On July 5, 2007, the General Accountability Office (“GAO”) released an important report regarding data breaches and incidences of identity theft in response to a request by members of the House of Representatives.[1] The primary findings that emerged from this study are described below.
A. Instances of Breaches Leading to Identity Theft Are Limited[2]—The GAO reported that 572 data breaches occurred in the U.S. between January 2005 and December 2006, affecting more than 80 million records.[3] Despite this prevalence of breaches, the GAO found that “most breaches have not resulted in detected incidents of identity theft.”[4] These findings were supported by an analysis of the 24 largest data breaches reported in the news media from January 2000 through June 2005.[5] The GAO reported that of these 24 breaches, only three are believed to have led to detectable fraud on existing accounts and one led to an unauthorized creation of a new account.[6] However, for 18 of the breaches “no clear evidence had been uncovered linking them to identity theft,” and for the remaining two cases, there was not sufficient evidence to make a determination.[7]
B. A Risk-Based Trigger Would Avoid Overnotification and Unnecessary Costs—The GAO stated that “the frequency of data breaches identified in this report underscores the need for entities in the public and private sectors to improve the security of sensitive personal information and further corroborates that additional federal action may be needed in this area.”[8] Although the GAO made no legislative recommendations in its report, it did support tying a data breach notification “trigger” to a significant risk of identity theft to “avoid undue burden on organizations and unnecessary and counterproductive notifications to consumers.”[9] The GAO stated that such an approach, which was recommended by the President’s Identity Theft Task Force in April 2007, may prevent businesses from notifying “consumers about minor or insignificant breaches … [that] could eventually lead to overnotification and cause consumers to spend time and money taking proactive steps that are not necessary or, alternatively, to ignore notices when action is warranted.”[10]
C. A National Notification Requirement May Be Beneficial—The GAO suggested that a national notification requirement might be beneficial to both consumers and entities in possession of sensitive personal data. The GAO found evidence that entities would have an incentive to improve data security practices to “minimize legal liability or avoid public relations risks that may result from a publicized breach of customer data.”[11] The GAO also reported that a national standard could assist customers in mitigating potential risks of identity theft by proactively monitoring credit card statements, reviewing credit reports, or placing a fraud alert on credit files. The GAO suggested that a comprehensive national standard should address the challenges entities face in complying with state notification requirements. These challenges include the following:
- Interpreting Ambiguous Provisions—State laws are unclear as to when notice of a data breach must be provided, particularly when dealing with a notification requirement triggered when the misuse of breached information is “reasonably possible” (e.g., when little information exists regarding criminal intent of the data thief or effectiveness of security measures to render data inaccessible).
- Addressing Who Is Responsible—Current state notification requirements do not clearly delineate who is responsible for providing notice to affected customers or bearing the costs of such notice. This issue is particularly troublesome where the data breach implicates third parties, such as service providers for banks that are not subject to banking regulators’ guidance requiring notice.
- Developing Clear and Effective Notification Letters—Entities require guidance regarding how to provide clear and informative notice that is distinguishable from other mail.
- Notification Requirements Impose a Burdensome Cost—The GAO reviewed a survey that estimated the average cost incurred per breach to provide notice, call center support, account management, and legal services to be $1.4 million.[12] A company will spend, on average, $54 per record breached.[13]
- Complying with Multiple State Laws—Entities have expressed concern about complying with differing state requirements.
- Identifying Affected Customers—Entities have difficulty identifying customers actually affected by a breach, especially when the data accessed includes a large number of records.
- Locating Affected Customers—Entities find it difficult to locate contact information for affected customers.