GAO: Identity Theft Cases Limited Compared to Breaches

July 9, 2007

While the Government Accountability Office fell short of offering recommendations, it released a report stating that many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information in recent years.

A rapidly developing crisis, GAO says data breaches are frequent but the full extent of the problem is unknown, though evidence of resulting identity theft is “limited.”

The law of averages dictates that as the number of data breaches increases, so will the incidences of follow-on identity theft. The GAO report released last month said more than 570 data breaches were reported in the news media from January 2005 through December 2006, according to lists maintained by private groups that track reports of breaches.

Account fraud (such as misuse of credit card numbers) or unauthorized establishments of new accounts (such as opening a credit card in someone else’s name) are common examples of identity theft resulting from data breaches.

While many states have enacted laws requiring entities that experience breaches to notify affected individuals, Congress is considering legislation that would establish a national breach notification requirement as well.

GAO analyzed 24 large data breaches, and gathered information from federal and state government agencies, researchers and consumer advocates. The Office examined the incidence and circumstances of breaches, the occurrence of identity theft resulting from breaches and issues related to breach notification requirements.

These incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities.

The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts.

In reviewing the 24 breaches reported in the media from January 2000 through June 2005, GAO found that three included evidence of resulting fraud on existing accounts and one included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining two, there was not sufficient information to make a determination.

Notification requirements can create incentives for entities to improve data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach. At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals.

Federal banking regulators and the President’s Identity Theft Task Force have advocated a risk-based notification standard allowing individuals to take appropriate measures where the risk of harm exists, while ensuring they are only notified in cases where the level of risk warrants such action.

Should Congress choose to enact a federal notification requirement, use of such a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.

Source: Government Accountability Office

Was this article valuable?

Here are more articles you may enjoy.