GAO report on data breaches

I’ve been reading a report by the US Government Accountability Office (GAO) entitled “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown.”

It makes for interesting reading. Findings include that “in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination.”

The report discusses breach notification requirements in detail and makes the following claim:

Breach notification requirements have several potential benefits, including creating incentives for entities to improve their data security practices (and thus prevent potential breaches from occurring), allowing affected consumers to take measures to prevent or mitigate identity theft, and serving to respect individuals’ basic right to know when their personal information is compromised.

The report also finds that notified individuals then “often assume that any perceived mistakes on their credit card statements or credit report were a result of the breach.” Notifications also cause consumers to panic. We have to respect our customers’ right to know if their data has been stolen, but there should be a better trigger for notification than a sneaking suspicion that it has been compromised.

The report goes on to list the data breach causes. These are:

  • Hacking
  • Employee theft
  • Theft of physical equipment
  • Deception or misrepresentation to obtain unauthorized data
  • Loss of laptop computers or other hardware
  • Loss of backup tapes
  • Unintentional exposure on the Internet
  • Improper disposal of data

The report does mention the risk of “over-notification.” However, it frames this as a challenge for policy-makers rather than for the businesses, who are the ones that have to bear the expense and effort of sending out the notifications.

Regardless of whether or not we operate in a legislative environment where notifications are required, we should be making our best effort to protect customer data with an appropriate set of controls. The report concludes:

The frequency of data breaches identified in this report suggests that a national breach notification requirement may be beneficial, in large part because of its role in further encouraging entities to improve their data security practices. However, because breaches vary in the risk they present, and because most breaches have not resulted in detected incidents of identity theft, a notification that is risk-based appears appropriate