Survey: Data breaches yield few ID thefts

Contrary to popular perception, computer data breaches are less likely to result in identity theft and other fraud than off-line causes such as lost or stolen wallets and checkbooks.

That was the finding of a year-long study of about 5,000 U.S. consumers by Pleasanton, Calif.-based analyst firm Javelin Strategy & Research. Javelin's research showed that despite recent hype, data breaches were responsible for just 6 percent of all known cases of identity theft, compared to 30 percent from incidents like losing one's wallet. The study also showed that less than 1 percent of all individuals whose data was lost later became victims of ID theft.

Javelin's results are similar to those found by other firms that have looked at the relationship between data breaches and actual instances of ID fraud. In a Gartner study in 2005, for instance, only 18 percent of identity theft victims attributed the cause to computer breaches, while 41 percent cited off-line causes. Similarly, a December 2005 analysis by ID Analytics Inc. of four major online data breaches involving 500,000 customer records showed that less than 1 percent of those affected had their identities stolen.

The numbers are important at a time when a spate of data breach disclosures has heightened consumer concerns and is fueling a debate among lawmakers about the need for more stringent data protection laws, analysts said.

"There is a misperception that there is a one-to-one correlation between a data breach and ID theft," said Thomas Oscherwitz, vice president of government affairs and chief privacy officer at San Diego-based ID Analytics. In reality, "the mere fact that you are part of a data breach doesn't mean that you are a victim of ID theft," he said.

The degree of risk can depend on the type of breach, Oscherwitz said. Data breaches involving a deliberate hacking, for instance, are likely to be much more risky than those involving a lost disk or laptop, he said.

Failing to make such distinctions can push consumers to undertake unnecessary efforts to protect themselves and can impose burdens on corporations, said Mary Monahan, author of the Javelin study.

"Our opinion is that consumers do need to be protected by data breach laws, and we do want to see a federal law to protect all consumers," Monahan said. But given the low risk of ID theft from such breaches, any such law would need to give the breached entity the opportunity to conduct a risk assessment before they are required to disclose it publicly; The absence of such a trigger could result in indiscriminate notifications.

"And then all you get is white noise" that few people pay attention to, Monahan said.

Currently, many of the 30-plus states that have breach disclosure laws require companies to notify customers of any data breach involving the potential compromise of personally identifiable information. Several industry groups have been lobbying lawmakers for a preemptive federal law that would add some sort of a breach notification trigger that is based on an assessment of the risk of ID theft or other fraud.

Privacy advocates, on the other hand, have been arguing for broad disclosure, saying that few companies are likely to publicly notify consumers of a breach if they are allowed to make their own risk assessments.

"I think it's always going to be difficult to make a conclusive cause-and-effect relationship between ID theft and data breaches," said Andrew Jacquith, an analyst at Yankee Group Research Inc. in Boston. So the real emphasis of any national legislation has to be on measures that companies need to take to protect sensitive customer data, he said.

Also important is the need to examine issues like the continuing use of Social Security numbers as identifiers by a large number of companies, Jacquith said. "I view nonpublic information as radioactive material that needs to be protected [from leaks]," he said. "It's material that you can use to manufacture identities with."