A call for rational discourse on identity theft
ID Analytics' Thomas Oscherwitz writes that while ID theft losses are dropping, the debate has become ever more shrill.
The reduction in the FTC's estimates is truly astounding. The FTC now says identity theft affects 8.3 million American adults annually as opposed to 9.9 million in 2003. The estimated annual loss from identity theft has declined to $15.6 billion from the $47.6 billion in the earlier survey. In a nutshell, the FTC sees the problem as one third the size it estimated in 2003.
It is ironic, then, that in the years since this study was first released, the outcry over identity theft and data breaches has only increased. Since 2005 alone, one privacy group has counted more than 216 million data records of U.S. residents that have been exposed to data breaches. And numerous research reports corroborate the high, and ever-rising, data breach costs incurred by organizations.
ID Analytics recently explored the actual risks posed by data breaches by examining more than a dozen breaches spanning 10 million consumer identities. Our findings were consistent with the FTC's in that we found no indication that data breaches have caused a spike in new account identity fraud.
What else did we learn? Very few identities were misused following a data breach. Even in the most egregious breaches, the rate of misuse was never higher than 0.5 percent. And in breaches with more than 100,000 identities?-the ones that get major press?-less than 0.01 percent (1 in 10,000 identities) experienced identity fraud.
Given the national obsession with data breaches, the FTC's announcement of a decline in identity theft came as a surprise to many. But it only confirms what we've learned: that many data breaches are accidental (tapes that get lost in delivery) or incidental (thieves are only after the computer hardware they steal, not the data within) and pose modest risk. Even where the intent of a breach appears to be the targeting of personal information, thieves face resource constraints on how they are able to use the data.
In the future, of course, this may change. For the time being, however, the FTC research should be considered a call for rational discourse on identity theft. Data breaches should be seen as one of a continuum of identity risks--not a cause for panic, but rather a trigger for preparation and action, where corporate resources can be focused on actual risk.
The latest research by the Ponemon Institute indicates that the average cost of a data breach to an organization is $6.3 million, or about $197 per lost or stolen data record. Ultimately, when organizations pay these ever-increasing costs of notification, we all end up victimized--particularly as fewer resources are available for other fraud-fighting efforts.
Let's refocus efforts where they are most needed: enhancing internal security, evaluating the actual harm caused by a breach, establishing efficient identity authentication, providing effective identity monitoring, and most importantly, assisting those victims of identity theft.