Should Consumers Be Notified Of Every Data Breach?

The Government Accountability Office issued a report on July 5th concerning the issue of consumer privacy and data breaches in response to several bills in Congress that carry a national notice requirement. The GAO was asked to assess the costs and benefits of such a requirement. There’s good news and (sorta) bad news. First the good news:

    • Even though data breaches happen fairly frequently, they are less often used for ID theft purposes than you might expect.
    “For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination.”

    Now, the bad news:

  • The Government Accountability Office is concerned about the costs and challenges involved for companies if they are required to notify consumers of every data breach.
  • The full extent of the connection between data breaches and ID theft is unknown, because it’s difficult to trace a given case of ID theft back to the breach that exposed the information.
  • The Government Accountability Office recommends that a “threat level” type system be used to determine whether a breach warrants notification. They claim that such a risk-based approach “could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.”

    The report claims that it has “no recommendations,” but the language of the report suggests otherwise. Consumer advocates are taking issue with the GAO’s “not-a-recommendation” of a risk-assessment plan, in part because they believe that every consumer who has been the victim of a data breach should know about it, and also because the connection between data breaches and ID theft is difficult to assess, which makes it doubtful that an accurate and useful risk-assessment program could be created.

    The GAO does point out that requiring disclosure of data breaches would likely have a positive effect on security, but seems very concerned about the associated costs.

    Michelle at Consumers Union says about the report, “Consumers Union thinks that because law enforcement and business associations can’t even say how often data breaches lead to harm, letting each business that has a security breach decide not to tell individuals about the breach because the business hasn’t determined that there is a risk of harm to consumers would be a very big loophole in any notice requirement.

    We believe the consumer should always know.”

    Who should decide if you get notice of a security breach? [Financial Privacy Now]
    Personal Information Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent Is Unknown. (PDF) [GAO]
    (Photo: ellimac)