The threat posed by identity theft may be overstated, according to a
report by US congressional watchdog the Government Accountability
Office (GAO) into data breaches and their consequences
published today.
The GAO looked at 570 data breaches reported in news media
between January 2005 and December 2006.
"The extent to which data breaches have resulted in identity
theft is not well known, largely because of the difficulty of
determining the source of the data used to commit identity theft,"
it said.
In a review of the 24 largest breaches, it found just three
"included evidence of resulting in fraud on existing accounts, and
one included evidence of unauthorised creation of new
accounts."
It added that for 18 cases there was no clear evidence linking
them to identity theft, and there was not enough information on the
other two to reach a conclusion.
The GAO said present legislation that requires companies to
notify individuals when a data breach happens helped to mitigate
potential damage, but was costly and might desensitise individuals
if they received many such notices regularly.
It noted that federal banking regulators and the
President's Identity Theft Task Force recommended a risk-based
standard for disclosing a breach.
This would allow individuals "to take appropriate measures where
the level of risk of harm exists, while ensuring they are only
notified in cases where the level of risk warrants such
action."