To Thwart the Identity Thieves
By Alex Salkever
In Phoenix, a burglar allegedly lifted a computer from TriWest Healthcare Associates that holds key personal information, including Social Security numbers and health records of 500,000 U.S. Defense Dept. employees from 16 Western states. In Long Island, N.Y., a low-level clerk at tech company TCI is charged with downloading 30,000 credit reports without authorization and selling them to two accomplices for $60 a piece to assist a wide-ranging identity-theft caper. At Boston College, authorities say a computer-science student installed software to grab keystrokes on hundreds of campus computers to harvest personal information. They allege that he nabbed key data input by thousands of professors, staff, and fellow students, including hundreds of Social Security numbers.
Each of these frightening incidents occurred within the last six months. Connect the dots, and you find a uncontrolled epidemic of identity theft. It's not that no laws are on the books: All but five states have enacted their own identity-theft laws. The federal government passed the Fair Credit Reporting Act in 1996, which gives individuals better access to their credit reports. And Uncle Sam made identity theft a federal crime in 1998.
None of these measures, however, has made even a dent in the levels of ID theft. According to numbers collected by the Federal Trade Commission, reports of identity theft rose by 88% last year to 380,000 from 220,000 in 2001. The real total could be closer to 1 million victims, considering that many don't bother to report their situation to the FTC.
Some states have enacted decent laws aimed at slowing this epidemic. In July, 2003, a California state law mandating that businesses disclose database security breaches to customers takes effect. And the federal government is finally tackling the problem in earnest this year with bipartisan support for a handful of ID-theft-prevention bills. Still, something more radical is required to fix a system so fundamentally broken.
ID-theft complaints logged in the FTC's Consumer Sentinel database account for 43% all complaints. That's the highest percentage of any category for the third year running. Out-of-pocket costs for victims of ID theft skyrocketed from $160 million in 2001 to $343 million 2002, according to the FTC. Keep in mind, again, that the commission's numbers indicate only a trend and hardly capture the whole picture.
Unfortunately, the trend is crystal clear: Identity theft will grow more common in the next year. Usually, victims don't realize that someone has started using their identity until 14 months after the fact. So the recent big arrests probably indicate that ID theft will rise again substantially in 2003. Based on these types of projections, consultancy Meridien Research found that ID theft costs to banks and brokerages alone will grow from $3 billion nationwide in 2002 to $8 billion in 2006 if current laws are not changed.
For sure, change is afoot. California Senator Dianne Feinstein has introduced three bills (and a fourth is being worked out) aimed at stopping identity theft (see BW Online, 2/11/03, "'A Strong National Standard' vs. ID Theft"). The bills, among other things, require that retail establishments truncate credit-card numbers on printed receipts, penalize credit-card companies that ignore customer-fraud reports and continue to issue credit to an ID thief, prohibit the sale of Social Security numbers to the general public, and let individuals prohibit a company's sale or marketing of less-sensitive personal information like name, phone number, and e-mail address.
In past years many of these provisions would have faced tough sledding against powerful lobbyists from credit-card companies, credit agencies, and big banks. Feinstein has proposed similar bills before, and they've never gotten to a full floor vote. This year, according to Feinstein, chances for passage look much better. Constitutient outrage and shocking stories told before congressional committees have helped galvanize lawmakers. One reform advocate startled Feinstein by securing a credit card in her name after purchasing her personal information on the Internet.
The big kahuna, however, is California. The Golden State has already enacted many parts of Feinstein's legislation, and with its tech orientation and massive regional economy, California state policy can cause ripples far and wide. Effective January, 2003, businesses operating there can no longer use Social Security numbers to identify customers. Likewise, a new state law allows consumers to freeze their credit reports and stop all new additions so ID crooks can't grab new credit cards, bank accounts, or loans.
PICK A PROVIDER.
I think government needs even more radical steps than what California has undertaken and what Feinstein is proposing. First, real accountability in the credit industry must be created. What better way to do that than create a free market? Why not pass a law saying consumers will be allowed to designate one of the three existing credit-reporting agencies as their personal credit-history provider. By that same law, only my personal credit provider would be allowed to respond to credit inquiries on my behalf.
Credit-card companies and banks could easily insert this step into the credit-application process as a simple line item asking which of the big three you use. As part of the deal, allow the three credit-rating giants to charge an annual fee for this service -- something they're already doing with their subscription update services.
In essence, they would then be working not only for the companies they service but the customers paying them to guard credit histories. Trans Union, Experian, and Equifax (EFX ) would want to keep as many people on their rolls as possible for two reasons -- smaller customers lists would mean less business from big corporations as well as less revenue from individuals. In this competitive environment, the agencies would respond more readily to individual concerns. So if I think my credit bureau isn't doing a good job protecting me, I can go next door.
CLOSING A HOLE.
Next, I would establish on a national level something akin to the California database-breach law, albeit with a twist. That law has a giant loophole for ongoing criminal investigations. I would eliminate that loophole and mandate unconditional notification. Allowing a big ID-theft ring to operate unchecked while authorities investigate would levy an unacceptable social cost on individuals. And alerting them of the problem early would ultimately make ID theft less lucrative. The faster victims can respond by freezing their credit, the less money could be harvested.
I'd even add in a condition that companies facing database breaches provide lists of individuals who may be affected to the credit agencies. Activity on those accounts should receive a higher level of scrutiny.
All of these things would cost money and possibly make it more expensive to keep the credit system running. As it stands now, ID theft also exacts a steep cost. Average out-of-pocket expense to a victim runs $800 according to a 2000 study by Privacy Rights Clearinghouse, an advocacy group in San Diego. Victims generally spend hundreds of hours cleaning up their accounts, something that has no dollar value attached to it now. And as ID theft increases, individuals will be asked to pay a higher and higher price to keep the credit industry running.
True, the financial industries and other parts of the economy also pay for ID theft. But under the current system, individual victims get hit the hardest even though they rarely share any of the blame for the crime. The only way to reverse that injustice is to shift the burden and the cost to those who bear the blame.
Only when it's truly in the financial interest of business and the credit agencies to stop identity theft, will this plague be thwarted. Until lawmakers reform the credit-reporting system to conform with that simple principle, identity theft will continue to spread out of control.
Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column