Data breaches have, so far, been rarely used for financial fraud, a new study on recent incidents has shown.

ID Analytics announced findings from a survey on four recent data breaches involving a half-million identities and said that "the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent – less than one in 1,000 identities."

The San Diego-based company said it separates breaches into different categories: identity-level breaches, where names and Social Security number have been stolen, and account-level breaches, which involve the theft of account numbers.

ID Analytics said the degree of risk involved depends on whether the data breach was the result of a hacking incident by a malicious user trying to gain access to data or an unintentional loss of data, such as lost tapes.

The company found that it may not be cost effective for criminals to attempt financial fraud after a breach. Because it takes about five minutes to fill out a credit application, according to the company, it would take a fraudster working full-time over 50 years to fully use a confiscated file containing a million identities.

Mike Cook, company co-founder and vice president of product, said better educated criminals could lead to a higher percentage of misuse in the future.

"As there becomes more awareness, an offshoot is that we are also educating the fraudsters," he said. "If someone were to obtain data and sell it in packages on the internet, there would be a lot more people working on the data."

Bruce Schneier, Counterpane founder and chief technology officer, said on his "Schneier on Security" weblog that the results are "something I've been saying for a while."

Schneier, the author of "Applied Cryptography," said that, although breach notifications can have a "boy who cried wolf" effect on some people, they're valuable because of the financial deterrent they present to companies.

"The main security value of notification requirements is the cost. By increasing the cost to companies of data thefts, the goal is for them to increase their security," he said. "Direct fines would be a better way of dealing with the economic externality, but the notification law is all we've got right now. I don't support eliminating it until there's something else in its place."

www.idanalytics.com www.schneier.com