GAO Releases Report on Data Breaches and ID Theft

July 5, 2007. The Government Accountability Office (GAO) released a report [50 pages in PDF] titled "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown". It finds that data breaches are common, but that "most breaches have not resulted in detected incidents of identity theft".

Pending Legislation. There is no federal statute of general applicability that either mandates notification of data breaches, or preempts state statutes of the same nature. However, numerous bills have been introduced in the House and Senate. Bills pending in the current 110th Congress include the following:

However, while there is no statute of general applicability, the GAO report notes that "federal banking regulatory agencies have issued guidance on breach notification to the banks, thrifts, and credit unions they supervise. In addition, the Office of Management and Budget has issued guidance -- developed by the Presidentís Identity Theft Task Force -- on responding to data breaches at federal agencies." (Footnote omitted.)

On April 30, 2007, the GAO released a report [PDF] titled "Privacy: Lessons Learned about Data Breach Notification". It pertains to loss of data by government agencies, such as the Veterans Administration's loss of a computer laptop containing personally identifiable information on approximately 26.5 Million veterans and active duty members. That report stated that "existing laws generally do not require agencies to notify affected individuals of data breaches". See also, story titled "GAO Report Addresses Data Breaches at Government Agencies" in TLJ Daily E-Mail Alert No. 1,572, May 1, 2007.

GAO Report. The just released report states that "As a result of advances in computer technology and electronic storage, many different sectors and entities now maintain electronic records containing vast amounts of personal information on virtually all American consumers. In recent years, a number of entities -- including financial service firms, retailers, universities, and government agencies -- have collectively reported the loss or theft of large amounts of sensitive personal information."

It continues that "Beginning with California in 2002, at least 36 states have enacted breach notification laws -- that is, laws that require certain entities that experience a data breach to notify individuals whose personal information was lost or stolen."

The report finds that "available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances. For example, more than 570 data breaches have been reported in the news media from January 2005 through December 2006, according to our analysis of lists maintained by three private organizations that track such breaches. Further, a House Government Reform Committee survey of federal agencies identified more than 788 data breaches at 17 agencies from January 2003 through July 2006. Of the roughly 17,000 federally supervised banks, thrifts, and credit unions, several hundred have reported data breaches to their federal regulators over the past 2 years."

It adds that "officials in New York State -- which requires public and private entities to report data breaches to a centralized source -- reported receiving notice of 225 breaches from December 7, 2005, through October 5, 2006. Data breaches have occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities."

The report also finds that "The extent to which data breaches result in identity theft is not well known, in large part because it can be difficult to determine the source of the data used to commit identity theft", but that "most breaches have not resulted in detected incidents of identity theft".

The GAO examined "the 24 largest breaches that appeared in the news media from January 2000 through June 2005". It found that "3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination."

The report also addresses consumer notification, which is the subject of pending bills. The report states that "Requiring consumer notification of data breaches may encourage better data security practices and help deter or mitigate harm from identity theft, but it also involves monetary costs and challenges such as determining an appropriate notification standard."

"Representatives of federal banking regulators, other government agencies, industry associations, and other affected parties told us that breach notification requirements have encouraged companies and other entities to improve their data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach of customer data."

The report adds that "notifying affected consumers of a breach gives them the opportunity to mitigate potential risk -- for example, by reviewing their credit card statements and credit reports, or placing a fraud alert on their credit files."