The June GAO report, Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown [GAO-07-737 (pdf)] was released today.
Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.
Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate. From the GAO abstract:
The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts. For example, in reviewing the 24 largest breaches reported in the media from January 2000 through June 2005, GAO found that 3 included evidence of resulting fraud on existing accounts and 1 included evidence of unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, there was not sufficient information to make a determination. Requiring affected consumers to be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also presents certain costs and challenges. Notification requirements can create incentives for entities to improve data security practices to minimize legal liability or avoid public relations risks that may result from a publicized breach. Also, consumers alerted to a breach can take measures to prevent or mitigate identity theft, such as monitoring their credit card statements and credit reports. At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether. 
Federal banking regulators and the President’s Identity Theft Task Force have advocated a notification standard–the conditions requiring notification–that is risk based, allowing individuals to take appropriate measures where the risk of harm exists, while ensuring they are only notified in cases where the level of risk warrants such action. Should Congress choose to enact a federal notification requirement, use of such a risk-based standard could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk.
So will these chronologies backfire and be used to support the argument that there should not be mandatory notification for all breaches? The report was requested by those who specifically wanted to gather data on the relative costs and benefits of disclosure and notification, and it is not insignificant that the GAO reported:
For example, 31 companies that responded to a 2006 survey said they incurred an average of $1.4 million per breach, for costs such as mailing notification letters, call center expenses, courtesy discounts or services, and legal fees. (p. 6).
Previously unreported data contained within the report also suggest that there are so many breaches that the costs of notifications could be staggering:
For example, officials of the FBI's Cyber Division told us that presently it has more than 1,300 pending cases of computer or network intrusions where data breaches resulted from unauthorized electronic access to computer systems, such as hackings, at public and private organizations. Officials at the Secret Service, which investigates certain cases where financial information has been lost or stolen, told us that in 2006, the service opened 327 cases involving network intrusions or other breaches at retailers, banks, credit card processors, telephone companies, educational institutions, and other organizations. Officials noted that they have seen a steady increase in the number of data breaches since 1986, when they began tracking computer fraud violations. (p. 12)
The numbers contained within the GAO report confirm what many of us have suggested time and time again — there are many breaches we do not hear about. And if we were able to calculate the cost of disclosure and notification for all breaches that might fall under a strict federal disclosure and notification law, the annual costs could certainly be tremendous.
From the perspective of a privacy advocate, it is unacceptable to fail to notify on the basis of cost — or on the basis of a paternalistic argument that notifications might become meaningless if they are too common. Even if others do not think that there is a real or significant risk to me, if my data are stolen, lost, or otherwise exposed, I want to be informed so that I can decide for myself what action, if any, I want to take — including no longer dealing with whoever did not adequately secure my information.
The GAO report does mention consumer and privacy advocates' position about the "right to know" at a number of points. Perhaps their strongest reference is where they write:
Respecting Consumers' Right to Know. Some consumer advocates and others have argued that consumers have a right to know how their information is being handled. According to this view, basic rights of privacy dictate that consumers should be informed when their personal information has been compromised, even if the risk of harm is minimal. The principle that individuals should have ready means of learning about the use of their personal information is embedded in the Fair Information Practices, a set of internationally recognized privacy protection principles. (p. 33)
As we have noted in the past, care is needed in defining appropriate criteria for data breaches that merit notification. The frequency of data breaches identified in this report suggests that a national breach notification requirement may be beneficial, in large part because of its role in further encouraging entities to improve their data security practices. (p. 39)
Worded that way, the main argument for notification seems to be that it would encourage better security practices. But in my opinion, the strongest argument for notification is right to know what has happened to my personal and private information. The GAO report continues (emphasis added by me):
However, because breaches vary in the risk they present, and because most breaches have not resulted in detected incidents of identity theft, a notification that is risk based appears appropriate. Should Congress choose to enact a federal breach notification requirement, use of the risk-based approaches that the federal banking regulators and the President's Identity Theft Task Force advocate could avoid undue burden on organizations and unnecessary and counterproductive notifications to consumers. (pp. 39-40)
Not only do the GAO findings lend themselves to the antithesis of what privacy advocates want, their findings may also result in fewer efforts to secure medical or health-related information. Seen at HIPAA Blog today:
GAO Report: to paraphrase the Government Accountability Office's new report, data breaches happen fairly often, but cases of identity theft coming out of those breaches are pretty rare; at least as far as we can tell. That seems right — there are plenty of data breaches that aren't caused by someone trying to get data, but rather by someone failing to fully protect the data; in those instances, it's unlikely that anyone would improperly access or receive the data, and if they did, they would be unlikely to use it for nefarious purposes. And even in instances of "active" data interception, there are probably plenty of such cases where the party accessing the information isn't trying to engage in identity theft (or isn't able to do so for some reason — perhaps the data isn't enough, or the hacker lacks the skills), but is just a cybervandal. I think you can extrapolate that cases where the data is healthcare information are even less harmful; first of all, the data usually doesn't have any commercial value to the data thief, so it's even less likely to be targeted; and if it's accessed, it's less likely to be used. Still, no reason not to stay vigilant and make sure you comply with your requirements under HIPAA (not to mention general ethical and business reasons), but also some comfort in case there is a breach.
Apart from the fact that the GAO report did not really look into health care breaches, protected health information (PHI) may include the patient’s SSN and financial details, and can be used for credit card fraud and new-account fraud — just like the possible outcome of any hack or non-PHI breach. Additionally, health care information — including Medicare or insurance numbers — is highly desirable to those rings of criminals engaged in Medicare fraud. Criminals engaged in Medicare or Medicaid fraud need patient info that they can use in their schemes. They may recruit patients to provide their information with the lure of free treatment or other benefits, or they may partner with thieves inside health care facilities who steal the information for them. Anyone who has not knowingly provided their information to these criminals is at risk of medical identity theft, which can create the same hassles as “regular ID theft,” but which can also corrupt the accuracy of the patient’s health care records and exhaust their health care benefits. Then, too, consider these previously unreported data, contained within the GAO report:
The American Hospital Association collected information, at our request, in October 2006 from a nonrepresentative group of 46 large hospitals on breaches of sensitive personal information (excluding medical records) that they had experienced since January 2003. Collectively, 13 of the 46 hospitals reported a total of 17 data breach incidents. … three had resulted in fraudulent activity on existing accounts and another three resulted in other forms of identity theft, including one case where the information was used to file false income tax refunds. The identity theft in these cases involved small numbers of victims — usually just one. (pp. 16 and 17)
As the GAO notes, their sample was not representative and only included large hospitals. Had they included smaller facilities and medical clinics, one might find that there are cases where dozens of individuals have become victims of ID theft. In one case involving theft of information to file for false tax refunds, information on over 400 hospital patients was stolen by an employee; the information from 163 of those accounts was used to file false tax refunds.
Thus, even though the GAO report acknowledges that the full extent of the problem is not known and states, "This report contains no recommendations," (p. 7), and even though they recommended and continue to recommend greater security (p. 17), I fear that their overall message is that it is appropriate to use risk-based criteria for notification and that we will see this report and the underlying breach chronologies used to support a risk-based notification statute.
Yes, I know that the point of some chronologies or databases was to promote and facilitate research, but for some, part of the point was to illustrate how common breaches are, how much we do not know, and how much we need mandatory disclosure and notification so that we can begin to determine what the real rates and risks are. It would be a shame if all of the hard work of Attrition.org, the Privacy Rights Clearinghouse, and the Identity Theft Resource Center were used to support withholding information from us.