THE UNFORTUNATE story of ChoicePoint Inc., a company that sold private data on about 145,000 people to criminals, illuminates a small part of the larger problem of identity theft. The Federal Trade Commission estimates that about 10 million Americans are victims of identity theft each year and that the annual cost to the economy comes to $50 billion. Some of this theft is unsophisticated -- laptops full of personal data disappear, stolen credit cards get used to make unauthorized purchases -- but a lot occurs online. Thieves hack into your bank's computer system and help themselves to your account numbers. Or they send scam e-mails encouraging you to renew your account on eBay by providing your name and other particulars. Or they infect your computer with "spyware" that can extract information from your hard drive. Once a villain has your name, date of birth, address and Social Security number, you are permanently in danger. Your shadow could take out an auto loan or go on a credit card spree today. Or he could strike five years down the road.
The first line of defense against identity theft must come from individuals. You can call the three major credit reporting agencies to see if any new credit cards or other loans have been taken out in your name, unbeknownst to you. If you fear that your data have been compromised, you can ask the reporting agencies to put a "fraud alert" on your account, so new credit cards cannot be issued without some extra checking that the alleged you is really you. Of course, this is a nuisance, but it's a minor nuisance set against the vast convenience of computers and electronic payment systems.
_____Today's Post Editorials_____
|
| |
|
Credit card companies and other lenders can also do their part here. They already query unusual purchases to check whether the cardholder really made them. They could extend this caution by searching for suspicious patterns in ordering up new credit cards or loans. For example, a change of address that's followed a few weeks later by a request for a new credit card is often a sign of fraud.
This nongovernmental response to identity theft can be bolstered by technology. New software can check whether an e-mail really comes from the person listed in the "from" line, and even where the sender is physically located. Many scam e-mails purporting to be from eBay or your bank or some other local institution actually come from foreign criminals, so geographic "sender ID" technology could foil such attacks. Nike Inc. and the Food and Drug Administration already use versions of this technology. Given that e-mail scamming -- known as "phishing" -- is growing exponentially, other organizations are likely to follow.
But the second line of defense against identity theft will involve the government. This is not the preferred option, since laws are often a poor way of chasing fast-moving technology; a 2003 law against spamming has accomplished little. But some states have experimented with legislation that deserves to go national. California gives people the option of doing more than placing a fraud alert on their credit history, which can only be extended beyond 90 days if the threat of fraud is documented; instead, Californians can freeze their credit data indefinitely, so no new loans will be extended to themselves or their shadows. California also requires corporations whose data have been compromised to inform affected individuals. Congress should consider extending this prin- ciple nationwide as well.
The ChoicePoint story raises a final question. Should it be legal for companies to make a business out of selling your Social Security number to whomever wants to buy? There are benefits to the wide availability of data: Adopted children can track down their birth parents; estate executors can track down heirs. But it's not clear that these uses require or justify a market in Social Security numbers -- especially when you consider the danger that you aren't the only you.
