GAO Releases Report on Data Breaches and ID Theft

July 5, 2007. The Government Accountability Office (GAO) released a report [50 pages in PDF] titled "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown". It finds that data breaches are common, but that "most breaches have not resulted in detected incidents of identity theft".

Pending Legislation. There is no federal statute of general applicability that either mandates notification of data breaches, or preempts state statutes of the same nature. However, numerous bills have been introduced in the House and Senate. Bills pending in the current 110th Congress include the following:

However, while there is no statute of general applicability, the GAO report notes that "federal banking regulatory agencies have issued guidance on breach notification to the banks, thrifts, and credit unions they supervise. In addition, the Office of Management and Budget has issued guidance -- developed by the President’s Identity Theft Task Force -- on responding to data breaches at federal agencies." (Footnote omitted.)

On April 30, 2007, the GAO released a report [PDF] titled "Privacy: Lessons Learned about Data Breach Notification". It pertains to loss of data by government agencies, such as the Veterans Administration's loss of a laptop computer containing personally identifiable information on approximately 26.5 million veterans and active duty members. That report stated that "existing laws generally do not require agencies to notify affected individuals of data breaches". See also the story titled "GAO Report Addresses Data Breaches at Government Agencies" in TLJ Daily E-Mail Alert No. 1,572, May 1, 2007.

GAO Report. The just-released report states that "As a result of advances in computer technology and electronic storage, many different sectors and entities now maintain electronic records containing vast amounts of personal information on virtually all American consumers. In recent years, a number of entities -- including financial service firms, retailers, universities, and government agencies -- have collectively reported the loss or theft of large amounts of sensitive personal information."

It continues that "Beginning with California in 2002, at least 36 states have enacted breach notification laws -- that is, laws that require certain entities that experience a data breach to notify individuals whose personal information was lost or stolen."

The report finds that "available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances. For example, more than 570 data breaches have been reported in the news media from January 2005 through December 2006, according to our analysis of lists maintained by three private organizations that track such breaches. Further, a House Government Reform Committee survey of federal agencies identified more than 788 data breaches at 17 agencies from January 2003 through July 2006. Of the roughly 17,000 federally supervised banks, thrifts, and credit unions, several hundred have reported data breaches to their federal regulators over the past 2 years."

It adds that "officials in New York State -- which requires public and private entities to report data breaches to a centralized source -- reported receiving notice of 225 breaches from December 7, 2005, through October 5, 2006. Data breaches have occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities."

The report also finds that "The extent to which data breaches result in identity theft is not well known, in large part because it can be difficult to determine the source of the data used to commit identity theft", but that "most breaches have not resulted in detected incidents of identity theft".

The GAO examined "the 24 largest breaches that appeared in the news media from January 2000 through June 2005". It found that "3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination."

The report also addresses consumer notification, which is the subject of pending bills. The report states that "Requiring consumer notification of data breaches may encourage better data security practices and help deter or mitigate harm from identity theft, but it also involves monetary costs and challenges such as determining an appropriate notification standard."

"Representatives of federal banking regulators, other government agencies, industry associations, and other affected parties told us that breach notification requirements have encouraged companies and other entities to improve their data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach of customer data."

The report adds that "notifying affected consumers of a breach gives them the opportunity to mitigate potential risk -- for example, by reviewing their credit card statements and credit reports, or placing a fraud alert on their credit files."