Researchers Say Notification Laws Not Lowering ID Theft
Robert McMillan, IDG News Service - Thu Jun 5, 12:00 AM ET
Over the past five years, 43 U.S. states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission (FTC).
"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D. student at Carnegie Mellon who is one of the paper's authors.
Romanosky's team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California's SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.
Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends. Many people file complaints, but they represent only a subset of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year.
The FTC doesn't break down identity theft complaints on a state-by-state basis. However, the Carnegie Mellon researchers were able to access this information using a Freedom of Information Act request. This allowed them to see whether or not there was a change in the rate of reported identity thefts before and after data breach laws went on the books. Looking at the complaints on a month-by-month basis, they didn't find any statistically significant effect, Romanosky said.
However, they found that other factors, such as the state's population, gross domestic product and fraud rate, did have a significant effect on identity theft rates.
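The kind of before-and-after comparison described above can be illustrated with a small worked example. The code below is an added illustration, not the Carnegie Mellon paper's code, data or exact model: it uses constructed monthly complaint counts for two hypothetical states ("A", which adopts a notification law at month index 12, and "B", which does not), normalises them by population, and computes a textbook difference-in-differences estimate plus a placebo check. It also shows why raw counts mislead: the larger state's complaints rise more in absolute terms, but per capita and net of the comparison state there is nothing attributable to the law.

```python
"""Before/after comparison of monthly identity-theft complaint rates around a
breach-notification law's effective date.

Added illustration with constructed data and a simple difference-in-differences
estimate. It is NOT the Carnegie Mellon paper's code, data or statistical model.
"""
from statistics import mean

MONTHS = 24
LAW_MONTH = 12  # constructed: state A's law takes effect at month index 12

# Constructed monthly complaint counts (not FTC data). Both states trend upward
# at a steady pace; state A has a larger population and so more raw complaints.
COUNTS = {
    "A": [100 + 2 * m for m in range(MONTHS)],  # treated: adopts the law
    "B": [40 + m for m in range(MONTHS)],       # comparison: no law in window
}
POPULATION = {"A": 5_000_000, "B": 2_000_000}  # constructed


def per_100k(counts, population):
    """Raw counts are confounded by population (the article's point about
    population and GDP); normalise to complaints per 100,000 residents."""
    return [c * 100_000 / population for c in counts]


def pre_post_change(series, break_month):
    """Mean of the series after the break month minus the mean before it."""
    return mean(series[break_month:]) - mean(series[:break_month])


def diff_in_diff(treated, control, break_month):
    """Change in the treated state net of the change seen in the control state
    over the same months, so a shared upward trend cancels out."""
    return pre_post_change(treated, break_month) - pre_post_change(control, break_month)


def naive_raw_change():
    """Raw before/after change in complaint counts for each state. State A's
    jump looks twice as large as B's, purely because A is bigger."""
    return (pre_post_change(COUNTS["A"], LAW_MONTH),
            pre_post_change(COUNTS["B"], LAW_MONTH))


def rate_did(break_month=LAW_MONTH):
    """Per-capita difference-in-differences estimate at a given break month."""
    a = per_100k(COUNTS["A"], POPULATION["A"])
    b = per_100k(COUNTS["B"], POPULATION["B"])
    return round(diff_in_diff(a, b, break_month), 6)


def placebo_share(observed, candidates=range(6, 19)):
    """Placebo check: recompute the estimate pretending the law took effect in
    other months. The fraction of placebo months whose estimate is at least as
    large in magnitude as the real one; a value near 1.0 means the true law
    month does not stand out, i.e. no evidence of an effect."""
    months = list(candidates)
    hits = sum(1 for k in months if abs(rate_did(k)) >= abs(observed))
    return hits / len(months)


if __name__ == "__main__":
    print("raw before/after change (A, B):", naive_raw_change())
    print("per-capita diff-in-diff at law month:", rate_did())
    print("share of placebo months at least as large:", placebo_share(rate_did()))
```

With these constructed series the raw comparison suggests complaints in state A rose by 24 per month against 12 in state B, while the per-capita estimate net of the control state is slightly negative and identical at every placebo month, which is exactly the "no discernible effect" picture the article describes. A real analysis would also need month and state fixed effects and a proper standard error, which this illustration omits.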
Because reports to the FTC are incomplete, it's hard to draw conclusions from the data, said Gartner analyst Avivah Litan. But she noted that while breach laws have made lost laptops front-page news, many companies have responded to tighter laws and regulations by focusing more on compliance than on security.
Often, that's not good enough to protect customers from ID theft, she said. "If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."
Romanosky admits that there may be problems in the methodology used by his team. And while he noted that the data, compiled from self-reported complaints, may not be perfect, the FTC database is the only source of this type of information.
In fact, there may be good reasons that explain why breach laws have not cut down on identity theft. Many consumers simply ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. "In so many of these cases, the breaches occur because of ridiculous security practices," he said.
Romanosky knows something about information security in the corporate world. Before deciding to pursue his Ph.D., he worked in the security groups of companies such as Morgan Stanley and eBay.
The researchers suggest a few next steps to better understand identity theft. The federal government should adopt a unified breach law in order to "reduce conflict between state laws and lower the barrier for compliance," they write in their paper.
Also, there should be standardized notification requirements so that victims learn pertinent information about the breach. Finally, they said that some kind of oversight committee should be set up as the definitive source of breach data, so that there is better information for consumers, policy makers, and researchers.
Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: the fraudsters are also getting better at what they do. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."
"The thieves are just getting better and there's more fraud," she said.
It has long been known that it is hard to link actual events of identity theft with known occasions of data breaches. With notable exceptions, matching up actual victims to actual data breaches just doesn't happen often. What consumers who read this should first understand is that there are different types of data breaches. These are distinguished by the nature of the data breach. Since the methodology of data theft is only marginally accounted for in notification laws and in data breach publicity, the study referred to above may be skewed based upon this factor.
Now, I haven't seen the report, and when it comes out maybe my points will be put to rest. Think about data breaches in terms of intent, since not all breaches are alike. The data breach laws pretty much say that if personal identifying information (PII) for which you are responsible is made available to an unauthorized party, notification is necessary to the party whose information was breached.
However, what happens to the information that was lost? What if the PII stolen was not the objective of the criminal act even though it was still exposed? A good example of this is a wallet or purse theft. The criminal wants cash, things, maybe a credit card, but has no interest in attempting to open accounts, work under or pose as the victim. PII is still lost and in the hands of an unauthorized individual, but identity theft is not likely to result (as opposed to a possible account takeover). An unaccounted-for occurrence is whether the pickpocket or purse snatcher realizes he holds a commodity and sells or trades the PII to someone who will try to use it to open fraudulent accounts. Maybe the second possessor of the PII transfers it yet again to another party. This chain could continue many times until the PII is used, maybe popping up across the country and being used for work by an undocumented worker. How is it possible to determine who each party was who transferred the data (each time a felony) and from where the information originated, if it were breach-related instead of originating with our fictitious pickpocket?
In any event, we began by introducing the idea of different types of breaches and how these different types of breaches can be used (at least initially) as predictors of identity theft based upon the intent of the perpetrator. A malicious hack of data, targeted directly at a server location where HR information is kept, should indicate a greater likelihood of identity crimes occurring than a simple stolen computer, which still carries more risk than a disk which goes missing in transit. Security and information officers in the victim organizations must decide how to handle each sort of event. For events that are less likely to result in fraud, should the organization do any more than notify the parties whose PII was exposed? In the event of the malicious hack, time is of the essence, and not only should notification occur swiftly but a program of ID theft prevention should be implemented, including plans for consumer identity restoration services for the actual victims of identity theft. Exposed PII does not make a consumer a victim of identity theft. PII used for criminal purposes makes a consumer a victim of ID theft.
Prior to notification laws, many organizations were convinced that the responsible thing to do was to notify the affected parties, either because it was the "right" thing to do, because it was the best move to protect business (vs. making no notification and having the breach subsequently discovered, resulting in bad PR), or out of the need to counter liability. All of these are legitimate reasons and do not exist exclusive of each other. How long should this responsibility continue? As pointed out above, it could be years before the stolen PII is used for criminal purposes. Does the effect of time and the fact that information is fluid change responsibility? Reasonably, the organization that was breached must have liability for a fixed period of time. But how, with the large number of breaches and the relative ease of stealing information in other ways, can one act of identity theft be related to a breached company, say, two years after the breach, without evidence of the source of the PII used in the crime? What if a consumer has been notified by multiple organizations of separate breaches? Is it left up to the consumer to decide which company has the biggest checkbook to approach with a liability claim? Clearly, some rules and precedents need to be set.
To conclude, as a reader who has made it this far will understand, the jury is out as to the worth of this research. But we will stand for now with reserved judgment, bred in benefit of the doubt, until the official release. Maybe it will afford me the opportunity to backtrack.