Another day, another installment in our aperiodic :-) series "Nobody Is That Dumb ... Oh, Wait!", this time featuring the GAO report on data breaches [PDF]. As you recall :-), a blog post under that rubric should contain the word "assclown."
So, the report in question seems to imply that
a) there is no link between data loss/theft and subsequent identity theft, and
b) as a result, mandatory notifications (such as those prescribed by CA 1386) are a waste of resources.
But you know what? Data theft (as well as, mind you, negligent data loss!) is a crime even if whoever took off with the data didn't use it for nefarious purposes. To me it sounds akin to "the bank robber who didn't spend the money on more crimes" or (more remotely ...) "a carjacker who didn't cause a traffic accident." Mandatory notifications are a means to reduce data loss/theft, and are thus needed regardless of how the stolen data is used!
BTW, SANS called it deeply flawed (their analysis of it is here), but it is also stupid in light of the above.