Data breaches do not often lead to ID theft

Published 12 July 2007

GAO report says that large data breaches do not appear to lead to identity theft; proposals requiring companies to notify customers of breaches may be costly and unnecessary

It appears that every fortnight or so there is another story leading the news about major data breaches in private companies or government agencies. Fortunately, it appears that most large data breaches do not lead to identity theft, and proposals that would require companies to notify customers of most breaches may lead to increased costs without significant benefits. IDG News Service's Grant Gross reports on a U.S. government report released last week. The report, from the U.S. Government Accountability Office (GAO), said only four of the twenty-four largest data breaches between January 2000 and June 2005 appear to have resulted in identity fraud.

Wide-ranging data breach notification laws which would require nearly all breaches to be reported could lead to notifications that “present little or no risk, perhaps leading consumers to disregard notices altogether,” the report said. A breach notification law would have several benefits, but a law that requires notification for nearly all breaches could also create significant costs for businesses, the report added. The U.S. Congress is currently considering several breach notification bills, including some that would require notification for nearly all breaches.

The report suggests that, instead, Congress may want to consider a notification rule based on the risk of ID theft. The U.S. President’s Identity Theft Task Force has recommended a national standard for determining when government agencies and private companies should report breaches, the report pointed out. A risk-based standard “could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk,” the report said. A data breach law would create costs for businesses, including the cost of developing incident response plans and notifying customers, the report said. While it is difficult to determine costs, a Ponemon Institute LLC study in 2006 found that thirty-one companies with breaches incurred an average cost of $1.4 million per breach for notifying customers, staffing call centers, paying legal fees, and other expenses.

The GAO researched twenty-four large data breaches reported in the media between 2000 and 2005, and found that eighteen of them had no ID theft or fraud identified. Three of the breaches, at CardSystems Solutions, DSW, and CD Universe, had reports of fraud associated with existing customer accounts. A breach at ChoicePoint had reports of unauthorized new accounts opened. In the remaining two breaches, GAO was unable to determine if there had been ID fraud.

Questions about whether data breaches lead to ID theft notwithstanding, the report says that a breach notification law could be beneficial because it would encourage organizations to improve data security. “Care is needed in defining appropriate criteria for data breaches that merit notification,” the report said. “Because breaches vary in the risk they present, and because most breaches have not resulted in detected incidents of identity theft, a notification that is risk based appears appropriate.”