
Average Cost of ID Theft Per Victim is $31,356

Finally, a report that looks much more accurate with regard to how much identity theft costs the VICTIMS of a privacy breach. Most reported victim costs that I have seen in the past seemed much too low considering all the time that victims talked about trying to repair and recover from identity theft, and how many resources it took, the many years it often takes, and so on.

An InformationWeek article, "Identity Theft: Costs More, Tech Less" reports, "the median actual dollar loss for identity theft victims was $31,356."

Much higher than the $740 - $5,720 ranges per victim that other researchers have typically cited.

This is based upon research of 470 U.S. Secret Service cases, so the data is not as subjective as most such reports, which often rely upon best guesses and estimates...often from the company that caused the breach and not from the victims themselves, or from any other consumer-focused resources.

Here's a very interesting and revealing passage from the report:

""Analysis of the methods employed by the offenders showed that Internet and/or other technological devices were used in approximately half of the cases," the report says. "In some cases, the offenders began with a non-technological act, such as mail theft, to obtain the personal identifying information, but then used devices such as digital cameras, computers, scanners, laminators, and cell phones to produce and distribute fraudulent documents. While the use of the Internet as a criminal tool had a presence, it did not appear to be a necessity for most offenders to reach their goals."

Among the 517 cases analyzed, 102 included the use of the Internet. Nontechnological means of identity theft -- mail theft, mail rerouting, and Dumpster diving -- occurred in 106 cases.

Another unexpected finding is that in half of the identity theft cases analyzed, the crime began in a business. In 274 cases where a point of compromise could be identified, businesses accounted for 50% (137) of the breaches.


"There are a lot of cases where businesses provide the points of compromise," said Gordon.

While about two-thirds of the cases did not involve insiders, one third did. "A third of the cases involved identity theft through employment," said Gordon.

"Those numbers we think are significant."

Of the 176 cases where the point of vulnerability was the offender's place of employment, 77 involved the retail industry, more than twice as many as occurred in private companies, banks, or government agencies."


Something that I, along with many other privacy proponents, have often pointed out about privacy breaches is that:

* Many identity theft cases are not performed via technology. I've blogged about this many times, such as here and here.


* Poor controls at the workplace allow malicious employees to take advantage of their coworkers and customers and commit crime and fraud with their PII. I've also blogged about this, such as here and here.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.