The threat posed by identity theft may be overstated, according to a report into data breaches and their consequences published today by US congressional watchdog the Government Accountability Office (GAO).
The GAO looked at 570 data breaches reported in news media between January 2005 and December 2006.
"The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft," it said.
In a review of the 24 largest breaches, it found just three "included evidence of resulting in fraud on existing accounts, and one included evidence of unauthorised creation of new accounts."
It added that for 18 cases there was no clear evidence linking them to identity theft, and there was not enough information on the other two to reach a conclusion.
The GAO said present legislation that requires companies to notify individuals when a data breach happens helped to mitigate potential damage, but was costly and might desensitise individuals if they received many such notices regularly.
It noted that federal banking regulators and the President's Identity Theft Task Force recommended a risk-based standard for disclosing a breach.
This would allow individuals "to take appropriate measures where the level of risk of harm exists, while ensuring they are only notified in cases where the level of risk warrants such action."