Whew! We can relax.
The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.
Yes, I’ve got that right. It’s not a comedic headline from The Onion.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
The SANS NewsBites, one of my top information sources on security news, turned me on to The United States Government Accountability Office’s new report to congressional requesters called Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown. The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it’s not an entirely bad report, but it comes to nebulous conclusions.
For example, the report concludes that, although online criminal masterminds are stealing tens of millions of financial identities, apparently they are inept at using the captured information … maybe. The GAO examined the 24 largest data breaches from January 2000 to June 2005 and concluded that only four led to unauthorized financial activity. Who would have thought that all the malicious pros would be content with filling their hard drives with useless information?
We can all rest better, right? Further, although the report grants that notifying affected consumers has some value, it often seems more concerned about shielding the vendor than protecting the consumer:
"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."
I love our GAO watchdog. It normally does a wonderful job of catching accounting irregularities, malfeasance, and government misstatements. Am I complaining only because its conclusion doesn’t agree with my strong opinions on the subject? Perhaps, but I know something doesn’t add up.
Not only did one-third of all U.S. adults have their financial identity information stolen or lost in 2006 alone (as covered in several of my previous columns), but I think we all know someone who has been the victim of identity theft, and I don’t mean merely that their identity information was taken.