A June 2007 report issued by the Government Accountability Office (GAO) revealed that breaches of sensitive personal information are frequent and occur across all sectors and industries. Using data from the Privacy Rights Clearinghouse, Attrition, and the Identity Theft Resource Center, the GAO concluded that more than 570 data breaches were reported in the news media from January 2005 through December 2006. Many more probably go unreported. (See the Latest Data Loss Incidents feed on our home page and the Open Security Foundation for a complete history.) But the GAO also determined that “the extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft.”
While the report makes no recommendations, its authors state that consumer notification laws may improve data security and mitigate the harm caused by data breaches. They also say that current regulations are inconsistent between states and are not always clear on how organizations can comply with the law. Further, the costs of compliance can be high: a 2006 Ponemon Institute survey of 31 companies reported an average cost of $1.4 million per breach. In light of these factors, the report concludes with an advisory comment to Congress. A risk-based approach to Federal breach notification requirements “could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.”
Monday, August 11, 2008