The Government Accountability Office issued a report on July 5th concerning the issue of consumer privacy and data breaches in response to several bills in Congress that carry a national notice requirement. The GAO was asked to assess the costs and benefits of such a requirement. There’s good news and (sorta) bad news. First the good news:
• Even though data breaches happen fairly frequently, they are less often used for ID theft purposes than you might expect.
“For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination.”
Now, the bad news:
The report claims that it has “no recommendations,” but the language of the report suggests otherwise. Consumer advocates are taking issue with the GAO’s “not-a-recommendation” of a risk-assessment plan, in part because they believe that every consumer who has been the victim of a data breach should know about it, and also because the connection between data breaches and ID theft is difficult to assess, which makes it doubtful that an accurate and useful risk-assessment program could be created.
The GAO does point out that requiring disclosure of data breaches would likely have a positive effect on security, but seems very concerned about the associated costs.
Michelle at Consumers Union says about the report, “Consumers Union thinks that because law enforcement and business associations can’t even say how often data breaches lead to harm, letting each business that has a security breach decide not to tell individuals about the breach because the business hasn’t determined that there is a risk of harm to consumers would be a very big loophole in any notice requirement. We believe the consumer should always know.”
Who should decide if you get notice of a security breach? [Financial Privacy Now]
Personal Information Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent Is Unknown. (PDF) [GAO]