Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC).
"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.
Romanosky's team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California's SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.
Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends. A lot of people complain, but it represents only a subsection of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year.
The FTC doesn't break down identity theft complaints on a state-by-state basis. However, the Carnegie Mellon researchers were able to access to this information using a Freedom of Information Act request. This allowed them to see whether or not there was a change in the rate of reported identity thefts before and after data breach laws went on the books. Looking at the complaints on a month-by-month basis, they didn't find any statistically significant effect, Romanosky said.
However, they found that other factors, such as the state's population, gross domestic product and fraud rate did have a significant effect on identity theft rates.
Because reports to the FTC are incomplete, it's hard to draw conclusions from the data, said Gartner analyst Avivah Litan. But she noted that while breach laws have made lost laptops front-page news, many companies have responded to tighter laws and regulations by focusing more on compliance than on security.
Often, that's not good enough to protect customers from ID theft, she said. "If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."
Romanosky admits that there may be problems in the methodology used by his team. And while he noted that the data -- compiled from self-reported complaints -- may not be perfect, the FTC database is the only source of this type of information.
In fact, there may be good reasons that explain why breach laws have not cut down on identity theft. Many consumers simply ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. "In so many of these cases, the breaches occur because of ridiculous security practices," he said.
Romanosky knows something about information security in the corporate world. Before deciding to pursue his Ph.D, he worked in the security groups of companies such as Morgan Stanley and eBay.
The researchers suggest a few next steps to better understand identity theft. The federal government should adopt a unified breach law in order to "reduce conflict between states laws and lower the barrier for compliance," they write in their paper.
Also, there should be standardized notification requirements so that victims learn pertinent information about the breach. Finally, they said that some kind of oversight committee should be set up as the definitive source of breach data, so that there is better information for consumers, policy makers, and researchers.
Gartner's Litan offered one more observation that might explain Carnegie Mellon's findings: The fraudsters are also getting better at what they do, she added. "If you talk to the largest banks, they will tell you that fraud has really increased in the past 18 months," she said. "And they project it going up very significantly in the next two years."
"The thieves are just getting better and there's more fraud," she said.