December 6, 2007 4:00 AM PST
Perspective: A call for rational discourse on identity theft
The reduction in the FTC's estimates is truly astounding. The FTC now says identity theft affects 8.3 million American adults annually as opposed to 9.9 million in 2003. The estimated annual loss from identity theft has declined to $15.6 billion from the $47.6 billion in the earlier survey. In a nutshell, the FTC sees the problem as one third the size it estimated in 2003.
It is ironic, then, that in the years since this study was first released, the outcry over identity theft and data breaches has only increased. Since 2005 alone, one privacy group has counted more than 216 million data records of U.S. residents that have been exposed to data breaches. And numerous research reports corroborate the high, and ever-rising, data breach costs incurred by organizations.
ID Analytics recently explored the actual risks posed by data breaches by examining more than a dozen breaches spanning 10 million consumer identities. Our findings were consistent with the FTC's in that we found no indication that data breaches have caused a spike in new account identity fraud.
What else did we learn? Very few identities were misused following a data breach. Even in the most egregious breaches, the rate of misuse was never higher than 0.5 percent. And in breaches with more than 100,000 identities--the ones that get major press--less than 0.01 percent (1 in 10,000 identities) experienced identity fraud.
Given the national obsession with data breaches, the FTC's announcement of a decline in identity theft came as a surprise to many. But it only confirms what we've learned: that many data breaches are accidental (tapes that get lost in delivery) or incidental (thieves are only after the computer hardware they steal, not the data within) and pose modest risk. Even where the intent of a breach appears to be the targeting of personal information, thieves face resource constraints on how they are able to use the data.
In the future, of course, this may change. For the time being, however, the FTC research should be considered a call for rational discourse on identity theft. Data breaches should be seen as one of a continuum of identity risks--not a cause for panic, but rather a trigger for preparation and action, where corporate resources can be focused on actual risk.
The latest research by the Ponemon Institute indicates that the average cost of a data breach to an organization is $6.3 million, or about $197 per lost or stolen data record. Ultimately, when organizations pay these ever-increasing costs of notification, we all end up victimized--particularly as fewer resources are available for other fraud-fighting efforts.
Let's refocus efforts where they are most needed: enhancing internal security, evaluating the actual harm caused by a breach, establishing efficient identity authentication, providing effective identity monitoring, and most importantly, assisting those victims of identity theft.
Thomas Oscherwitz is vice president of government affairs and chief privacy officer of ID Analytics, an identity risk management company in San Diego. From 1999 to 2004, he was counsel to Sen. Dianne Feinstein, D-Calif., and represented her on the Senate Judiciary subcommittee on terrorism, technology and homeland security.