Romanosky knows something about information security in the corporate world. Before deciding to pursue his Ph.D., he worked in the security groups of companies such as Morgan Stanley and eBay.
The researchers suggest a few next steps to better understand identity theft. The federal government should adopt a unified breach law in order to "reduce conflict between states laws and lower the barrier for compliance," they write in their paper.
Also, there should be standardized notification requirements so that victims learn pertinent information about the breach. Finally, they said that some kind of oversight committee should be set up as the definitive source of breach data, so that there is better information for consumers, policy makers, and researchers.
Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."
"The thieves are just getting better and there's more fraud," she said.