GAO Favors Risk-Based Data Breach Notification

The risk-based approach to data breach notification adopted by federal bank regulators and favored by a presidential task force would be the best standard on which Congress could base a national notification requirement, according to the Government Accountability Office.

The risk-based standard has the advantages of allowing individuals to take action when a real threat exists, while sparing businesses the costs of notification and changing accounts when it doesn’t, the GAO noted.

“Should Congress choose to enact a federal notification requirement, use of such a risk-based standard could avoid (the) undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk,” the Congressional watchdog concluded after reviewing five and a half years of the largest data heists.

The findings were not, however, couched as recommendations. “This report contains no recommendations,” the report said in the “What the GAO Recommends” portion of its summary.

The study of the 24 largest data breaches between January 2000 and June 2005 found that few resulted in actual identity theft, defined as the misuse of credit card or bank account numbers or the unauthorized creation of new accounts.

“The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft,” the report said. “However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts.”

Of the two dozen breaches studied, only three showed evidence of resulting fraud on existing accounts, and one showed evidence of unauthorized creation of new accounts. The report did not deal with the devastating losses that can be caused, for example, by just one ongoing breach like the recent TJX case.

No clear evidence linked 18 of the breaches studied by GAO to identity theft, and no determination could be made for the remaining two because complete information was not available.

Just how and when to require notification must be balanced with the costs of doing so, taking into account the small number of breaches that actually result in injury to consumers and institutions, the report concluded.

“Requiring consumer notification of data breaches may encourage better data security practices and help deter or mitigate harm from identity theft, but it also involves monetary costs and challenges such as determining an appropriate notification standard,” the report said.

Federal banking regulators and other government agencies as well as industry associations told the GAO that breach notification requirements have encouraged companies and other entities to improve their data security practices in an effort to minimize legal liability or avoid the public relations disasters that follow revelation of a data breach.

Notification also has the advantage of giving customers an opportunity to mitigate potential risk by reviewing statements and putting fraud alerts on credit files, the study found. “Some privacy advocates and others have noted that even when the risk of actual financial harm is low, breach notification is still important because individuals have a basic right to know how their personal information is being handled and when it has been compromised,” the report noted.

The downside is, of course, cost, and this is why the GAO concluded that the risk-based approach makes the most sense for any national standard.

It noted a 2006 survey in which 31 companies reported incurring an average of $1.4 million per breach for costs that included mailing notification letters, call center expenses, courtesy discounts or services, and legal fees. Organizations that had made notifications also told the GAO they were challenged by the lack of clarity in some state statutes, difficulty identifying and locating affected individuals, and difficulty complying with various other state requirements.

While the National Association of Attorneys General would like to see a broad approach that would guarantee a greater level of protection to consumers, the GAO favors the narrower risk-based approach of the federal banking regulators.



Contact Sheshunoff: 1 (800) 456-2340