In a report issued on June 4, the Government Accountability Office found that while there have been frequent and widespread breaches of personal financial information, it is unclear that those breaches have resulted in actual cases of identity theft.
"The extent to which data breaches result in identity theft is not well known," the report stated, "in large part because it can be difficult to determine the source of the data used to commit identity theft."
Lauren Weinstein, a cofounder of People for Internet Responsibility and a moderator of the Privacy Forum, generally agreed with findings of the GAO report. "It is very difficult to track down the source of the data used in identity theft cases," Weinstein said. "In any large enough pool of people, a certain number are going to suffer identity theft whether or not their data is lost on a corporate backup tape or government laptop."
Enormous Amounts of Data Lost
Without question, however, the sheer number of information breaches is staggering. With the help of groups that monitor media reports of data breaches, the GAO determined that there were some 570 breaches between January 2005 and December 2006. A survey by a House Government Reform Committee listed nearly 800 breaches of federal agency data during a three-year period running from January 2003 to July 2006.
As the report noted, virtually every type of institution charged with protecting private information -- federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities -- has failed to do so.
And even if the risk of actual identity theft is small, the number of people affected by these lapses in security is enormous, ranging from hundreds of thousands to tens of millions. As the storage capacity of drives and laptops increases, the amount of material that can be lost will increase accordingly.
Costs Outweigh Benefits?
The GAO report did not contain any specific recommendations, but did suggest that the costs of consumer notification and other remedial measures need to be considered, particularly in light of the difficulty of showing specific harm resulting from data breaches.
Weinstein agreed that a cost-benefit analysis is useful. "I'm not suggesting that data theft is not a serious problem -- it obviously is -- but there may be better ways to deal with the issue. Among other things, companies should not be using hard drives and laptops to transport data, and they certainly should not be doing so without encrypting it."
The other piece of the puzzle, Weinstein said, is to educate consumers about where the real risk lies. "You're at a much greater risk of identity theft," Weinstein suggested, "from someone who knows you -- a neighbor, a family member, an ex-spouse -- than you are from someone who finds a backup tape or rips off a laptop to make a few quick bucks."