GAO: Security Breach-Identity Theft Link Weak

Security experts have known this dirty little fact about identity theft for years: the reason some banks, universities and online merchants are not as vigilant as they could be in protecting the personal financial information in their databases is that, if a security breach does occur, linking fraudulent purchases to that specific leak of information is extremely difficult.

Now the Government Accountability Office has concluded in a report that linking security breaches to specific identity thefts is very hard to do. But the evidence, GAO concludes, indicates the threat of fraudulent activity is not that great. “For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that three included evidence of resulting fraud on existing accounts and one included evidence of unauthorized creation of new accounts,” GAO reports. “For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining two, there was not sufficient information to make a determination.”

The GAO report undertook to provide insight into a federal security notification bill now pending in Congress, in which organizations would be required to notify those customers who had personal information exposed in a breach. GAO’s advice:

Federal banking regulators and the President’s Identity Theft Task Force have advocated a notification standard—the conditions requiring notification—that is risk based, allowing individuals to take appropriate measures where the risk of harm exists, while ensuring they are only notified in cases where the level of risk warrants such action. Should Congress choose to enact a federal notification requirement, use of such a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.

That kind of “risk-based” decision sounds like a loophole the size of a Mack truck. “Risk of harm” is in the eye of the beholder. Don’t expect any security notification law using such risk-based measures to assuage public outrage over frequently reported security breaches. But then again, the public won’t know about the security breach because the business or agency didn’t report it. Ignorance is bliss, I guess.