Much of the consumer angst about privacy is driven by the fear of becoming a victim of identity theft. As a result, new federal and state legislation is being introduced almost daily.
The resulting laws often create new obligations for financial institutions. The credit card number truncation laws passed by many states are one example. Credit file blocking is another.
Yet all this legislative activity may not be justified by the facts.
There are many reports about how widespread identity theft is and how many people are affected. Of course, all reports show it is increasing, since tracking of the crime began fairly recently, but a General Accounting Office report issued last month revealed that, surprisingly, consumer ID theft is difficult to gauge and may occur less frequently than the public perceives.
The report was issued in a letter to Sen. Dianne Feinstein, D-Calif., and defines identity theft as the stealing of personal identifying information, such as Social Security number, date of birth, and mother's maiden name, and fraudulently using that information to establish credit or take over existing accounts.
The report states that it is difficult to fully or accurately quantify the prevalence of identity theft, but estimates that the crime involves from 250,000 to 750,000 victims annually. These numbers are not supported by the findings in the report.
How Accurate Are the Numbers?
The report contains many qualifiers and assumptions: "There are no comprehensive statistics," the prevalence of identity theft is "not specifically or comprehensively quantifiable," and there is "no information to gauge the extent to which these assumptions are valid." Yet the report still attempts to quantify identity theft. However, the numbers in the findings are much lower than the numbers in the conclusion.
Consumer reporting agencies said about 90,000 individuals placed fraud alerts on their consumer reports in 2001. Since the first piece of advice given to victims is to provide victim statements to consumer reporting agencies for inclusion in their consumer report, one would think that consumer reporting agencies have a reasonable estimate of the number of victims.
The much-publicized FTC Identity Theft Data Clearinghouse reported about 94,000 calls over a two-year period. The Social Security Administration Office of the Inspector General reported about 65,000 calls concerning Social Security number misuse, but those calls do not necessarily indicate identity theft. The Federal Bureau of Investigation reported 645 arrests in 2000, a decline from the previous year.
What About the Cost?
Even without a definitive number of victims, there should be a calculable cost to identity theft. As cited in the report, MasterCard and Visa estimate their identity theft fraud losses at $114.3 million in 2000.
However, the GAO, which uses a definition of identity theft similar to that of the two institutions - use of another person's identifying information to take over an existing account or to make fraudulent applications - seems to find this number too low.
The GAO appears to prefer statistics regarding losses reported by MasterCard and Visa in the $1 billion range. This figure includes all payment card fraud, including losses from lost and counterfeit cards.
Even the higher number constitutes only one-tenth of 1% or less of member banks' annual sales volume, and the GAO acknowledges that all of these losses are borne by financial institutions, not consumers.
Finally, the GAO report discusses losses to consumers. Identity theft is a serious crime, and even though consumers may not generally suffer financial losses from identity theft, they do suffer emotional and other nonmonetary harm, as well as lost time, that needs to be considered and alleviated if possible.
But even the level of consumer harm cited in the report is at variance with the general perception.
As noted above, the FTC Identity Theft Clearinghouse received over 94,100 complaints from victims in a two-year period. Of these, 2,633 reported actual out-of-pocket expenses (2.8%); 7,000 were denied credit or other financial services (7.4%); and 3,500 lost time trying to resolve their problems (3.7%). Thus, only about 14% of the consumers who called the FTC suffered any harm at all.
Identity theft harms people who may not be aware that they have been victimized until much later. It is a crime that is often unpreventable. Congress has passed a law that makes identity theft a crime against the consumer, not just against the financial institution. Many states have passed similar legislation.
Law enforcement agencies in various jurisdictions are working toward coordinating their prosecution of identity theft. Financial institutions and credit bureaus have improved their processes to simplify and shorten the time it takes victims to get their lives back in order.
It may be that more can be done to assist victims. However, the prevalence of the crime should not be exaggerated and used as an excuse for every new privacy law. The GAO report should be used to debunk the exaggerated numbers, rather than to rubber stamp arguments that more privacy laws are necessary.
