By Fred H. Cate
Saturday, October 14, 2006
Identity theft is getting a lot of attention these days -- from news stories about missing laptops and lost data to television commercials for fraud prevention and credit monitoring services. Congress has held hearings, and members have issued forecasts of an impending plague of identity theft. Rep. Edward Markey (D-Mass.), in a statement typical of many of his congressional colleagues, said that "Social Security numbers and date-of-birth information are pure gold in the hands of identity thieves, who quickly convert them into credit cards and cash equivalents to perpetrate massive frauds."
When a laptop was stolen from the home of a Department of Veterans Affairs employee this year, newspapers across the nation editorialized about the dangers facing the people whose data were on the computer. The Post alone published more than 40 stories and wrote that "26.5 million veterans were placed at risk of identity theft." The VA notified all 26.5 million of them and asked Congress for $160.5 million to cover the cost of one year of credit monitoring for the veterans.
Then the laptop was recovered -- the data untouched and the risk of identity theft shown to be nonexistent.
The happy ending to the VA saga should have come as no surprise. The fact is that few if any such breaches lead to identity theft or other consumer injuries.
A 2005 study by ID Analytics, which operates a nationwide fraud-detection network, found that even when the missing information included credit card numbers or other account-level data, the risk of identity theft was no greater than for accounts from which no information was lost or stolen. Two years after a theft, only one out of every 1,020 account holders whose information had been stolen -- less than one-tenth of 1 percent -- had been targets of any attempted fraud.
The reasons are not hard to discern.
First, the term security "breach" is so broad that it includes cases, such as that of the VA employee, in which the target of the theft was equipment, not data. In fact, most security breaches involve the accidental loss of information or equipment rather than a deliberate attack on data.
Second, identity theft is most commonly the result of data being obtained directly from victims, not through security breaches. According to a 2005 Javelin Strategy & Research survey, for the half of victims of identity-based fraud who knew where their information had been obtained, the most common source was a "lost or stolen wallet, checkbook, or credit card."
Thirty-five percent of identity-theft cases in which the perpetrator was identified involved a "family member or relative," and 18 percent a friend or neighbor. That means that roughly half of all known identity thieves were not strangers. Another 23 percent of such cases involved dishonest employees. Altogether, three-fourths of identity theft cases did not involve access to the kind of third-party data obtained through a security breach.
Third, identity theft affects far fewer Americans than the hype suggests. Although the figure most commonly cited in the media is 10 million U.S. victims a year, in April the Justice Department put the number at 3.6 million for the second half of 2004.
But more than half of those cases (two-thirds, according to the Federal Trade Commission) actually involve credit card fraud. This is good news, because Congress long ago limited consumer liability for credit card fraud to $50, and the universal industry practice is to waive that charge.
The Justice Department estimates that there were only 538,700 cases of true identity theft (those in which personal information was used to open accounts in the victim's name) in the second half of 2004. The FTC received about 250,000 identity-theft complaints in 2005. Moreover, research shows that identity theft is on the decline.
The danger of the security breach frenzy is not merely that it exaggerates the risk of identity theft and the role that security breaches play but that it ignores greater threats, such as the involvement of organized crime and the emergence of new and harder-to-detect frauds, that menace our increasingly information-dependent society.
The writer is director of the Indiana University Center for Applied Cybersecurity Research and a distinguished professor of law and adjunct professor of informatics.