United States GAO findings on identity theft have questionable conclusions

Michael Durnack
Recently the US Government Accountability Office released the findings of a study on the net effect of data breaches, stolen data, and lost data, measured by how much actual identity theft resulted from such occurrences. It undertook this task to help Congress decide whether a federal law establishing a national breach notification requirement should be considered. To date, 36 states already have laws of varying strength in effect that require notification of data loss so consumers can take immediate action to find out whether they have become a victim.

When some people receive a data breach notification, it triggers them to start looking closely at a bank or credit card statement, perhaps balance the checkbook, or finally obtain a credit report. The GAO report stated that “consumers alerted to a breach can take measures to prevent or mitigate identity theft, such as monitoring their credit card statements and credit reports.” Unfortunately, you can’t prevent identity theft by looking at statements or reports, because those documents are entirely historical records, and you can’t change history. Individuals who do discover an anomaly will quickly realize the crime has been committed and the damage has already been done.

The GAO was asked to examine three distinct areas:

(1) The incidence and circumstances of breaches of sensitive personal information

The report, released on July 5th, 2007, found that more than 570 data breaches were reported in the news media from January 2005 through December 2006. The incidents occurred across broad sectors such as government agencies, universities, medical facilities, retailers and financial institutions. The GAO used various sources for the research and came to the conclusion that data breaches are frequent. If they were evenly distributed, there would be one breach every 1.3 days.

(2) The extent to which such breaches have resulted in identity theft

"Available data and interviews with researchers, law enforcement officials and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts," the report states. The key word in that conclusion is “detected”, since many victims never find out that they are a victim, or they do not report it to any of the agencies that were consulted for this GAO report.

They determined that they can’t directly link identity theft to many of the data thefts they reviewed because there is no clear and conclusive evidence that directly links those breaches with identity theft. Apparently the identity thieves are not disclosing the abundant sources of their windfall. Or the thieves are going to a lot of trouble stealing personal data, changing their minds, finding religion and doing nothing with it after all.

As far as the GAO report is concerned, if it is not conclusive then it must not have occurred, or at least they can’t say it occurred. They even recognized that the lack of reporting on the part of victims leads to skewed and invalid data that cannot be used to create a valid statistical picture.

If all of the breaches the GAO analyzed resulted in little or no identity theft, one needs to look elsewhere for the origin of all the stolen personal information that results in billions of dollars in personal losses for the millions of actual victims each year.

(3) The potential benefits, costs, and challenges associated with breach notification requirements.

Currently there are bills in Congress that would require a business to perform a risk assessment after a data breach and decide whether a notification is necessary. The concern in Washington is that too many data breaches will result in too many notifications, and consumers will start to ignore them.

"Requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also presents certain costs and challenges," the report states. "Notification requirements can create incentives for entities to improve data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach."

Ultimately it may end up with a business, or other entity, deciding whether it wants egg on its face, and whether it wants to risk the liability of a disclosure.

All the parties who were entrusted with keeping our data safe, but didn’t, are now allowed to decide if they should tell us, or not.

Michael Durnack

Michael is the President and CEO of Identity Defense, a consultancy committed to helping individuals defend their identity from theft and fraud. His firm has developed an innovative and proprietary set of tools to help quantify vulnerability and create personalized recommendations for modifying habits and behaviors to reduce risk.

An expert in the field of identity theft and fraud, he has conducted extensive research into a wide range of tactical methods used by identity thieves in relation to victims’ social behavior. His research has been conducted throughout the US and in areas around the globe that economically thrive on theft.