Researchers say notification laws not lowering ID theft

Current Job Listings

Over the past five years, 43 U.S. states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission (FTC).

"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D. student at Carnegie Mellon and one of the paper's authors.

Romanosky's team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California's SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. The paper is set to be presented at a conference on information security economics at Dartmouth College later this month.

Since 1999, the FTC has invited identity theft victims to log information about their cases on its Web site. The data is then made accessible to law enforcement, which uses it to help analyze crime trends. A lot of people complain, but it represents only a subsection of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year.

The FTC doesn't break down identity theft complaints on a state-by-state basis. However, the Carnegie Mellon researchers were able to access to this information using a Freedom of Information Act request. This allowed them to see whether or not there was a change in the rate of reported identity thefts before and after data breach laws went on the books. Looking at the complaints on a month-by-month basis, they didn't find any statistically significant effect, Romanosky said.

However, they found that other factors, such as the state's population, gross domestic product and fraud rate, did have a significant effect on identity theft rates.

Because reports to the FTC are incomplete, it's hard to draw conclusions from the data, said Gartner Inc. analyst Avivah Litan. But she noted that while breach laws have made lost laptops front-page news, many companies have responded to tighter laws and regulations by focusing more on compliance than on security.

Often, that's not good enough to protect customers from ID theft, she said. "If you just meet the letter of the law, you may pass an audit, but you have to pass the spirit of the law," Litan said.

Romanosky acknowledged that there may be problems in the methodology used by his team. And he noted that while the data -- compiled from self-reported complaints -- may not be perfect, the FTC database is the only source of this type of information.

In fact, there may be good reasons why breach laws have not cut down on identity theft. Many consumers simply ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. "In so many of these cases, the breaches occur because of ridiculous security practices," he said.

Romanosky knows something about information security in the corporate world. Before deciding to pursue his Ph.D., he worked in the security groups of companies such as Morgan Stanley and eBay.

The researchers suggested some steps to better understand identity theft. The federal government should adopt a unified breach law in order to "reduce conflict between states laws and lower the barrier for compliance," they wrote in their paper.

Also, there should be standardized notification requirements so that victims learn pertinent information about the breach, they said. Finally, the researchers noted that some kind of oversight committee should be set up as the definitive source of breach data, so that there is better information for consumers, policymakers and researchers.

Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are getting better at what they do. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years.

"The thieves are just getting better, and there's more fraud," she said.

How collaboration apps foster digital transformation
Shop Tech Products at Amazon