ID Theft Rare, as Far as Measurable, in Breaches, GAO Says
For all the hype, data breaches rarely result in identity theft, even loosely defined, the Government Accountability Office (GAO) said in a report made public Thursday. Warning that the scarcity of data on breaches and the difficulty of tracing fraud on accounts to specific breaches may have affected its findings, the GAO uncharacteristically made no formal recommendations based on them. But the agency said if Congress acts, it should use a risk-based standard for breach notification to avoid “undue burden” on breached entities and preempt “counterproductive” notice requirements that could make consumers complacent.
The report was done at the request of four House Financial Services Committee members and one former committee member: Ranking Member Spencer Bachus, R-Ala., and Reps. Michael Castle, R-Del., Steve LaTourette, R-Ohio, Dennis Moore, D-Kan., and Darlene Hooley, D-Ore. All sponsored ID theft bills in the past two years. Last Congress, the five asked GAO to evaluate the link between breaches and actual ID theft and the pros and cons of breach notification requirements. GAO studied news coverage of breaches and interviewed law enforcement officials and representatives of breached organizations.
Breaches occur often, GAO said. The FBI Cyber Division has 1,300 cases of computer or network intrusion; in 2006 the Secret Service opened 327 cases on network intrusions and other private sector breaches. At least one breach each was reported at 17 federal agencies, for a total of 788, from 2003 through July 10, 2006 -- the period that the House Government Reform Committee set in its request to federal agencies a year ago, GAO said. The U.S. Computer Emergency Readiness Team at the Department of Homeland Security got notice of 477 incidents at 59 agencies in fiscal 2006. The New York attorney general’s office fielded reports of 255 breaches under the state’s notification law December 7, 2005, through October 5, 2006, it told the GAO. Breaches vary from a dozen or fewer records to millions, as with the Department of Veterans Affairs breach (WID May 23/06 p7).
Most breaches do not seem to have spawned ID theft, the report said. Among the 24 largest breaches receiving media coverage from January 2000 to June 2005, three appeared to result in fraud on existing accounts: those at shoe retailer DSW, credit card payment processor CardSystems and e-tailer CD Universe. One led to fraudulent creation of a new account, at data broker ChoicePoint. A further 18 breaches showed no “clear evidence” linking them to ID theft. But the GAO cited “methodological limitations” in some ID theft studies that found little relation between breaches and ID theft. The most common breach methods were hacking (11) and computer equipment theft (5).
Little is known about which data are affected by breaches, but educational institutions mostly lose Social Security numbers and retail stores credit card numbers, the GAO said. Opening new accounts in someone else’s name is less common than fraudulently using existing accounts because it takes more work, law enforcement officials told the GAO.
Federal agencies lack a basis for definitively connecting breaches to ID theft in most circumstances, the report said. The Federal Trade Commission ID Theft Data Clearinghouse has no “statistically reliable” information, since its data are self-reported complaints; the FBI Internet Crime Complaint Center is no better at correlating breaches and fraud, GAO said. Since data can be used fraudulently years after being acquired, law enforcement told GAO that studies measuring harm from breaches cannot rule out future harm.
Breach notification laws by state and category appear to have improved data security, encouraging use of low-cost tools like better firewalls and incident response reporting, a broad spectrum of entities told the GAO. But few data exist on how consumers respond to breaches. A 2005 Ponemon Institute survey showed half of consumers did nothing when notified. The costs for breached organizations to respond can be high, such as the $75,000 the University of California at Berkeley spent to operate call centers in the wake of a 2005 breach of 98,000 records, GAO said.
Complying with and developing notification requirements is fraught with peril, the report said. The definition of “encryption” for purposes of exemptions from notification varies widely, “from simple password protection to complex coding,” GAO said. It is not always clear under federal banking rules who is responsible for notification and associated costs, as when breached merchants are not a bank’s service provider. Notification letters often are complicated, and a large national bank told the GAO that credit monitoring service sales material often looks like breach notifications.
State laws vary in notification triggers, so a federal risk-based trigger would appear to walk a thin line between state officials’ desire for a strong notification standard and federal officials’ wish for a looser standard, the GAO said. The agency did not call its advice a “recommendation,” but sided with federal banking regulators and the President’s ID Theft Task Force in promoting a risk-based approach, if Congress intervenes.