Posted by Benny on July 23, 2007 – 7:01 pm - 910 views
“Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown…” This is what the United States Government Accountability Office (GAO) says in a report to Congressional Requesters.
Why GAO Did This Study
As a result of advances in computer technology and electronic storage, in recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information. These breaches have raised concerns in part because they can result in identity theft—either account fraud (such as misuse of credit card numbers) or unauthorized creation of new accounts (such as opening a credit card in someone else’s name). Many states have enacted laws requiring entities that experience breaches to notify affected individuals, and Congress is considering legislation that would establish a national breach notification requirement. Policymakers, consumer advocates, and others have raised concerns that data breaches can contribute to identity theft, in which an individual’s sensitive personal information is used fraudulently. The Federal Trade Commission (FTC), which is responsible for taking complaints from victims and sharing them with law enforcement agencies, has noted that identity theft is a serious problem—millions of Americans are affected each year, and victims may face substantial costs and time to repair the damage to their good name and credit record.
Although there is no commonly agreed-upon definition, the term “data breach” generally refers to an organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers (SSN) or financial information such as credit card numbers. Data breaches can take many forms and do not necessarily lead to identity theft. The term “identity theft” is broad and encompasses many types of criminal activities, including fraud on existing accounts—such as unauthorized use of a stolen credit card number—or fraudulent creation of new accounts—such as using stolen data to open a credit card account in someone else’s name. Depending on the type of information compromised and how it is misused, identity theft victims can face a range of potential harm, from the inconvenience of having a credit card reissued to substantial financial losses and damaged credit ratings.
Beginning with California in 2002, at least 36 states have enacted breach notification laws—that is, laws that require certain entities that experience a data breach to notify individuals whose personal information was lost or stolen. There is no federal statute that requires most companies or other entities to notify affected individuals of data breaches, although federal banking regulatory agencies have issued guidance on breach notification to the banks, thrifts, and credit unions they supervise. In addition, the Office of Management and Budget has issued guidance—developed by the President’s Identity Theft Task Force—on responding to data breaches at federal agencies. Because a number of bills have been introduced in Congress that would establish a national breach notification requirement, Congress asked GAO to review the costs and benefits of such a requirement and the link between data breaches and identity theft.
GAO was asked to examine (1) the incidence and circumstances of breaches of sensitive personal information; (2) the extent to which such breaches have resulted in identity theft; and (3) the potential benefits, costs, and challenges associated with breach notification requirements. To address these objectives, GAO reviewed available reports on data breaches, analyzed 24 large data breaches, and gathered information from federal and state government agencies, researchers, consumer advocates, and others.
This report focuses on breaches of sensitive personal data that can be used to commit identity theft, and not on breaches of other sensitive data, such as medical records or proprietary business information. To address the first two objectives, GAO obtained and analyzed information on data breaches that have been reported in the media and aggregated by three private research and advocacy organizations, as well as information on breaches collected by state agencies in New York and North Carolina, federal banking regulators, and federal law enforcement agencies. GAO also collected information on breaches experienced by federal agencies compiled by the House Government Reform Committee in 2006 and by the Department of Homeland Security (DHS). In addition, GAO conducted a literature search of relevant articles, reports, and studies. GAO also conducted interviews with, and obtained documents from, representatives of federal agencies, including the FTC, the Department of Justice, DHS, and the federal banking regulatory agencies; selected state government agencies and the National Association of Attorneys General; private and nonprofit research organizations; and consumer protection and privacy advocacy groups. Further, we obtained information from industry and trade associations representing key sectors—including financial services, retail sales, higher education, health care, and information services—that have experienced data breaches. In addition, for the second objective, we examined the 24 largest (in terms of number of records breached) data breaches reported by the news media from January 2000 through June 2005 and tracked by private groups. For each of these breaches, GAO reviewed media reports and other publicly available information, and conducted interviews, where possible, with representatives of the entities that experienced the breaches, in an attempt to identify any known instances of identity theft that resulted from the breaches. 
GAO also examined five breaches that involved federal agencies, which were selected because they represented a variety of different circumstances. For the third objective, GAO reviewed the federal banking regulatory agencies’ proposed and final guidance related to breach notification, and interviewed representatives of each agency regarding their consideration of potential costs, benefits, and challenges during development of the guidance. Further, GAO reviewed the strategic plan and other documents issued by the President’s Identity Theft Task Force. In addition, GAO conducted a review of the effects of California’s breach notification law, which included interviewing and gathering information from California state officials and selected California companies, educational institutions, and other entities subject to the law’s notification requirements.