Data breaches are frequent, but evidence of actual identity theft resulting from the breaches is limited, according to a new report by the General Accountability Office (GAO).
The report, issued late last week, found more than 570 data breaches were reported in the news media from January 2005 through December 2006. The incidents occurred across a broad range of sectors, including government agencies, colleges and universities, medical facilities, retailers and financial institutions.
"Available data and interviews with researchers, law enforcement officials and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts," the report states.
The GAO examined the 24 largest reported breaches between 2000 and 2005 and found three of the breaches resulted in fraud on existing accounts and evidence indicating the creation of fraudulent accounts. For 18 of the breaches studied, no clear evidence was uncovered linking them with identity theft. For the remaining two breaches, there was insufficient evidence to make a connection with identity theft.
Since the 2005 ChoicePoint data breach, Congress has repeatedly debated the merits of a federal law requiring companies suffering breaches to notify affected customers. While Congress has failed to enact any such laws, at least 36 states have passed laws involving breach notification.
"Requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also presents certain costs and challenges," the report states. "Notification requirements can create incentives for entities to improve data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach."