Monday, June 09, 2008

ID Theft In US Continues Apace Despite Data Breach Laws

A Slashdot posting from yesterday points to an article in TechWorld about Carnegie Mellon researchers' published analysis of the ineffectiveness of data breach notification laws adopted by 43 US states.
"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D. student at Carnegie Mellon who is one of the paper's authors.
Nevertheless, they did find that other factors, such as the state's population, gross domestic product and fraud rate, did have a significant effect on identity theft rates.

Gartner analyst Avivah Litan points out that it is hard to draw conclusions from the data because FTC reports are incomplete. She notes that while breach laws have made front-page news out of lost laptops, most companies respond to tighter laws and regulations by concentrating on compliance rather than on security.

Often, that's not good enough to protect customers from ID theft, she said.
"If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."
See Techworld for more information.