Study Finds No Evidence Data Breaches Increase Risk of Consumer Harm

A new joint study from the U.S. Chamber of Commerce Technology Engagement Center (C_TEC) and the Policy and Economic Research Council (PERC) finds weak support for the commonly held belief that data breaches lead to widespread incidences of identity theft. The first-of-its-kind, comprehensive study, titled “Data Flows, Technology, and the Need for National Privacy Legislation,” looked at three levels of analysis: macro (aggregate number of data breaches and identity theft rates from 2005 to 2018), micro (credit report impacts and data leaked to the dark web on 27 million consumers), and case studies (24 large data breaches between 2005 and 2018).

On the macro level, the report found that over the past decade, the number of data breaches and records breached has been increasing steadily, while the identity theft rate has stayed relatively constant, fluctuating between a low of 4.35% (in 2010) and a high of 6.63% (in 2017). Meanwhile, identity theft and fraud losses have actually been decreasing during this timeframe, while data breaches have gone up. The rate of identity theft in any given year cannot be meaningfully predicted by the number of data breaches in that year.

On the micro level, the data on 27 million consumers enrolled in credit monitoring was divided into three samples: breach-affected population (enrolled due to a breach), those paying out of pocket for credit monitoring, and those enrolled by their employers. In comparing these samples against each other, the study found that credit scores rose slightly for all three samples once credit monitoring began. Data was found on the dark web for 66% of data breach victims, compared to 70% of the general population. Rates of credit activity that might indicate identity theft were identical for all samples. There was no evidence that data breaches lead directly to consumer harm.

In 2007, the GAO looked at 24 data breaches and found “data breaches are frequent, but evidence of resulting identity theft is limited; however, full extent is unknown.” This report looked at another 24 data breaches and found that the highest observed rate of identity theft linked to a data breach was 2.5%. Between 2005 and 2018, the identity theft rate in the general population averaged 5.32%, over double what could be linked to a breach. The study’s findings were highly consistent with those of GAO over a decade earlier.

Report co-author and PERC President Dr. Michael Turner said, “There is a ‘Jaws effect’ here, where media coverage of data breaches feeds into widespread misperceptions about consumer risks associated with data breaches. These widespread misperceptions in turn are driving privacy legislation, with some state laws including draconian penalties and enforcement measures for breached companies regardless of a demonstration of harm. This can damage companies and the economy, and provides little incentive for data security in an era where data breaches are almost an inevitability.” Dr. Turner added, “Congress must act soon to pass a sensible, federal, and preemptive privacy law that balances consumer rights and protections with legitimate business uses of data.”

The paper will be presented at the U.S. Chamber of Commerce event “Data Done Right” on July 11, 2019, in Washington, DC.