GAO: Data breaches don't often result in ID theft

Most large data breaches don't appear to lead to identity theft, and proposals that would require companies to notify customers of most breaches may lead to increased costs without significant benefits, says a report from a U.S. government agency released Thursday.

The report, from the U.S. Government Accountability Office (GAO), said only four of the 24 largest data breaches between January 2000 and June 2005 appear to have resulted in identity fraud.

Wide-ranging data breach notification laws that would require nearly all breaches to be reported could lead to notifications that "present little or no risk, perhaps leading consumers to disregard notices altogether," the report said. While a breach notification law would have several benefits, a law that requires notification for nearly all breaches could also create significant costs for businesses, the report added.

The U.S. Congress is currently considering several breach notification bills, including some that would require notification for nearly all breaches.

Instead, Congress may want to consider a notification rule based on the potential for the risk of ID theft, the report said. The U.S. President's Identity Theft Task Force has recommended a national standard for determining when government agencies and private companies should report breaches, the report pointed out.

A risk-based standard "could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk," the report said.

A data breach law would create costs for businesses, including the cost of developing incident response plans and notifying customers, the report said. While it's difficult to determine costs, a Ponemon Institute study in 2006 found that 31 companies with breaches incurred an average cost of $1.4 million per breach for notifying customers, staffing call centers, paying legal fees, and other expenses, the report said.

The GAO researched 24 large data breaches reported in the media between 2000 and 2005, and found that 18 of them had no ID theft or fraud identified. Three of the breaches, at CardSystems Solutions, DSW, and CD Universe, had reports of fraud associated with existing customer accounts.

And a breach at ChoicePoint had reports of unauthorized new accounts opened. In the remaining two breaches, GAO was unable to determine if there had been ID fraud.

It's difficult to track ID theft resulting from data breaches, the report said. In some cases, thieves don't attempt to use the data until a year or more after the breach, the report said.

A breach notification law could be beneficial because it would encourage organizations to improve data security, the report said. "Care is needed in defining appropriate criteria for data breaches that merit notification," the report said. "Because breaches vary in the risk they present, and because most breaches have not resulted in detected incidents of identity theft, a notification that is risk based appears appropriate."

Alan Paller, director of research at the SANS Institute, a security research and training company in Maryland, praised the report, saying some in Congress have focused too much on data breaches. Some lawmakers have "dropped the ball on the far more important area of attack-based defenses," he said.

The report is important because it gives Congress more information about data breaches, added Thomas Lenard, senior fellow and acting president at the Progress and Freedom Foundation, a conservative think tank.

"It’s very good to have more data on this issue," he said. "[The report] reinforces my view that we should only adopt new regulations in this area if it can be shown that their benefits are greater than their costs."