Government Data Breach Study

The Government Accountability Office (GAO) released a report last week on data breaches and resulting identity theft.

The GAO was asked to investigate the incidence of data breaches, the extent to which those breaches resulted in identity theft, and the potential costs & benefits associated with breach notification. This information will be used by Congress to help determine the outcome of National breach notification legislature.

The GAO studied the impact of the 24 largest data breaches from 2000 to 2005. The audit found that breaches of sensitive personal information have occurred frequently – 570 cases being reported between 2005 and 2006.

The audit states that it was hard determine if identity theft had resulted from a data breach, but that 4 of the 24 breaches investigated did lead to identity theft. In most cases, data breached is more likely to result in fraudulent use of bank or credit card information rather than the creation of new accounts (identity theft).

The report indicates that while National data breach notification could strengthen security practices and mitigate the outcome of a breach, it does come with its own costs and challenges. The circumstances of a breach (type of information breached and how it occurred) can greatly affect the potential risk of identity theft. Therefore, the GOA recommends that, should Congress adopt a Federal notification requirement, it should use a risk-based standard that requires notification only in cases where the level or risk warrants such action.

Via Lisa Hoffman Tags: government accountability office, gao, data breach, identity theft, legislature, breach legislature, data breach law, notification, breach notification