The General Accountability Office, the non-partisan audit and investigative arm of Congress, issued a report last week that examined 24 of the largest of the 570+ data breaches reported in the media from January 2005 to December 2006. It found only 3 breaches that resulted in fraud.
For 18 of the breaches studied, no clear evidence was uncovered linking them with identity theft. For the remaining two breaches, there was insufficient evidence to make a connection with identity theft.
Given the low observed risk, the GAO asks whether consumers should be notified of data breaches only when there is an increased risk of harm:
“At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals,” the GAO said. “Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether.”
Both federal regulators and the president’s Identity Theft Task Force advocate a national, risk-based notification standard that would allow companies to take proactive steps to inform consumers where the risk of identity theft is high.
Should consumers be notified of every breach, or only of high-risk breaches? Please share your thoughts in the comments.