Identity theft? What identity theft?

One-third of all U.S. adults had their financial identity information stolen or lost in 2006

Phew! We can relax.

The GAO reports that identity theft really isn't a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.

Yes, I've got that right. It's not a comedic headline from The Onion.

The SANS NewsBites, one of my top information sources on security news, turned me on to The United States Government Accountability Office's new report to congressional requesters called Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown. The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it's not an entirely bad report, but it comes to nebulous conclusions.

For example, the report concludes that, although online criminal masterminds are stealing tens of millions of financial identities, apparently they are inept at using the captured information ... maybe. The GAO examined the 24 largest data breaches from January 2000 to June 2005 and concluded that only four led to unauthorized financial activity. Who would have thought that all the malicious pros would be content with filling their hard drives with useless information?

We can all rest better, right? Further, although the report grants that notifying affected consumers has some value, it often seems more concerned about shielding the bank than protecting the consumer:

"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."

Show Comments