GAO: Data Breaches Rarely Lead To ID Theft
"Yep, breaches have no impact whatsoever. Trust me on this..."
The Government Accountability Office released a report yesterday stating that it was difficult to link data breaches to confirmed cases of identity theft. The GAO also recommended that agencies and businesses adopt a "risk-based standard" for notifying affected people about data breaches. You can read the report here, and my article about it here.
I think the idea of trusting a business or government agency to handle its own internal review or risk study for a breach is akin to going hunting with *** Cheney and expecting to not get shot in the face. Of COURSE they're going to say there's no risk to consumers and that the costs of notification, credit monitoring, etc., aren't necessary. For the vast majority of companies and gov't agencies who have let data get exposed, a breach is just the cost of doing business.
I might entertain the idea that a neutral third-party actor could be entrusted to handle the risk audit--someone from the Identity Theft Resource Center, perhaps. Otherwise the idea is just stupid on its face. Shame on the GAO for dropping the ball on this important issue.