Abstract
Overview
If a consumer gets a data breach notification letter, they are four times more
likely to suffer identity fraud within the next year. Data breach
notifications were intended to help consumers take protective action when
their private data is exposed. But there seems to be a disconnect between data
breach notifications and consumer understanding of possible outcomes of data
breaches. New data shows that consumers who have received data breach
notifications within the past year are at a much greater risk for fraud than
the typical consumer. Yet, these same consumers rarely attribute the fraud to
their data breach exposure. This report also contains an update of data
breaches for 2009, implications of changes to the legislative landscape, and
the technical means by which data breaches occur. Finally, a timeline of
several of the recent, most egregious data breaches in U.S. history (including
who, how, where and when) is included.
Primary Questions
- Is there a link between data breach notification letters and identity
fraud?
- Are data breach notification letters working?
- In the face of escalating data breaches, what should financial
institutions and other companies do to protect brands and customer loyalty?
- How do victims respond to breach notification, and how does this impact
their relationship with their financial institution?
- Are paper or electronic records more vulnerable?
- How are criminals obtaining data records?
Methodology
This report is mainly based on consumer data collected from Javelin's annual
Identity Fraud Survey. The survey is conducted each year using
computer-assisted telephone interviewing (CATI) via random-digit dialing, with
4,784 respondents in October 2008, 5,075 respondents in October 2007, and
5,000 respondents in October 2006. The surveys targeted respondents based on
representative proportions of gender, age and income compared to the overall
U.S. online population.
For questions answered by all 4,784 respondents, the maximum margin of
sampling error is +/- 1.4% at the 95% confidence level.
For questions answered by all 487 identity fraud victims, the maximum margin
of sampling error is +/- 4.4% at the 95% confidence level.
For questions answered by a proportion of all identity fraud victims, the
maximum margin of sampling error varies and is greater than +/- 4.4% at the
95% confidence level.
Some data also came from Dataloss.db.org, an open community research project
that documents known and reported data loss incidents worldwide.
Some data also came from the Identity Theft Resource Center, a non-profit
organization that compiles information about public data breaches to help
understand and prevent identity theft. This information was accessed at
www.idtheftcenter.org on Sept. 30, 2009 and was used to help compile figures
8-12.