properly identifying and authenticating users or customers.
“You need rules and obligations placed on the various parties and they need to perform these obligations, and if they don’t then you need some enforcement mechanism,” says Tom Smedinghoff, a partner at Wildman Harrold and chairman of the American Bar Association’s Federated Identity Management Legal Task Force.
A year ago the task force was formed to address these legal issues, as well as the privacy and liability issues faced by all participants in the identity management process.
The goal of the ABA task force is to analyze legal issues that arise in connection with the development, implementation and use of federated identity management systems. “We really try to take a rigorous look at what folks have to deal with when they establish and operate identity management systems … and look at the legal models for making it work,” says Smedinghoff.
Exploring various legal models, the group is studying the structure of each and weighing its pros and cons, with the aim of developing terms and contracts that parties can use in e-commerce and other electronic communication settings. “In order for there to be a viable trust framework you’ve got to address the legal side of it,” he says.
These trust frameworks, also called identity and authentication frameworks, attempt to bind all parties to a common set of rules. “More commonly now we’re finding a consortium, or groups of businesses, that are looking at setting up an identity infrastructure … so you get more of a collaborative approach to a set of rules and changing those rules as needed,” Smedinghoff says.
On the other side, there is a regulatory overlay that must be taken into account. There are certain issues of identity management that are regulated by laws, which cannot be buried or superseded by contracts between the parties.
While this is a cutting-edge area of law, it is starting to get some attention. “It varies by jurisdiction but there’s a fair amount of privacy law, particularly in the European Union, but to a lesser extent in the U.S. financial and health care sectors,” Smedinghoff says.
Case law starting
In identity theft cases, case law is beginning to emerge. Courts are starting to point the finger at businesses that did not, in the court’s opinion, do enough to protect personal information. Businesses need to meet their obligations: properly identify and authenticate individuals, and avoid releasing personal or confidential information to the wrong party. The Federal Trade Commission has even brought enforcement actions against businesses that did not properly authenticate customers, says Smedinghoff.
When addressing these issues, the ABA task force is considering a number of areas of law that may apply. “It’s those underlying issues … we need to figure out how they might apply, and how parties can mitigate the legal risks and allocate them fairly among participants in the process,” Smedinghoff says. “We need to look at the laws of negligent representation, and see how that affects the process.”
If a business acts as the identity provider within the management process, it is making assertions about a subject to a third party, the relying party. These assertions can, in theory, be treated as warranties or representations. Smedinghoff notes that examining warranty law to see how it affects the process may prove useful.
“It’s these kinds of obligations that are going to have to be addressed,” he concludes. “We need to get down to the level of what are those things that you should be doing and what are those things that you shouldn’t be doing?”