Data breaches are frequent, but evidence of actual identity theft resulting
from the breaches is limited, according to a new report by the General
Accountability Office (GAO).

The report, issued late last week, found more than 570 data breaches were
reported in the news media from January 2005 through December 2006. The
incidents occurred across a broad range of sectors, including government
agencies, colleges and universities, medical facilities, retailers and
financial institutions.

“Available data and interviews with researchers, law enforcement officials and
industry representatives indicated that most breaches have not resulted in
detected incidents of identity theft, particularly the unauthorized creation
of new accounts,” the report states.

The GAO examined the 24 largest reported breaches between 2000 and 2005 and found
three of the breaches resulted in fraud on existing accounts and evidence
indicating the creation of fraudulent accounts. For 18 of the breaches
studied, no clear evidence was uncovered linking them with identity
theft. For the remaining two breaches, there was insufficient evidence to make
a connection with identity theft.

Since the 2005 ChoicePoint data breach, Congress has repeatedly debated the
merits of a federal law requiring
companies suffering breaches to notify affected customers. While Congress has
failed to enact any such laws, at least 36 states have passed laws involving

“Requiring affected consumers to be notified of a data breach may encourage
better security practices and help mitigate potential harm, but it also
presents certain costs and challenges,” the report states. “Notification
requirements can create incentives for entities to improve data security
practices to minimize legal liability or avoid public relations risks that may
result from a publicized breach.”