December 6, 2007 4:00 AM PST
Perspective: A call for rational discourse on identity theft
The reduction in the FTC's estimates is truly astounding. The FTC now says identity theft affects 8.3 million American adults annually as opposed to 9.9 million in 2003. The estimated annual loss from identity theft has declined to $15.6 billion from the $47.6 billion in the earlier survey. In a nutshell, the FTC sees the problem as one third the size it estimated in 2003.
It is ironic, then, that in the years since this study was first released, the outcry over identity theft and data breaches has only increased. Since 2005 alone, one privacy group has counted more than 216 million data records of U.S. residents that have been exposed to data breaches. And numerous research reports corroborate the high, and ever-rising, data breach costs incurred by organizations.
ID Analytics recently explored the actual risks posed by data breaches by examining more than a dozen breaches spanning 10 million consumer identities. Our findings were consistent with the FTC's in that we found no indication that data breaches have caused a spike in new account identity fraud.
What else did we learn? Very few identities were misused following a data breach. Even in the most egregious breaches, the rate of misuse was never higher than 0.5 percent. And in breaches with more than 100,000 identities--the ones that get major press--less than 0.01 percent (1 in 10,000 identities) experienced identity fraud.
Given the national obsession with data breaches, the FTC's announcement of a decline in identity theft came as a surprise to many. But it only confirms what we've learned: that many data breaches are accidental (tapes that get lost in delivery) or incidental (thieves are only after the computer hardware they steal, not the data within) and pose modest risk. Even where the intent of a breach appears to be the targeting of personal information, thieves face resource constraints on how they are able to use the data.
In the future, of course, this may change. For the time being, however, the FTC research should be considered a call for rational discourse on identity theft. Data breaches should be seen as one of a continuum of identity risks--not a cause for panic, but rather a trigger for preparation and action, where corporate resources can be focused on actual risk.
The latest research by the Ponemon Institute indicates that the average cost of a data breach to an organization is $6.3 million, or about $197 per lost or stolen data record. Ultimately, when organizations pay these ever-increasing costs of notification, we all end up victimized--particularly as fewer resources are available for other fraud-fighting efforts.
Let's refocus efforts where they are most needed: enhancing internal security, evaluating the actual harm caused by a breach, establishing efficient identity authentication, providing effective identity monitoring, and most importantly, assisting those victims of identity theft.
Biography
Thomas Oscherwitz is vice president of government affairs and chief privacy officer of ID Analytics, an identity risk management company in San Diego. From 1999 to 2004, he was counsel to Sen. Dianne Feinstein, D-Calif., and represented her on the Senate Judiciary subcommittee on terrorism, technology and homeland security.
7 comments
willing to go here to and fore with cookies and unfiltered
downloading of code that might as well be poison ... you're
surprised by the lack of interest in rational discourse?
the lowest common denominator is the cost of bandwidth to
support lots of useless on-line content ... and in many cases
that bandwidth is us ...
privacy is just another word for nothing left to lose (to
paraphrase)
Of course, they are looking at this only from the perspective of lost/stolen data in data-processing sense. They aren't including the losses and hassles from stolen identities caused by illegal aliens getting your ID and using it, possibly for years, to fly under the radar of the Social Security Administration, Immigration, and state/local governments. (You might not find out until you go to retire, and then suddenly your account is "not quite right.")
LOL
Identity theft is going down because it is ignored by law enforcement and the FTC.
That said... If I were truly interested in using such info, I would wait a while until the feds laxed their stance. Whether that would take a few months, a year or more, or whatever... you would have to ask the actual pros who do this for a living on that.
How long accounts of people who have had their information stolen is unknown to me, but known to both those who watch it and those who try to evade their system.
That said... who's to say that records hijacked back in 2005 are not being exploited today? Do they really follow that long?
As for the numbers reported... (* LOL *)
Sounds to me like somebody flunked out in their math class! (* CHUCKLE *)
Walt