December 8, 2005

Fears Over Identity Theft Are Overblown: U.S. Study

CHICAGO -- A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.

The analysis, released late on Wednesday, also found that even in the most dangerous data breaches -- where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted -- only about 1 in 1,000 victims had their identities stolen.

ID Analytics, the San Diego, California-based fraud detection company that performed the analysis, said it looked at four recent data breaches involving a total of 500,000 consumers. It declined to provide the names of the companies involved in the breaches, but Mike Cook, ID Analytics co-founder, said one of them was a top five U.S. bank.

After six months of study, comparing compromised information against credit applications, ID Analytics said it discovered something counterintuitive: The smaller the breach, the greater the likelihood the information was subsequently used by fraudsters to hijack the identity of victims.

"If you're in a breach of 100, 200 or 250 names, there's a pretty high probability that you're identity is going to be used," said Mike Cook, ID Analytics' co-founder.

"The reason for that is if you look at how long it takes a fraudster to use an identity, they can roughly use 100 to 250 in a year. But as the size of the breach grows, it drops off pretty drastically."

A study conducted earlier this year by Javelin Strategy and Research, which mirrored the methodology of an earlier Federal Trade Commission study, found that 9.3 million Americans said they had been victimized by identity thieves during the preceding 12 months.

ID Analytics said it discovered that identity thieves have a hard time using a stolen credit cards to hijack the identity of cardholders because the cards are usually quickly canceled -- and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

While the findings will provide some comfort to consumers whose credit cards are lost or lifted or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing Co., some of ID Analytics' suggestions could be controversial.

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

That's likely to rankle consumer watchdogs, who are pushing Congress to enact a law, sponsored by Sen. Arlen Specter, Republican of Pennsylvania, and Sen. Patrick Leahy, Democrat of Vermont, that requires companies to implement tough data security standards and to notify consumers, law enforcement and credit-reporting agencies whenever there's a breach.

"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," said Cook.

"For instance, if they lose data, and they don't know where it is, we think too many notices may not be a good thing. They should probably monitor that and spend dollars on consumers who are actually harmed, rather than spending dollars on 10 million consumers" most of whom won't be affected.