Protective bills have not cut ID theft, costs

January 02, 2007|By Cox News Service

When identity thieves stole sensitive information about thousands of consumers from Alpharetta, Ga.-based ChoicePoint Inc. in February 2005, it caused a national uproar.

Furious consumer advocates demanded changes in the way Social Security numbers, credit card information, and addresses are collected and kept by companies, government agencies and others. Lawmakers responded by proposing a flurry of new legislation.

Nearly two years later, though, the number and the cost of data breaches is still growing. Much of the proposed legislation designed to protect consumers is stuck in limbo. And some security experts say that data breaches that result in leaks of sensitive personal information will continue to rise in 2007 and beyond.

Linda Foley, executive director of the San Diego-based Identity Theft Resource Center, which conducts research and helps identity theft victims, said that "we're not seeing the change in behavior [by companies and others] as rapidly as we would have thought, or those numbers should have been stabilizing or going down, not up."

"I do believe we'll continue to see an increase in breaches ... not a decrease," said Troy Allen, senior vice president of Kroll Inc., a consulting firm that specializes in corporate risk management.

Already, the trends seem troublesome:

In 2005, the nonprofit Identity Theft Resource Center tracked 158 incidents of large data breaches at companies, universities and government organizations. Through October 2006, the latest period for which it has figures available, it had already tracked 192 incidents.

The cost of breaches is rising, too. According to a study of recent incidents by the Ponemon Institute research firm, data breaches cost companies an average of $182 per compromised record in legal fees and other expenses, up more than 30 percent from a year earlier. Total costs for each of the 31 incidents Ponemon studied ranged from $1 million to $22 million.

Company executives now say data security is their biggest worry. In an Internet-based survey of nearly 200 senior executives released this month by pollster Harris Interactive, more executives - 61 percent - ranked the compromise of corporate information systems as a higher concern than any other crisis, including terrorism, corporate malfeasance, product recalls or workforce violence.

Part of the reason for the higher numbers is a heightened awareness about data breaches. Led by California, whose privacy laws required ChoicePoint to reveal its watershed data breach, dozens of states have passed laws that force companies and other organizations to notify consumers when their personal information is stolen or lost.

And many companies, ChoicePoint among them, have won praise from consumer advocates for improving their business practices and taking steps to prevent data breaches.

But while some companies are cleaning up their act, universities and other public institutions are among the worst offenders when it comes to protecting sensitive information.

More than 60 percent of the breaches tracked by Foley's group in 2006 were at universities or government agencies.

Among the biggest was the April hacking of University of Texas at Austin computers that resulted in the Social Security numbers and other information of 106,000 students being released.

According to the Kroll consulting firm, the flood of legislation that followed the ChoicePoint incident yielded nothing more than requirements that companies and other organizations disclose breaches.

"There's a lot happening, it's just misguided," Allen said. "The majority of legislation passed or proposed concentrates just on what organizations have to do after they have a breach, not what to do before a breach occurs in the first place."

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.