 |
| Members of Creditlock.com enjoy free access to Credit Lock Down Pro. To access service, Click This Box |
|
|
Identity Theft Risk Undermined by Inconclusive GAO Data Breach Report
July 10, 2007
|
The Government Accountability Office, GAO, released on Thursday July 5 a comprehensive 50 page report titled: "Data Breaches are Frequent, but Evidence of Resulting Identity Theft Is Limited; However The Full Extent is Unknown" (for the full report, click here). Unfortunately, most headlines covering the content of the report gave the wrong impression that Data Breaches do not result in increased risk of Identity Theft. Many such headlines totally ignored the last part of the report title: "...However The Full Extent is Unknown." Many seem to have forgotten to ask themselves: if a criminal is not interested in using the data acquired through a data breach, then why commit such illegal activity in the first place?
The fact that the GAO itself admitted in the title that "The Full Extent is Unknown," means that the report is inconclusive. If the report is inconclusive, then it would be unwise to derive any policy or decision based on the assumption that data breaches do not result in an increased risk of Identity Theft. Not knowing or finding such relationship does not imply that it does not exist; it is simply unknown, or undiscovered. Just because the Americas were unknown to Europe in the Fourteenth Century, it did not mean that the Americas did not exist.... However, it does make sense to logically conclude that data breaches should be reported for the sole reason that a human being is entitled to know when his/her privacy is violated.
|
|
 |
Most institutions, prior to collecting personal data from customers, typically provide their customers with a Privacy Policy, whereby such policy typically assures the customer that his/her personal data will be protected and secure. A Data Breach, regardless whether incurred due to negligence or not, is in essence contrary to the spirit (and possibly letter) of such Privacy Policy. If, prior to collecting personal information, a consumer is told: "your personal information, which you are about to provide, can be stolen, and we will not notify you when and if such event takes place," will a consumer still provide personal information to such untrustworthy merchant? Most likely not.... Consumers can judge for themselves, when notified of such data breaches, whether they believe their privacy, and Identity, have been compromised.
The GAO report correctly admitted that links between Identity Theft and Data breaches are hard to detect due to the fact that in most Identity Theft cases, the source for the information utilized in Identity Theft is often unknown. It is also very possible that data collected in a Data Breach could be used several years following such Data Breach. In such case, the GAO report would not detect such links if Identity Theft is incurred after the period examined by GAO.
The GAO report examined some of the largest Data Breaches reported by the media. Logically, the publicity for such breaches would cause consumers to possibly take precautions to protect themselves against Identity Theft. Such measures could include Credit monitoring, Credit Report Locking, etc... Hence, it is also possible that a link to Identity Theft was not detected because consumers were able to deter such threat. However, had such breaches been unknown to the media, as well as consumers, it is possible that additional instances of Identity Theft would have occurred.
The GAO report examined "detected" incidences of Identity Theft. Although annual complaints filed by Identity Theft victims number about 250,000 complaints annually (as reported by FTC, Identity Theft Data Clearinghouse), it is estimated that about 9 Million Americans are subjected to Identity Theft annually. Most Americans do not report Identity Theft when it occurs. Many |
|
do not even know they are a victim of Identity Theft. Hence, it is also possible that many data breaches have resulted in Identity Theft that has not been reported, and possibly has not even been detected by the victim.
The most worrisome aspect of the report is the frequency of Data Breaches. Between January 2005 and December 2006, the media reported more than 570 Data Breaches, spanning Federal, State and Local governments, as well as merchants, financial institutions, academic institutions and medical establishments. It is rather odd that despite the high frequency and wide spectrum of such Data Breaches, as well as the report's own admittance of "unknown full extent," that such report would not fully endorse Data Breach Notification requirement. Instead, the report cautioned against "certain costs and challenges" that would be associated by such requirement. How about the $50 Billion annual damage estimated to be caused by Identity Theft? |
|
To Go Back to Blog, Make Comments or RSS Feeds Click Here |
|
| Members of Creditlock.com enjoy free access to Credit Lock Down Pro. To access service, Click This Box |
|
|
|
Seed Newsvine