RealTime IT News

Many Breaches, Few ID Thefts

Data breaches are frequent, but evidence of actual identity theft resulting from the breaches is limited, according to a new report by the General Accountability Office (GAO).

The report, issued late last week, found more than 570 data breaches were reported in the news media from January 2005 through December 2006. The incidents occurred across a broad sector, including government agencies, colleges and universities, medical facilities, retailers and financial institutions.

"Available data and interviews with researchers, law enforcement officials and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts," the report states.

The GAO examined the 24 largest reported breaches between 2000 and 2005 and found three of the breaches resulted in fraud on existing accounts and evidence indicating the creation of fraudulent accounts. For 18 of the breaches studied, no clear evidence was uncovered linking them with identity theft. For the remaining two breaches, there was insufficient evidence to make a connection with identity theft.

Since the 2005 ChoicePoint data breach, Congress has repeatedly debated the merits of a federal law requiring companies suffering breaches to notify affected customers. While Congress has failed to enact any such laws, at least 36 states have passed laws involving breach notification.

"Requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also presents certain costs and challenges," the report states. "Notification requirements can create incentives for entities to improve data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach."

Consumers also benefit from breach notifications. The GAO said that consumers notified of a breach could take steps to reduce the risk of identity theft, such as monitoring credit card and bank accounts.

"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals," the GAO said. "Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."

Both federal regulators and the president's Identity Theft Task Force advocate, a national notification standard that is risk based, allowing companies to take proactive steps to inform consumers where the risk of identity theft is high.

Several bills in Congress take this risk-based approach. U.S. Sen. Dianne Feinstein (D-Calif.) introduced legislation in March that would require businesses and government agencies to notify consumers under certain circumstances of data breaches. Businesses would be allowed to make a "risk assessment" of a data breach and only notify consumers if there is "significant" risk of harm.

Businesses would, however, be required to notify the Secret Service of the breach. If the Secret Service disagrees with the risk assessment, then the business would be required to mount a data-breach disclosure campaign.

The bill is a revival of legislation Feinstein introduced in the 109th Congress. It passed the Senate Judiciary Committee as part of larger package of data-breach bills, but the legislation never made it to a full vote of the Senate.

"Should Congress choose to enact a federal notification requirement, use of such a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk," the GAO said in its report.

This article first appeared on InternetNews.com.