All:
I really like Kim's posting on the George Mason University security breach. I like the fact that he fatalistically recognizes that these sorts of penetrations--with concomitant loss/theft of identity information--will happen time and again. We just have to accept that disasters do happen, even when IT administrators have taken all necessary precautions. What I didn't see in his post was any discussion of "disaster response" procedures that identity administrators (is that even a real title?) must take in response to such incidents. It's clear that they should plug the vulnerability in their system, track down the perpetrator, and seek legal recourse, if possible. But it's also critical to immediately notify the impacted parties--the people whose identities were stolen--so that they can implement "damage control" in their lives (looking for signs of identity fraud, suspicious credit-card charges, and so forth). These notifications may involve sending alerts to the institutions that manage their assets, so that those institutions can execute identity-fraud clampdown/monitoring procedures.
What I'd like to see is some IdM-penetration-event analog to the "amber alert" system, under which identity breaches trigger some sort of automated alert, fraud-control clampdown, disaster response, and investigation train of events. No matter where the IdM penetration occurred, or how many people it exposed, or how much identity info was exposed, or the amount of potential financial liability involved. There should be legal/regulatory rules governing collective national/international responses to these incidents (as if they were oil spills or tsunamis or what have you).
Identity information is a munition. Having someone steal your identity is like having them steal your gun from your hip and then shoot you in the back with it. Serious threats demand serious collective, organized responses.
Jim