Identity theft? What identity theft? | InfoWorld | Column | 2007-07-20 | By Roger A. Grimes:

Whew! We can relax.

The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.

Yes, I’ve got that right. It’s not a comedic headline from The Onion.

The SANS NewsBites, one of my top information sources on security news, turned me on to The United States Government Accountability Office’s new report to congressional requesters called Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown. The 50-page report was developed to assist Congress with crafting all the various data breach notification legislation being proposed (the Data Security Act of 2007 (H.R. 1685), Data Accountability and Trust Act (H.R. 958), Identity Theft Prevention Act (S. 1178), and the Personal Data Privacy and Security Act of 2007 (S. 495), to name a few.) Overall, it’s not an entirely bad report, but it comes to nebulous conclusions.

For example, the report concludes that, although online criminal masterminds are stealing tens of millions of financial identities, apparently they are inept at using the captured information ... maybe. The GAO examined the 24 largest data breaches from January 2000 to June 2005 and concluded that only four led to unauthorized financial activity. Who would have thought that all the malicious pros would be content with filling their hard drives with useless information?

We can all rest better, right? Further, although the report grants that notifying affected consumers has some value, it often seems more concerned about shielding the vendor than protecting the consumer:

"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."

I love our GAO watchdog. It normally does a wonderful job of catching accounting irregularities, malfeasance, and government misstatements. Am I complaining only because its conclusion doesn't agree with my strong opinions on the subject? Perhaps, but I know something doesn't add up.

Not only did one-third of all U.S. adults have their financial identity information stolen or lost in 2006 alone (as covered in several of my previous columns), but I think we all know someone who has been the victim of identity theft, and I don't mean merely that their identity information was taken.

I do a fair amount of public speaking to large audiences across the country. Since the middle of 2006, I've been quizzing almost every audience to give a show of hands if they had their identity information used by an unauthorized party. Wherever I go, the proportion of victims is pretty consistent at one out of nine audience members. My informal survey is not statistically meaningful in a macro sense, but the demonstration is enough to show that we've got a serious, widespread problem.

How can our government help protect us if it won't even admit that there's a problem? Even if the problem is one out of 1,000, should we be debating whether or not to notify affected consumers?

You know this dubious GAO study will end up being cited by all the companies who wish to avoid reporting responsibilities. I bet it's already being copied and sprayed around Congress like a garden soaker hose. "

(Read Original Article - Via InfoWorld | Column | 2007-07-20 | By Roger A. Grimes .)