The Cost of ID Theft, Part 2: Fixing the System

As the number of identity theft victims continues to mount, so has the amount of data and information related to such events — and the time and resources devoted to better understanding, analyzing and devising measures that can better prevent such occurrences, as is seen in Part 1 of this series.

“The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record — not financial fraud — is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses,” noted Uriel Maimon, senior researcher for security firm RSA.

“It’s no wonder that when The Wall Street Journal in September 2006 analyzed the trailing stock price of public companies that had suffered a breach earlier in 2006, they found that, on average, the company’s stock price had lost 12 percent of its value since the breach.”

Data Breaches: The Cost to Businesses

The costs as well as the volume of ID thefts continue to rise. Estimated business losses per victim increased by about $7,500 from 2003 to 2004, from $41,717 to $49,254, according to the Identity Theft Resource Center. The number of records contained in reported data breaches compiled and analyzed in the study ranged from 4,000 to more than 125,000. The costs were proportionately higher for larger data breaches.

While the average cost of a data breach was $6.3 million, the costs of dealing with actual data breaches and ID theft declined for both individuals and businesses as new laws and regulations have been enacted that provide free or low-cost credit monitoring. Businesses are being required to notify all data breach victims, and are finding more effective and lower-cost methods and means of addressing the problem.

The cost of notifying customers decreased 40 percent in 2007 from 2006, to $15 per record compromised while the cost of free credit monitoring and services to 2 percent of total costs, down from 5 percent of costs in 2006 and 7 percent in 2005, according to the study.

The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP.

“Even back in 2005, consumers took data breaches seriously: 20 percent of US consumers that were impacted by a data breach terminated business with the company responsible for the breach; 40 percent of U.S. consumers that were impacted by a data breach were considering stopping business with the company responsible for the breach,” Bocek said as he recounted responses to Ponemon’s 2005 “National Consumer Survey on Data Security Breach Notification.”

Failing to encrypt stored data is “one of the most egregious errors” being made by organizations, maintained Randy Abrams, director of technical education at security firm ESET. “Consumer information should always be encrypted. If media is lost or stolen in transit, it is not going to be used for identity theft or anything else if it is encrypted. Similarly, consumer information, student information, taxpayer information and the like must be encrypted anywhere it is stored. The only reason a stolen computer or hard drive can compromise personal information of thousands of people is because of gross incompetence.”

Changing Laws and Regulations

It takes lots of time, effort and data to put what can be considered a reliable price on ID theft — information that is essential to crafting policies, procedures and designing and building better systems to prevent it. Data hasn’t been lacking, much to the chagrin of the growing numbers of individuals and businesses that have fallen victim to data breaches and ID theft, and awareness has grown as better monitoring and reporting efforts have been established.

As the cost of ID theft continues on its upward trend, governments have taken action to assist victims and require organizations to comply with minimum preventive personal privacy security standards and public data breach disclosure and reporting requirements. “In the U.S., more states are passing laws pertaining to data privacy and security. Thirty-eight so far have laws on the books related to breach notification, for example,” the Ponemon Institute’s Mike Spinney told the E-Commerce Times.

While this demonstrates that lawmakers are coming to grips with the problem, it is also making the legal and regulatory environment something of a hodgepodge of sometimes conflicting state requirements that result in greater difficulties, and costs, to companies’ compliance efforts, he continued. “It’s making the regulatory environment difficult for companies who may find themselves within the jurisdiction of several states with laws that may be incompatible.”

More Needs to Be Done

“As long as personal information is a commodity that does not belong to the consumer, as is the case in the U.S. — in stark contrast to some European countries — identity theft will be facilitated,” added ESET’s Abrams. “The nature of the ownership of personal information is an enabler of identity theft that is sanctioned by the U.S. government through antiprivacy legislation.”

Credit reporting companies can and should help mitigate the risk of identity theft by more and better sharing of information with consumers, according to Abrams. “The consumer should have complete control over what information is shared and always be able to see how their information is used at no cost. Blocking visibility helps increase the success of criminals engaging in identity theft.”

The federal government needs to step in, said the Ponemon Institute’s Spinney. “The federal government needs to pass a comprehensive data breach law that will unify the issue for business, while still offering good protection for consumers … [but] with a presidential election cycle in full swing, we won’t see any meaningful progress on this or likely any ID theft front at the federal level until 2009 at the earliest.”

“Ultimately all this spending and awareness will help,” opined ID theft expert Robert Siciliano. “For financial identity theft, the immediate solution lies in consumers investing in services that will flag their credit, preventing new financial accounts to be opened under their names. However, this will not prevent criminal identity theft, which is when someone poses as you and commits crimes using your identifying documents.”

The Real ID Act is the next step in bringing on a much more secure form of identification, Siciliano added. “While privacy advocates are against it, anyone who understands fundamentals such as ‘layers of security’ will not mind giving up a bit of so called ‘privacy’ to secure who they are in identifying documents.”

The Cost of ID Theft, Part 1: Beyond Dollars and Cents