Identity theft? What identity theft?

GAO report concludes that theft of personal information isn’t a problem, but notifying consumers Is

Whew! We can relax.

The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.

Yes, I’ve got that right. It’s not a comedic headline from The Onion.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

The SANS NewsBites, one of my top information sources on security news, turned me on to The United States Government Accountability Office’s new report to congressional requesters called Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown. The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it’s not an entirely bad report, but it comes to nebulous conclusions.

For example, the report concludes that, although online criminal masterminds are stealing tens of millions of financial identities, apparently they are inept at using the captured information … maybe. The GAO examined the 24 largest data breaches from January 2000 to June 2005 and concluded that only four led to unauthorized financial activity. Who would have thought that all the malicious pros would be content with filling their hard drives with useless information?

We can all rest better, right? Further, although the report grants that notifying affected consumers has some value, it often seems more concerned about shielding the vendor than protecting the consumer:

"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."

I love our GAO watchdog. It normally does a wonderful job of catching accounting irregularities, malfeasance, and government misstatements. Am I complaining only because its conclusion doesn’t agree with my strong opinions on the subject? Perhaps, but I know something doesn’t add up.

Not only did one-third of all U.S. adults have their financial identity information stolen or lost in 2006 alone (as covered in several of my previous columns), but I think we all know someone who has been the victim of identity theft, and I don’t mean merely that their identity information was taken.

I do a fair amount of public speaking to large audiences across the country. Since the middle of 2006, I’ve been quizzing almost every audience to give a show of hands if they had their identity information used by an unauthorized party. Wherever I go, the proportion of victims is pretty consistent at one out of nine audience members. My informal survey is not statistically meaningful in a macro sense, but the demonstration is enough to show that we’ve got a serious, widespread problem.

How can our government help protect us if it won't even admit that there's a problem? Even if the problem is one out of 1,000, should we be debating whether or not to notify affected consumers?

You know this dubious GAO study will end up being cited by all the companies who wish to avoid reporting responsibilities. I bet it’s already being copied and sprayed around Congress like a garden soaker hose.

How could the report be so flawed? For one, only the largest breaches as of June 2005 were used for statistics on unauthorized use of identity information. Data theft for profit started hitting its stride in June 2005, and exploded in 2006. Prior to that, all we had to worry about were spam bots, worms, and macro viruses. (Boy, do I wish macro viruses were my only problem now.) Most of the real financial damage has occurred since then. 

Second, the study identified unauthorized use of the financial information by interviewing researchers, law enforcement officials, and industry representatives. That's not a bad way to start, but why not ask the people who really know: the consumers? Just pick up the phone and randomly call adults in the U.S. and ask them how identity theft has affected them. Is it such a foreign idea?

Third, the report doesn’t even begin to address the extent of the damage caused. How much money was stolen? How many hours did the average affected consumer take to repair their credit? (I hear reports of around 90 hours.) Last week we learned that terrorists, real terrorists, are using online identity theft to raise money for their cause. The group behind the recent London bombings used money from online identity theft and malware.

There’s a reason why more than 36 states have enacted their own data breach laws, most of which have stronger reporting requirements than any of the Federal proposals.

The GAO’s report even states, “The extent to which the data breaches result in identity theft is not well known” and then simply throws up its hands, concluding, “This report contains no recommendations.” That's just not good enough. I wonder how many companies wishing to avoid reporting requirements will point that out to Congress?

Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget that! Banks and merchants are privileged to be entrusted with our important financial data. If they don’t protect our information properly, they, not us, should pay the price.