Many Breaches, Few ID Thefts

Data breaches are frequent, but evidence of actual identity theft resulting
from the breaches is limited, according to a new report by the General
Accountability Office (GAO).

The report, issued late last week, found that more than 570 data breaches were
reported in the news media from January 2005 through December 2006. The
incidents occurred across a broad range of sectors, including government
agencies, colleges and universities, medical facilities, retailers and
financial institutions.

“Available data and interviews with researchers, law enforcement officials and
industry representatives indicated that most breaches have not resulted in
detected incidents of identity theft, particularly the unauthorized creation
of new accounts,” the report states.

The GAO examined the 24 largest reported breaches between 2000 and 2005 and found
three of the breaches resulted in fraud on existing accounts and evidence
indicating the creation of fraudulent accounts. For 18 of the breaches
studied, no clear evidence was uncovered linking them with identity
theft. For the remaining two breaches, there was insufficient evidence to make
a connection with identity theft.

Since the 2005 ChoicePoint data
breach, Congress has repeatedly debated the merits of a federal law requiring
companies suffering breaches to notify affected customers. While Congress has
failed to enact any such laws, at least 36 states have passed laws involving
breach notification.

“Requiring affected consumers to be notified of a data breach may encourage
better security practices and help mitigate potential harm, but it also
presents certain costs and challenges,” the report states. “Notification
requirements can create incentives for entities to improve data security
practices to minimize legal liability or avoid public relations risks that may
result from a publicized breach.”

Consumers also benefit from breach notifications. The GAO said that consumers
notified of a breach could take steps to reduce the risk of identity theft,
such as monitoring credit card and bank accounts.

“At the same time, breach notification requirements have associated costs,
such as expenses to develop incident response plans and identify and notify
affected individuals,” the GAO said. “Further, an expansive requirement could
result in notification of breaches that present little or no risk, perhaps
leading consumers to disregard notices altogether.”

Both federal regulators and the president’s Identity Theft Task Force advocate
a national notification standard that is risk based, allowing companies to
take proactive steps to inform consumers where the risk of identity theft is

Several bills in Congress take this risk-based approach. U.S. Sen. Dianne
Feinstein (D-Calif.) introduced legislation in March that would require businesses and government agencies to notify
consumers under certain circumstances of data breaches. Businesses would be
allowed to make a “risk assessment” of a data breach and only notify consumers
if there is “significant” risk of harm.

Businesses would, however, be required to notify the Secret Service of the
breach. If the Secret Service disagrees with the risk assessment, then the
business would be required to mount a data-breach disclosure campaign.

The bill is a revival of legislation Feinstein introduced in the 109th
Congress. It passed the Senate Judiciary Committee as part of a larger package
of data-breach bills, but the legislation never made it to a full vote of the

“Should Congress choose to enact a federal notification requirement, use of
such a risk-based standard could avoid undue burden on organizations and
unnecessary and counterproductive notifications of breaches that present
little risk,” the GAO said in its report.

This article first appeared on
