Breach-notification laws not working?
Robert Lemos, SecurityFocus 2008-06-25

The breach-notification laws passed by many states have failed, so far, to produce a measurable impact on identity theft, according to a group of academic researchers who will present their findings on Thursday at the Workshop on the Economics of Information Security (WEIS).

The paper, written by three researchers at Carnegie Mellon University, analyzed annual identity-theft data collected from 2002 to 2006 by the Federal Trade Commission (FTC), the U.S. agency tasked with responding to consumer fraud, to find what factors most affected identity-theft numbers. The researchers found that the passage of a data-breach disclosure law did not appreciably decrease identity theft in any particular state. Instead, identity theft tended to be more widespread in states with better economies and greater populations.

On Thursday, the researchers will present more recent data that strengthens the conclusion that breach-notification laws have yet to have an impact.

"It is possible that the laws have not been around long enough," said Sasha Romanosky, the paper's lead author and a graduate student of public policy at Carnegie Mellon. "We can assume that every company knows about them, so it could just be that they are slow at adopting better practices."

Data-breach notification laws have been passed by 38 states since California first enacted its disclosure law, S.B. 1386, in September 2002. While some experts initially doubted that the laws would lead to significant reporting of lost or stolen data, a trickle of notifications soon became a flood. In 2007, companies, schools and government agencies acknowledged that more than 163 million records containing personal information were lost or stolen, according to Attrition.org's Data Loss archives.

Other recent research suggests that notification laws have not been a quick fix. The number of breaches reported in the first half of 2008 has risen by half compared to a year earlier, according to a report to be released next week by the Identity Theft Resource Center (ITRC), a non-profit group.

Yet, while the laws may not have helped companies stem the loss of data, they have helped in other ways, said Linda Foley, founder of the ITRC.

"I don't know if disclosure laws have decreased identity theft," Foley said. "They have increased our awareness of the breaches that go on. And, it's just common sense that identity thieves like to go unnoticed, so when details become public, it makes it harder for them."

In the ITRC's latest report, Identity Theft: The Aftermath 2007, the group found that consumers affected by new account fraud paid nearly 40 percent more in expenses, or $1,865, in 2007 to recover from the theft of identity, compared to a year earlier. However, the costs to business fell to about $49,000 from $87,000 in 2006. In cases where the victim knew the source, only 5 percent of identity theft originated online, the report found.

The ITRC report is based on interviews with victims of identity theft who contacted the group for help, a population likely similar to the one behind the complaints collected by the Federal Trade Commission.

"It's a self-selecting group," Foley said. "The people who call us range from 'My wallet has been stolen,' to 'My life is in shambles.'"

Other research has consistently found that consumers who quickly respond to identity theft limit their damage significantly, suggesting that victims should take action as soon as they are notified of a possible compromise of their personal information.

One study, using data from identity-protection firm Debix, showed that including the consumer in the security process could curtail fraud losses. The study found that 1.2 percent of the 30,618 new-account transactions processed by the firm during a 90-day period were fraudulent. Yet setting a fraud alert on a customer's account and requiring the customer to confirm any new credit transaction eliminated the fraud.

"In no cases, when consumers were involved, did the bank get beat," said Bo Holland, founder and CEO of Debix.

Yet consumers frequently neglect to sign up for the credit-monitoring services that companies offer following a breach, or to put fraud alerts on their credit accounts. That needs to change, said Carnegie Mellon's Romanosky.

"You can put the accountability in two places," Romanosky said. "First the firms: they can improve and they need to improve. The other end is the consumers: Once notified, they need to do something."

If you have tips or insights on this topic, please contact SecurityFocus.

Copyright 2010, SecurityFocus