December 6, 2007 4:00 AM PST

Perspective: A call for rational discourse on identity theft

The Federal Trade Commission last week announced the long-awaited follow-up to its 2003 Identity Theft Survey Report. The 100-page report boils down to one extraordinary finding: identity theft occurs far less today than reported in 2003, both in numbers of people affected and amount of goods stolen.

The reduction in the FTC's estimates is truly astounding. The FTC now says identity theft affects 8.3 million American adults annually as opposed to 9.9 million in 2003. The estimated annual loss from identity theft has declined to $15.6 billion from the $47.6 billion in the earlier survey. In a nutshell, the FTC sees the problem as one third the size it estimated in 2003.

It is ironic, then, that in the years since this study was first released, the outcry over identity theft and data breaches has only increased. Since 2005 alone, one privacy group has counted more than 216 million data records of U.S. residents that have been exposed to data breaches. And numerous research reports corroborate the high, and ever-rising, data breach costs incurred by organizations.

ID Analytics recently explored the actual risks posed by data breaches by examining more than a dozen breaches spanning 10 million consumer identities. Our findings were consistent with the FTC's in that we found no indication that data breaches have caused a spike in new account identity fraud.

What else did we learn? Very few identities were misused following a data breach. Even in the most egregious breaches, the rate of misuse was never higher than 0.5 percent. And in breaches with more than 100,000 identities--the ones that get major press--less than 0.01 percent (1 in 10,000 identities) experienced identity fraud.

Given the national obsession with data breaches, the FTC's announcement of a decline in identity theft came as a surprise to many. But it only confirms what we've learned: that many data breaches are accidental (tapes that get lost in delivery) or incidental (thieves are only after the computer hardware they steal, not the data within) and pose modest risk. Even where the intent of a breach appears to be the targeting of personal information, thieves face resource constraints on how they are able to use the data.

In the future, of course, this may change. For the time being, however, the FTC research should be considered a call for rational discourse on identity theft. Data breaches should be seen as one of a continuum of identity risks--not a cause for panic, but rather a trigger for preparation and action, where corporate resources can be focused on actual risk.

The latest research by the Ponemon Institute indicates that the average cost of a data breach to an organization is $6.3 million, or about $197 per lost or stolen data record. Ultimately, when organizations pay these ever-increasing costs of notification, we all end up victimized--particularly as fewer resources are available for other fraud-fighting efforts.

Let's refocus efforts where they are most needed: enhancing internal security, evaluating the actual harm caused by a breach, establishing efficient identity authentication, providing effective identity monitoring, and most importantly, assisting those victims of identity theft.

Biography
Thomas Oscherwitz is vice president of government affairs and chief privacy officer of ID Analytics, an identity risk management company in San Diego. From 1999 to 2004, he was counsel to Sen. Dianne Feinstein, D-Calif., and represented her on the Senate Judiciary subcommittee on terrorism, technology and homeland security.

7 comments
so what? identity theft = positional piracy
by digitalshaman December 6, 2007 7:15 AM PST
... let's see ... where to start ... uhhh ... so what? if people are
willing to go here to and fore with cookies and unfiltered
downloading of code that might as well be poison ... you're
surprised by the lack of interest in rational discourse?

the lowest common denominator is the cost of bandwidth to
support lots of useless on-line content ... and in many cases
that bandwidth is us ...

privacy is just another word for nothing left to lose (to
paraphrase)
My loss vs. your risk
by zanely December 6, 2007 7:45 AM PST
As long as organizations view the theft of consumer information that has been entrusted to them as a risk that they can take if they choose to bear the recovery cost, we will continue to see cases of negligent handling of our personal information by careless firms. If there were criminal sanctions in place for failing to secure and safeguard sensitive consumer information, there would be very little identity theft due to report.
Microsoft is doomed
by Mproject December 6, 2007 6:42 PM PST
This is the end of Microsoft.
Identity theft is ignored
by jasonganson December 7, 2007 12:46 PM PST
The government claims of identity theft going down is because they ignore use of different social security numbers. Case in point, one of many in South Dakota. One person has 31 different social security numbers, no arrest, no prosecution. Annie White of the Social Security Administration says that this is under investigation 2 years ago, still no action. Google southdakotagov for court documents that this person has used different social security numbers to pass no account checks without fear of prosecution, open credit accounts, get loans and not have to pay it back.

Identity theft is going down because it is ignored by law enforcement and the FTC.
Who can say for sure?
by wbenton December 24, 2007 5:39 AM PST
If I had just stolen a 150 million database of personal user information, I would be afraid to use that stolen information right away as it could lead the authorities to my doorstep.

That said... If I were truly interested in using such info, I would wait a while until the feds laxed their stance. Whether that would take a few months, a year or more, or whatever... you would have to ask the actual pros who do this for a living on that.

How long accounts of people who have had their information stolen is unknown to me, but known to both those who watch it and those who try to evade their system.

That said... who's to say that records hijacked back in 2005 are not being exploited today? Do they really follow that long?

As for the numbers reported... (* LOL *)

Sounds to me like somebody flunked out in their math class! (* CHUCKLE *)

Walt