In the wake of the many high-profile data breaches, lost laptops, and other exposures of personal information, the conventional wisdom has been to pass laws governing how data is controlled, with an emphasis on security and on notifying affected individuals that their data has been compromised.
But a new research report claims that data breach disclosure laws have no measurable effect on cases of identity theft, due to the many factors that hinder accurate reporting of cases of identity theft and connecting them to known breaches.
A research team at Carnegie Mellon University used data on identity theft supplied by the Federal Trade Commission (FTC) and performed analyses of states that had passed legislation governing data breaches from 2002 to 2006.
According to the researchers, "We [found] no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce."
"The lack of a significant negative effect may be due to breaches accounting for a small enough percentage of total identity thefts, dwarfing any actual crime reduction by more common causes such as lost or stolen wallet," the researchers said. "Quality of data and the possibility of reporting bias also make proper identification difficult."
In other words, there is so much identity theft from other sources that data breaches pale in comparison.
Consumer advocates noted that this is like saying that the theft of Aston Martins is insignificant because so many more Hondas are stolen.
"That's not much comfort if it's your Aston Martin. Or your identity," one observer noted.
The FTC's identity theft clearinghouse does not present a full picture of the identity theft problem, as the data comes from voluntarily submitted complaints that may be inaccurate. According to the FTC's most recent report, of the 813,899 fraud-related complaints it received in 2007, 258,427 complaints, or 32 percent, were identity theft-related.
An official survey released in 2007 by the FTC found that 8.3 million Americans claimed to be victims of identity theft or related crimes.
The FTC does not publicly release the data on a state-by-state basis, but the research team was able to get state-level data through a Freedom of Information Act (FOIA) request. The team noted that the reliance on FTC data may harm their ultimate conclusions.
The research team argued in support of privacy researcher Chris Hoofnagle's assertion that current identity theft and breach data was too anecdotal and limited, and that institutions that suffer data breaches should release their fraud and security data, in order to provide more accurate reporting and give consumers more power in the marketplace.
The team also noted that consumers affected by breaches may not be doing enough to protect themselves or their information, and that companies may comply with breach laws, but do not exert enough serious effort to improve security procedures.
The report also supports industry assertions that corporate data breaches, such as outside attacks or lost laptops, may not be as large a contributor to identity theft as other forms of theft.
The researchers recommended a federal-level law governing data breach notifications and a common disclosure form that all institutions can use in order to reduce costs and increase consumers' reporting of any effects from a data breach.
Consumer advocates have opposed many federal data breach notification laws, on grounds that they preempt stronger state laws and replace them with weaker, industry-friendly notification rules that provide little benefit to consumers.