The federal Government Accountability Office issued a report today entitled: Personal Information Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent Is Unknown. In this report, the GAO admits that it can’t determine how often data breaches result in identity theft. The report says that even law enforcement just doesn’t know the answer to this question, and that the few private studies that have looked at the issue have methodological limitations. The report says that it “contains no recommendations.” However, it has some troubling language suggesting a limitation on notice of security breaches based on some kind of a risk standard, such as whether misuse is reasonably possible, which means you won’t always be told when your information has been lost or stolen.
Representatives of the FBI, Secret Service, USPIS, and Immigration and Customs Enforcement told the GAO that “their investigations of data breach do not typically allow them to fully ascertain how stolen data are used.” Law enforcement also told the GAO that: “investigations of identity theft do not always reveal the source of the data used to commit the crime.” The report also confirms what privacy advocates have long said – that data stolen in a breach might be held for a year or even longer and then used to commit ID theft. And the GAO offers this chilling truth: “Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”
One of the issues to be hotly debated this year in Congress is whether a business that loses your data or otherwise fails to protect your data from a security breach should be able to decide that it doesn’t need to notify you of the breach because the business doesn’t know if you will be at risk of harm from the breach. The GAO report suggests that U.S. businesses themselves don’t know whether or not data breaches create a risk of harm. The GAO says: “Representatives of the American Bankers Association, the National Retail Federation, and the Consumer Data Industry Association told us they were unable to determine how prevalent data breaches are among their institutions or how often such breaches lead to consumer harm.”
Consumers Union thinks that because law enforcement and business associations can’t even say how often data breaches lead to harm, letting each business that has a security breach decide not to tell individuals about the breach because the business hasn’t determined that there is a risk of harm to consumers would be a very big loophole in any notice requirement.
We believe the consumer should always know. It would have been unlikely that those 47.5 million TJX retailer customers would have known their credit card and other sensitive information had been hacked into unless TJX was required to report the incident. How else would customers know to keep a vigilant eye on their credit reports and finances for strange activity in the future after their information’s been hacked into, lost or stolen?
To email your Congressional Representative and Senator about your views on notice of security breaches, see Consumers Union’s site: www.financialprivacynow.org. To learn more about the bills pending in Congress on security breaches, see: http://www.consumersunion.org/pub/core_financial_services/004589.html.
Here are some other interesting statements from the GAO report:
“Encryption does not necessarily preclude fraudulent use of data – for example, if the key used to unencrypt the data is also compromised.”
The persons whom the GAO contacted in the private, nonprofit and government sectors all believed that existing state data breach notice laws “have provided entities with incentives to improve data security practices.”
At the GAO’s request, the American Hospital Association collected information from a nonrepresentative group of 46 large hospitals about data breaches and found that 13 of the 46 hospitals reported a total of 17 breach incidents since Jan. 2003.
The report notes that “marketing solicitations for credit monitoring services often are made to resemble breach notification letters…” Consumers Union believes that this is a separate issue that those charged with preventing and stopping deceptive practices, including the Federal Trade Commission, should pursue.