VIEWPOINT-Data Breaches and Identity Theft: Trends, Misperceptions and Opportunities
The year 2006 will be remembered as "The Year of the Breach" by many privacy professionals. The theft of a laptop from the home of a Veterans Administration employee, which appeared to put millions of veterans at risk of identity theft, galvanized the news media. The Federal Trade Commission's (FTC) stunning $10 million fine against ChoicePoint for failing to adequately secure consumers' sensitive data also garnered its share of the 2006 media spotlight - as did the HP pretexting scandal stemming from the botched board room leak probe.
Last month, the public learned the details of data breaches at TJX, the parent company of T.J. Maxx, Marshalls and other stores. As intrusions continue to plague colleges and universities, healthcare companies and other businesses this early in the year, 2007 does not hold much promise for a reversal in the string of data breaches, which now, sadly, seem commonplace.
The 110th Congress is paying special attention to data breaches, an area that U.S. Rep. Barney Frank, D-Mass., the new chairman of the House Financial Services Committee, has identified as an important consumer protection issue. As federal and state policymakers consider legislation, it is important to communicate what we know about the link between data breaches and actual cases of identity theft.
The Identity Theft Assistance Center, or ITAC, has processed thousands of verified cases of identity theft since 2004. ITAC, an initiative of The Financial Services Roundtable, is funded by its member companies to provide free victim assistance to customers and to detect and prevent fraud. ITAC has landmark data sharing agreements with the FTC, U.S. Postal Inspection Service and regional agencies, to help law enforcement catch and convict criminals. The public/private ITAC model is currently under consideration for implementation in the United Kingdom.
Because ITAC deals in verified cases of identity theft (which we define as fraudulent new accounts and account takeovers, as opposed to transactional fraud, such as illegal use of a credit card), we are in a unique position to pinpoint the causes of identity theft. We have been able to draw some conclusions about these linkages based on our own data as well as data from other sources. To assess the current state of knowledge - and to share best practices on data breaches - ITAC recently brought together leaders from business, government, law enforcement and the legal and crisis communications communities at a forum, "Data Breaches: Preparation, Communication and Response."
We asked forum participants to help separate the myths from the realities about data breaches; how to plan, communicate and manage a breach; provide an overview of the regulatory, legislative and legal landscapes; and how to work effectively with law enforcement. What follows are some of our findings:
Statistically, few cases of identity theft result from data breaches.
As can be expected, deliberate breaches, such as the hacking of a company's information systems, result in more cases of identity theft than less-targeted breaches, such as the theft of a laptop. ITAC recently surveyed 201 victims of identity theft who used ITAC's victim assistance service. Ninety-six respondents (47 percent) knew the source of their identity theft. Of those 96, only four respondents (4.21 percent) indicated the crime was a result of a data breach.
The potential for identity theft depends on the nature of the data compromised.
The risk associated with a data breach varies widely. Accessing the information contained on a card's magnetic stripe is like hitting the jackpot for fraudsters, whereas obtaining just account numbers is a losing ticket. As a result, companies are segregating "high value" data in order to prevent thieves from acquiring sufficient data to perpetrate identity theft, or eliminating the storage of certain data altogether.
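The segregation and "don't store it at all" practice described above, as an added example that is not ITAC's or any forum participant's code. It assumes card records arrive as a dictionary with hypothetical field names (pan, track2, cvv, expiry, name) and that a tokenization key is available; the key and the card number below are constructed test values.

```python
"""Data minimization at ingestion: keep a keyed token and the last four digits,
refuse anything carrying stripe data or CVV (added example, assumed field names)."""
import hashlib
import hmac
import re

# Field names that must never reach persistent storage. Assumption: our own
# naming; the article only speaks of magnetic stripe data and account numbers.
FORBIDDEN_FIELDS = frozenset({"track1", "track2", "cvv", "pin"})

# Constructed demo key. A real deployment loads this from a key management service.
TOKEN_KEY = b"constructed-demo-key-do-not-use"

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed card numbers are rejected before tokenization."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token: records stay correlatable without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimize(record: dict) -> dict:
    """Return only the fields allowed into the low-value store.

    Raises ValueError when stripe data or CVV is present: the fix is to stop
    capturing those fields upstream, not to silently drop them here.
    """
    leaked = FORBIDDEN_FIELDS & set(record)
    if leaked:
        raise ValueError(f"forbidden fields present at ingestion: {sorted(leaked)}")
    pan = record["pan"].replace(" ", "")
    if not PAN_RE.match(pan) or not luhn_ok(pan):
        raise ValueError("malformed PAN")
    return {
        "pan_token": tokenize_pan(pan),
        "pan_last4": pan[-4:],
        "expiry": record.get("expiry"),
        "name": record.get("name"),
    }


def is_storable(record: dict) -> bool:
    """Convenience wrapper for callers that only need an accept/reject decision."""
    try:
        minimize(record)
        return True
    except ValueError:
        return False


def audit_store(rows: list) -> list:
    """Scan stored rows for forbidden fields or values that look like a full PAN."""
    findings = []
    for i, row in enumerate(rows):
        for k, v in row.items():
            if k in FORBIDDEN_FIELDS or k == "pan":
                findings.append((i, k, "forbidden field stored"))
            elif isinstance(v, str):
                digits = v.replace(" ", "")
                if PAN_RE.match(digits) and luhn_ok(digits):
                    findings.append((i, k, "value looks like a full PAN"))
    return findings


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a standard test number.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "name": "TEST CARDHOLDER"}
    print(minimize(sample))
    print(audit_store([minimize(sample)]))
```

The audit function is the part worth scheduling: running it over the store on a regular basis is how a company learns that a new integration started persisting stripe data before a breach does.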
Data breaches are expensive.
The potential cost of a data breach includes out-of-pocket costs associated with notifying affected individuals as well as legal and audit expenses; the loss of current or potential customers; the provision of free services, such as credit monitoring; and call center expenses. One estimate puts out-of-pocket costs at $182 per compromised record, according to The Ponemon Institute.
Companies must communicate quickly and candidly with consumers about the circumstances of the breach.
The reputational risk to companies can be greater than the out-of-pocket costs of the breach. Companies that experience a breach must communicate quickly and accurately with consumers, regulators and the news media, to clarify the risk to consumers and to avoid escalation of the incident in the media. Crisis communications experts recommend choosing an articulate spokesperson who is knowledgeable and sensitive to the concerns of the individuals affected by the breach.
Companies must adopt and implement data breach policies and procedures.
The internal response team should represent multiple disciplines within the company, including information technology, security, legal and public relations. Some companies manage data breaches under their corporate crisis management plan, the same plan that is used to respond to natural and manmade disasters. Companies also are encouraged to have a systemized program in place in anticipation of a breach to empower consumers who may be at risk. These programs include breach notification, credit monitoring and identity theft victim assistance.
There is no U.S. federal law related to data breaches.
At least 33 states have enacted laws regarding data breaches with varying requirements and definitions. These state laws use different "risk-based triggers" for notifying consumers in the event of a breach. For financial services companies and thousands of other businesses that operate across state lines, this legal patchwork makes compliance costly and inefficient. Uniform national standards would benefit consumers and industry.
Companies that handle sensitive consumer data are encouraged to partner with law enforcement.
Depending on the nature of the breach, organizations may be required to notify law enforcement, as well as any regulators, about a breach. Companies are encouraged to establish a working relationship with the regional Secret Service, FBI or U.S. Postal Inspection Service before a breach occurs. Law enforcement also suggests that companies involve information technology employees as part of the crisis team, and require them to establish and protect the chain of custody of evidence. If the chain is broken when IT personnel attempt to restore the integrity of systems following a breach, the criminal prosecution may be jeopardized.
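The chain-of-custody point above, as an added example that is not ITAC's or law enforcement's own procedure: each hand-off of an evidence file appends an entry carrying the file's SHA-256 and a hash of the previous entry, so a later verification shows both whether the log was edited and whether restoration work touched the evidence. The evidence file, actor names and log line are constructed for the demonstration.

```python
"""Hash-chained custody log for a piece of evidence (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the first entry


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large disk images are hashed without loading them in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _read_entries(log_path: str) -> list:
    if not os.path.exists(log_path):
        return []
    with open(log_path) as f:
        return [line for line in f.read().splitlines() if line]


def record_custody(log_path: str, evidence_path: str, actor: str, action: str, note: str = "") -> dict:
    """Append one custody entry; each entry commits to the hash of the line before it."""
    lines = _read_entries(log_path)
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "prev": prev,
        "note": note,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")  # sort_keys keeps re-hashing stable
    return entry


def verify_custody(log_path: str, evidence_path: str) -> list:
    """Return a list of problems; an empty list means the log and evidence are intact."""
    problems = []
    prev = GENESIS
    entries = []
    for i, line in enumerate(_read_entries(log_path)):
        entry = json.loads(line)
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken")
        prev = hashlib.sha256(line.encode()).hexdigest()
        entries.append(entry)
    if not entries:
        problems.append("no custody entries")
        return problems
    if len({e["sha256"] for e in entries}) > 1:
        problems.append("evidence hash changed between custody entries")
    if sha256_file(evidence_path) != entries[0]["sha256"]:
        problems.append("evidence no longer matches first custody entry")
    return problems


def demo() -> tuple:
    """Collect, hand off, verify, then show what a restore that touches evidence looks like."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "webserver.log")   # constructed evidence file
    log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "w") as f:
        f.write("2007-01-17 03:12:55 GET /admin 401\n")  # constructed log line
    record_custody(log, evidence, "it-oncall", "collected", "pulled from web tier")
    record_custody(log, evidence, "forensic-examiner", "received")
    before = verify_custody(log, evidence)
    with open(evidence, "a") as f:   # simulates restoration work writing to the evidence
        f.write("restored\n")
    after = verify_custody(log, evidence)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice IT staff hash and hand off a forensic copy and do their restoration on a separate copy; the verification step exists so that prosecutors can demonstrate nothing was altered between collection and analysis.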
Consumer lawsuits regarding data breaches have been unsuccessful... for now.
Consumers generally have not prevailed in lawsuits against companies that experienced a data breach due to lack of damages and the difficulty of proving a duty of care and causation. Corporate plaintiffs have been more successful, for example, in cases where credit card issuers sued retailers for failing to protect consumer information.
Organizations are investing heavily in technology to prevent fraud, including more robust authentication and encryption. We can't expect consumers to appreciate the value of these investments, because their expectations for safeguarding their data will always exceed our most brilliant IT solutions. Given the damage breaches cause to a company's reputation, companies would be well-served by preparing for how they will communicate when customers are at their most vulnerable.
Anne Wallace is Executive Director of the Identity Theft Assistance Corporation, the not-for-profit corporation that operates the Identity Theft Assistance Center (ITAC). A nationally recognized expert in privacy and financial services, Wallace held senior legal positions in the private sector and government, and most recently, led the privacy consulting practice at KPMG Consulting. For more information, visit www.identitytheftassistant.org.