Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate

36 Pages Posted: 12 Sep 2009 Last revised: 6 Oct 2009

Thomas J. Smedinghoff

Locke Lord LLP

Date Written: August 21, 2009

Abstract

In an online environment, identifying and authenticating a person or entity that seeks remote access to a corporate system, that authors an electronic communication, or that signs an electronic document, is the domain of what has come to be called "identity management." It is essential to establishing the trust necessary to facilitate electronic transactions of all types, plays a key role in fighting identity fraud, and in many cases has become a legal obligation. Yet it is also a process that typically requires the disclosure, verification, storage, and communication of personal information, and thus, by its nature, raises significant legal, privacy and liability concerns, among others.

This paper outlines the basic concepts behind identity management and the developing concept of federated identity management, and identifies and examines some of the key legal risks that must be addressed to make it work. In particular, it:

• Explains the basic principles that underlie the concept of commercial identity management;
• Identifies the numerous legal issues raised by the use of identity management systems;
• Focuses on the privacy implications of the collection, verification, storage, communication, and disclosure of personal information in the context of identity management systems;
• Examines the role of identity management in addressing the legal and risk-based obligations to authenticate remote parties; and
• Evaluates the legal requirements applicable to all identity management systems, and how the operation of those systems raises issues of concern relating to the privacy and security of personal information

Keywords: identity management, federated identity management, IdM, law, legal, authenticate, authentication, privacy, liability, identity, identification, identity provider, identity proofing, relying party,

JEL Classification: K00, K10, K12, K19, K20, K29, K30, K33, K39, L86

Suggested Citation

Smedinghoff, Thomas J., Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate (August 21, 2009). Available at SSRN: https://ssrn.com/abstract=1471599 or http://dx.doi.org/10.2139/ssrn.1471599

Thomas J. Smedinghoff (Contact Author)

Locke Lord LLP ( email )

111 S. Wacker Drive
Chicago, IL 60606
United States
+1 312-201-2021 (Phone)

HOME PAGE: http://www.lockelord.com/professionals/s/smedinghoff-thomas-j?lang=en

Paper statistics

Downloads
370
Rank
63,884
Abstract Views
2,027