Lost Data Doesn't Necessarily Lead to Crimes
The year 2005 will likely go down in history as the year of the data security breach. It was a year in which CardSystems Solutions Inc. revealed a security breach that exposed data on potentially more than 40 million payment-card accounts. DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers. Information brokers LexisNexis and ChoicePoint revealed breaches involving millions of sensitive records. It was also the year of lost data, with UPS, Citigroup, Bank of America, Ameritrade, and Time Warner all reporting losses of backup tapes containing sensitive data.
But beyond all the hoopla, what is the likely economic impact of these and other data breaches? Do some data breaches pose more of a risk than others? What can financial institutions do to prevent and detect identity theft?
Hard numbers are difficult to come by. According to the Federal Trade Commission, some 246,570 identity theft cases were recorded in its Sentinel consumer fraud database in 2004; the FTC defines ID theft broadly as the appropriation of personal information such as a Social Security number or credit card account number to commit fraud or theft.
Others take a finer-grained approach, creating two buckets of identity crime: account fraud (in which a person's account number is stolen and used to commit fraud) and identity theft (in which existing accounts are taken over or new ones created using the victim's Social Security number and other data).
To put some meat on the bare-bones statistics, ID Analytics Inc., an identity-theft risk management company, studied four high-level identity crime cases involving approximately half a million consumer identities. Two of them involved account fraud, and two involved identity theft. The company analyzed transactions for suspicious activity using its proprietary fraud detection technology, Graph Theoretic Anomaly Detection, which sifts data for clues, such as a single Social Security number associated with two or more individuals.
The findings suggest that the fears stirred by identity-type data losses may be overblown. While identity theft poses the greatest threat to consumers, ID Analytics found that the highest rate of misuse of victims' identities was less than one-tenth of one percent of all identities compromised, or less than one in 1,000.
The findings also suggest that the likelihood of criminal misuse is correlated with the type of data breach. Deliberate hacking of a database produced the highest rate of crime, followed by inadvertent access to sensitive data (such as data that is accessed on a stolen laptop). Losses of data, such as tapes falling off a truck, were considered to be the least likely breaches to result in subsequent crimes.
The findings confirm what can be intuitively grasped about criminal intent: The more targeted and focused the attempt to siphon off personal data, the greater the likelihood it will lead to fraud. While the CardSystems breach resulted in millions of accounts being exposed, the likelihood that more than a tiny fraction will be used to commit crime is quite small. "The smaller the breach the higher the likelihood of misuse," says Mike Cook, co-founder of ID Analytics. "A smaller breach is more worrisome."
One of the factors militating against the criminal use of data is the sheer length of time it takes to commit fraud. It takes about five minutes to fill out a credit application. At that rate it would take a single thief, working 6.5 hours a day, five days a week, 50 weeks a year, over 50 years to create one million phony identities.
That's no cause for rejoicing, however; once a victim's identity has been stolen, the thief can sit on it for a while, then spring it to life after the heat's died down. For this reason, "any company has to perform due diligence on lost data" for a long time after the breach has occurred, says Cook. "Someone can slowly milk identities and after 15 months have an uptick in a use," he says. "It's important for all companies that have a breach to use technology to determine who's been harmed."
Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.