Over the past five years, 43 U.S. states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission (FTC).
"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.
Romanosky's team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California's SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.
Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends. A lot of people complain, but it represents only a subsection of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year.
The FTC doesn't break down identity theft complaints on a state-by-state basis. However, the Carnegie Mellon researchers were able to access to this information using a Freedom of Information Act request. This allowed them to see whether or not there was a change in the rate of reported identity thefts before and after data breach laws went on the books. Looking at the complaints on a month-by-month basis, they didn't find any statistically significant effect, Romanosky said.
However, they found that other factors, such as the state's population, gross domestic product and fraud rate did have a significant effect on identity theft rates.
Because reports to the FTC are incomplete, it's hard to draw conclusions from the data, said Gartner analyst Avivah Litan. But she noted that while breach laws have made lost laptops front-page news, many companies have responded to tighter laws and regulations by focusing more on compliance than on security.
Often, that's not good enough to protect customers from ID theft, she said. "If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."
Romanosky admits that there may be problems in the methodology used by his team. And while he noted that the data -- compiled from self-reported complaints -- may not be perfect, the FTC database is the only source of this type of information.
In fact, there may be good reasons that explain why breach laws have not cut down on identity theft. Many consumers simply ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. "In so many of these cases, the breaches occur because of ridiculous security practices," he said.