I love our GAO watchdog. It normally does a wonderful job of catching accounting irregularities, malfeasance, and government misstatements. Am I complaining only because its conclusion doesn't agree with my strong opinions on the subject? Perhaps, but I know something doesn't add up.
Not only did one-third of all U.S. adults have their financial identity information stolen or lost in 2006 alone, but I think we all know someone who has been the victim of identity theft, and I don't mean merely that their identity information was taken.
I do a fair amount of public speaking to large audiences across the U.S. Since the middle of 2006, I've been quizzing almost every audience to give a show of hands if they had their identity information used by an unauthorized party. Wherever I go, the proportion of victims is pretty consistent at one out of nine audience members. My informal survey is not statistically meaningful in a macro sense, but the demonstration is enough to show that we've got a serious, widespread problem.
How can our government help protect us if it won't even admit that there's a problem? Even if the problem is one out of 1,000, should we be debating whether or not to notify affected consumers?
You know this dubious GAO study will end up being cited by all the companies who wish to avoid reporting responsibilities. I bet it's already being copied and sprayed around Congress like a garden soaker hose.
How could the report be so flawed? For one, only the largest breaches as of June 2005 were used for statistics on unauthorized use of identity information. Data theft for profit started hitting its stride in June 2005, and exploded in 2006. Prior to that, all we had to worry about were spam bots, worms, and macro viruses. (Boy, do I wish macro viruses were my only problem now.) Most of the real financial damage has occurred since then.
Second, the study identified unauthorized use of the financial information by interviewing researchers, law enforcement officials, and industry representatives. That's not a bad way to start, but why not ask the people who really know: the consumers? Just pick up the phone and randomly call adults in the U.S. and ask them how identity theft has affected them. Is it such a foreign idea?
Third, the report doesn't even begin to address the extent of the damage caused. How much money was stolen? How many hours did the average affected consumer take to repair their credit? (I hear reports of around 90 hours.) Last week we learned that terrorists, real terrorists, are using online identity theft to raise money for their cause. The group behind the recent London bombings used money from online identity theft and malware.
There's a reason why more than 36 states have enacted their own data breach laws, most of which have stronger reporting requirements than any of the Federal proposals.
The GAO's report even states, "The extent to which the data breaches result in identity theft is not well known" and then simply throws up its hands, concluding, "This report contains no recommendations." That's just not good enough. I wonder how many companies wishing to avoid reporting requirements will point that out to Congress?
Here's my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, "You need 10,000 or more records stolen before it is reported" or "Only report if likely to be used in financial theft." Forget that! Banks and merchants are privileged to be entrusted with our important financial data. If they don't protect our information properly, they, not us, should pay the price.