A new study suggests consumers whose credit cards are lost or stolen
or whose personal information is accidentally compromised face little
risk of becoming victims of identity theft.
The analysis, released late on Wednesday, in a report commissioned by
the United States government, also found that even in the most
dangerous data breaches -- where thieves access social security
numbers and other sensitive information on consumers they have
deliberately targeted -- only about 1 in 1,000 victims had their
identities stolen.
ID Analytics, the San Diego, California-based fraud detection company
that performed the analysis, said it looked at four recent data
breaches involving a total of 500,000 consumers. It declined to
provide the names of the companies involved in the breaches, but Mike
Cook, ID Analytics co-founder, said one of them was a top five
U.S. bank.
After six months of study, comparing compromised information against
credit applications, ID Analytics said it discovered something
counterintuitive: The smaller the breach, the greater the likelihood
the information was subsequently used by fraudsters to hijack the
identity of victims.
"If you're in a breach of 100, 200 or 250 names, there's a pretty high
probability that you're identity is going to be used," said Mike Cook,
ID Analytics' co-founder.
"The reason for that is if you look at how long it takes a fraudster
to use an identity, they can roughly use 100 to 250 in a year. But as
the size of the breach grows, it drops off pretty drastically."
A study conducted earlier this year by Javelin Strategy and Research,
which mirrored the methodology of an earlier Federal Trade Commission
study, found that 9.3 million Americans said they had been victimized
by identity thieves during the preceding 12 months.
ID Analytics said it discovered that identity thieves have a hard time
using a stolen credit cards to hijack the identity of cardholders
because the cards are usually quickly canceled -- and because piecing
together an identity based on the information on the card is hard
work. Not one of the card breaches it studied resulted in a subsequent
identity takeover.
While the findings will provide some comfort to consumers whose credit
cards are lost or lifted or whose sensitive information is compromised
when, for instance, a laptop is stolen, as recently happened at
Chicago-based Boeing Co., some of ID Analytics' suggestions could be
controversial.
The company suggests, for instance, that companies shouldn't always
notify consumers of data breaches because they may be unnecessarily
alarming people who stand little chance of being victimized.
That's likely to rankle consumer watchdogs, who are pushing Congress
to enact a law, sponsored by Sen. Arlen Specter (news, bio, voting
record), Republican of Pennsylvania, and Sen. Patrick Leahy (news,
bio, voting record), Democrat of Vermont, that requires companies to
implement tough data security standards and to notify consumers, law
enforcement and credit-reporting agencies whenever there's a breach.
"As far as notifications, we think there are certain instances where
businesses might want to notify consumers and certain instances where
they might not to inform them," said Cook.
"For instance, if they lose data, and they don't know where it is, we
think too many notices may not be a good thing. They should probably
monitor that and spend dollars on consumers who are actually harmed,
rather than spending dollars on 10 million consumers" most of whom
won't be affected.
Copyright 2005 Reuters Limited.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
For more news stories, please go to:
http://telecom-digest.org/td-extra/newstoday.html
To discuss this report, please go to:
http://telecom-digest.org/forum.html
Reuters News Wire (reuters@telecom-digest.org)