Monday, July 9, 2007

GAO Reports on Identity Theft, Sort of

Recently the US Government Accountability Office released its findings of a study on the net effect of data breaches, stolen data, and unaccounted for data and how much actual identity theft resulted from such occurrences. They undertook this task to help Congress decide if a federal law should be considered for a national breach notification requirement. Some states already have laws in effect to various degrees requiring notification of data lost so that consumers can take immediate actions to see if they’ve become a victim.

Sounds a bit odd, but breach notification would most likely just give you a heads up a bit sooner if you are a victim. Many times a data breach notification is the first time a victim looks at a bank or credit card statement, balances a checkbook for the first time in ten years, or obtains a credit report.

The GAO was asked to examine three distinct areas

(1) The incidence and circumstances of breaches of sensitive personal information

(2) The extent to which such breaches have resulted in identity theft

(3) The potential benefits, costs, and challenges associated with breach notification requirements.

The GAO used various sources for the research and came up with an earth shattering discovery; data thefts are rampant and occur frequently and are probably underreported due to lack of voluntary or mandatory disclosure.

They also determined they can’t directly link identity theft to many of the data thefts they reviewed because there is not clear and conclusive evidence that directly links those breaches with identity theft. Apparently the identity thieves are not disclosing the abundant sources of their windfall.

There you have it, if it is not conclusive then it must not have occurred, or at least they can’t say it occurred. It does not mean that it didn’t.

They even admitted that the lack of reporting on the part of victims also leads to skewed and invalid data that cannot be used to create a valid statistical picture.

So how do many interpret this : “GAO finds little identity theft results from data breaches”.

Apparently there are a lot of thieves going to a lot of trouble stealing personal data, then changing their minds finding religion and doing nothing with it after all.

But if that is the case, then where did all that personal stolen information come from that results in the billions of dollars in personal losses from the millions of actual victims each year? There was not a place to include them in this report.