Link Between Data Breaches And ID Theft Unclear, GAO Reports

Even if someone is the victim of identity theft, it's difficult to figure out how that person's sensitive personal information fell into the wrong hands, the agency said.

Larry Greenemeier, Contributor

July 6, 2007

Data breaches have become a sad fact of life for any organization that uses, stores, or trades in digital information. But a Government Accountability Office report issued Thursday indicates that, while the amount of information lost or stolen is disturbing, it's very difficult to prove that these breaches often lead to identity theft.

In fact, the GAO examined the 24 largest -- in terms of number of records compromised -- data breaches reported in the news from January 2000 through June 2005, as well as five breaches that involved federal agencies, but found that the extent to which data breaches resulted in identity theft is not well known. Even if someone is the victim of identity theft, it's difficult to figure out how that person's sensitive personal information fell into the wrong hands.

Of the 24 breaches GAO studied, three included evidence of resulting fraud on existing accounts, while only one included evidence of unauthorized creation of new accounts. The agency could not find clear evidence of any link to identity theft for 18 of the breaches, and information about the remaining two breaches was inconclusive.

This may come as small consolation to the 2.3 million customers of Fidelity National, an arm of Fidelity National Information Services, whose bank account and credit card information may have been stolen. A former senior-level database administrator was fired for taking and selling the information to several direct marketing companies. Fidelity made this announcement earlier in the week, just before the July 4 holiday.

This low ratio of identity theft to stolen personal data could be explained in any number of ways, according to the GAO. Identity theft victims often don't know how their personal information was obtained. In addition, law enforcement officials told the agency that in some cases, stolen data may be held for a year or more before being used to commit identity theft. Add to this the fact that issues of privacy and confidentiality make it difficult for organizations to conduct comprehensive studies of data breaches and identity theft.

While the correlation between data breaches and identity theft is unclear, there's no mistaking that data breaches are a growing problem. More than 570 data breaches were reported in the news media from January 2005 through December 2006, and often the incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities, the GAO found.

Law enforcement is feeling the strain. The FBI's Cyber Division told the GAO that it's currently working on more than 1,300 pending cases of computer or network intrusions where data breaches resulted from unauthorized electronic access to computer systems, such as hackings, at public and private organizations. The Secret Service in 2006 alone opened 327 cases involving network intrusions or data breaches, specifically where financial information was lost or stolen.

Legislators have been working at the state level to protect citizens from identity theft resulting from a data breach. As of April, at least 36 states had enacted some form of law requiring that affected individuals be notified in the event of a data breach; California's law, enacted in 2002, was the first such state requirement. There is no federal law that specifically addresses breach notification.
