The Government Accountability Office said what we don't know about security breaches and identity theft could hurt you, but stopped short of recommending that Congress include in pending federal legislation a requirement that private and government organizations that store or handle personal information notify affected individuals whenever a breach occurs.
Data breaches have been "widespread" in recent years, according to the GAO, with more than 570 breaches having been reported in the news media between January 2005 and December 2006. Meanwhile, last year 17 government agencies reported a total of 788 separate incidents of data breaches of government systems. The FBI's cyber division said it had more than 1,300 pending cases of data breaches from network intrusions while the Secret Service agency of the Treasury Department reported to the GAO last year having opened 327 cases involving network intrusions of banks, credit card processors, telephone companies, retailers and other organizations. The GAO also noted that the Federal Trade Commission estimates that "millions of Americans have their identities stolen each year."
Even so, the GAO said, "the extent to which data breaches result in identity theft is not well-known, in large part because it can be difficult to determine the source of the data used to commit identity theft."
In its 50-page report released Thursday, the GAO looked at the 24 largest data breaches reported in the news media between January 2000 and June 2005, including blockbuster system failures such as the disclosure in January by retailer TJX Cos. in which credit card information on 45 million customer accounts was compromised, and the healthcare mother-of-all-IT errors, the 2006 loss to a burglar of 26.5 million patient records from the Veterans Affairs Department.
Investigating those 24 largest breaches, the GAO found evidence that three of them "appeared to have resulted in fraud on existing (financial or credit card) accounts" and in an additional case, the fraud involved creation of new accounts, which the GAO notes is potentially far more damaging.
Aside from the notorious VA incident, the GAO only occasionally mentions healthcare. One notable exception is a short reference to an American Hospital Association survey of 46 hospitals conducted at the GAO's request. The survey found 17 breaches had occurred at 13 of the 46 hospitals since 2003, three resulted in "fraudulent activity on existing accounts and another three resulted in other forms of identity theft, including one case where the information was used to file false income tax refunds." Another mention involves an analysis of media accounts of breaches compiled by three different privacy organizations, one of which found that 10% of all breaches were reported by healthcare organizations.
Yet, the GAO said its report "focuses on breaches of sensitive personal data that can be used to commit identity theft, and not on breaches of other sensitive data such as medical records or proprietary business information," a position seemingly contradicted by the GAO's own findings with the AHA study. It is a position also contrary to the findings of a report issued last year by the World Privacy Forum that warned medical identity theft in particular was widespread and a growing threat in the healthcare industry.
According to Pam Dixon, executive director of the World Privacy Forum, medical identity theft is narrowly defined as the theft of an individual's identity to fraudulently obtain healthcare services.
The privacy group's report concluded that medical identity theft can be far more long-lasting and harmful to its victims than even some of the worst forms of theft of ordinary financial information. Damages from medical identity theft could include loss of job opportunities or denial of insurance coverage, or coverage at increased cost, or even serious injury or death due to improper treatment if another's medical information is combined with the victim's medical record. Dixon could not be reached for comment on the GAO findings.
In compiling its report, the GAO conducted research from August 2006 to April 2007. It looked at information on hundreds of data breaches collected by state monitoring programs in New York and North Carolina as well as conducting interviews with government officials, including federal banking regulators and members of President Bush's Identity Theft Task Force as well as representatives of various private-sector organizations.
The report was addressed to Rep. Spencer Bachus (R-Ala.) the ranking member of the House Committee on Financial Services; three fellow committee members, Michael Castle (R-Del.), Steven LaTourette (R-Ohio) and Dennis Moore (D-Kan.); and former committee member Darlene Hooley (D-Ore.) who serves on the Science and Technology Committee. The report was requested, "because a number of bills have been introduced in Congress that would establish a national breach notification requirement," and the GAO was asked to research electronic privacy and security data breaches, their relation to the incidence of identity theft and the potential costs and benefits of a breach notification requirement.
Since California passed pioneering legislation in 2002, "at least 36 states have enacted breach notification lawsthat is, laws that require certain entities that experience a data breach to notify individuals whose personal information was lost or stolen," the GAO said. "There is no federal statute that requires most companies or other entities to notify affected individuals of data breaches, although federal banking regulatory agencies have issued guidance on breach notification to the banks, thrifts and credit unions they supervise."
The report attempted to straddle the issue of whether a federal disclosure law would be appropriate.
"Requiring consumer notification of data breaches may encourage better data security practices and help deter or mitigate harm from identity theft, but it also involves monetary costs and challenges such as determining an appropriate notification standard," the report said.
On the plus side, notification requirements make companies and organizations more sensitive to legal and public relations risks and therefore encourage companies to improve their data security, the report said. The National Association of Attorneys General, for example, "has advocated that a breach notification requirement should apply broadly in order to give consumers a greater level of protection and because the risk of harm is not always known."
On the minus side, a 2006 survey of 31 companies that experienced data breaches said the companies spent on average $1.4 million per breach, which included breach notification costs such as letters, but also included other liability mitigation costs, damages and other expenses, including attorney fees, courtesy discounts and other services.
Federal banking regulators in 2006 and the Bush Identity Theft Task Force last year, have opted for guidelines calling for more of a triage approach to notification in which some breaches require notice while others do not, based on an assessment of potential harm. The task force, however, has recommended a federal notification requirement. While the GAO report says it "contains no recommendations," it warned that "care is needed in defining appropriate criteria for incidents that merit notification." It added that should Congress pass a federal notification law, "use of such a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk."
The report said identity theft "encompasses many types of criminal activities, including fraud on existing accountssuch as unauthorized use of a stolen credit card numberor fraudulent creation of new accounts."
The GAO noted only that harm to victims of identity theft ranges in severity from the inconvenience of having to close and obtain new credit cards to "substantial financial losses and damaged credit ratings."
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.