Saturday, July 07, 2007

Why the GAO report on Identity Theft might show that disclosure works!

I came across a thoughtful post about the recent GAO report on identity theft and data breaches written by Dissent, who blogs at the Chronicles of Dissent. This is a well-written analysis, and after reading it, I was inspired to think a few things through.

In Dissent's own words:


The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737 (pdf)] was released today.

Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.

Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.


Of note, Dissent is affiliated with PogoWasRight.org, which is affiliated with Attrition.org, one of the sources tracking the never-ending saga of data breaches.

I'm going to link to the full article, which I think is a valuable read for anyone interested in this subject. Then I will give my personal opinion.

Chronicles of Dissent post, here.

Identity theft seems to be a growing problem, at least whenever anyone takes the time to track the statistics. If this is true, then why would known data breaches result in very few cases of identity theft?

The answer is simple: once a data breach is exposed, the stolen information isn't as easy to use!

When a data breach becomes known, the people whose data was compromised normally take a lot of measures to protect their information. In fact, an entire industry (identity theft protection services) has sprung up to automate the process. This makes the information harder, and probably a lot more dangerous, to use.

Everyone involved in studying this admits there are a lot of compromises no one knows about. These unknown compromises are probably where most of the information being used to steal identities is coming from. After all, the criminals don't want to waste their time on information that won't work, or even worse, put themselves at risk of getting caught.

One of the reasons the problem is growing is that not many of the criminals are getting caught (my opinion).

At best, once a breach is known, a criminal is going to have to hold on to the information for later use, after people and organizations have let their guard down.

Perhaps, these highly publicized data breaches have stopped the information from being used? If this is the case, it's certainly a good argument for mandatory notification.

In closing, our personal information has been put in too many places that don't seem to be protected very well. The reason for this is pretty simple, too: there is a tremendous amount of money being made from selling it to market products.

As long as our information is being used for a profit and isn't being protected properly, it's only fair that those profiting should be held liable for all the notifications and clean-up.

Of course, I'm also in favor of going after the people compromising the information with a little more gusto. Since this costs money, I have no doubt about who should be helping to pay for that, too.

*Update to article 7/10/07 - Dissent owns PogoWasRight and is no longer affiliated with Attrition.org. He was kind enough to add a comment, which can be viewed at the bottom of this post, here.

No one can ever be certain of anything until things become more transparent. This is why I often add that some of my thoughts are purely opinion, based on my observations of this phenomenon. I am always open to considering all points of view, and in fact, learn a lot by doing so.


1 comment:

Dissent said...

Thanks for the kind words about my blog entry. In the interests of full disclosure:

1. I am more than "affiliated" with PogoWasRight.org. I own the site. :)

2. I am no longer affiliated with Attrition.org in any way. They continue to maintain their resources on larger-scale data losses, while PogoWasRight.org continues to report both large incidents and lots of smaller ones that you will not find on their site.

As to your comment that perhaps disclosure accounts for stolen or compromised PII not being used or misused: I wish it were so, but given the often long lag between incident and detection, or between incident and exposure or notification, I doubt that disclosure really explains most cases where compromised data have not been used.

If detection and disclosure were quick, it could serve a protective function, but that's unlikely to happen because even if a breach is detected immediately, law enforcement may want things kept quiet while they investigate.

That said, if we really want to understand what's going on, then we need more data and more transparency, not less, and any attempt to use a risk-based criterion seems premature and counterproductive to greater understanding.