Thinking about it did lead me to wonder if we couldn’t find a simple “X quid per person” figure to use in planning, risk analysis and back-of-the-envelope calculations though. Over at Emergent Chaos, for example, there’s a calculation based on the TJX breach that might provide a $20 rule-of-thumb figure. TJX announced a $118m setaside to deal with the loss of control of 45 million records, or around $3 per record (person, let’s assume). Setting aside that journalists were apparently quoting nearly $200 per person loss, even assuming the worst case $1 billion in costs plus lawsuits, it’s still on $21 per person. Other than data breaches, another useful rule-of-thumb figure, I reckon, might come from identity card fraud since an identity card is a much better representation of a persons identity than a credit card record. Luckily, one of the countries with a national smart ID card just had a police bust: in Malyasia, the police seized fake MyKad, foreign workers identity cards, work permits and Indonesian passports and said that they thought the fake documents were sold for between RM300 and RM500 (somewhere between $100 to $150) each. That gives us a rule-of-thumb of $20 for a “credit card identity” and $100, say, for a “full identity”. Since we don’t yet have ID cards in the U.K., I thought that fake passports might be my best proxy. Here, the police says that 1,800 alleged counterfeit passports recovered in raid in North London were valued at £1m. If we round it up to 2,000 fakes, then that’s £500 each. This, incidentally, was the largest seizure of fake passports in the U.K. so far and vincluded 200 U.K. passports, which, according to police, are often considered by counterfeiters to be too difficult to reproduce. Not!
The point I actually wanted make is not that these figures a very variable, which they are, but that they’re not comparing apples with apples. Hence the simplistic “what’s your identity worth?” question cannot be answered with a simple number.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]