Identity Theft

We last wrote about identity theft in March, but more evidence of the growing problem has been compiled. The Federal Trade Commission released a survey in September reporting that over the past five years, 27.3 million Americans have been the victims of identity theft, nearly 10 million just in the past year. The FTC's estimates are based on a telephone survey it conducted over four days last spring. Identity theft was defined as misuse of personal information open new credit card accounts, take out new loans or fill out legal forms such as crime reports or leases. It also included misuse of existing credit cards, bank and telephone accounts. The FTC recorded about 162,000 complaints last year, more than five times the 31,000 reported in 2000, but the survey made it clear that the number of ID theft victims is far higher than the number of individuals who file complaints. Losses to businesses and financial institutions totaled almost $48 billion. Consumer victims of identity theft reported more than $5 billion of out-of-pocket expenses, and collectively spent 297 million hours resolving problems related to the thefts.

How do identity thieves obtain personal information about consumers that they can exploit? The FTC study found that 23% of identity theft occurred because personal information such as drivers licenses, credit cards or mail was lost or stolen. Another 13% of cases involve theft of personal information during a transaction, perhaps from a credit card receipt taken during or after a purchase, or through telephone and Internet sales. About 14% of victims said that their personal information was taken and misused by someone they know - a family member or household employee. Perhaps not surprisingly, the remaining 49% of all victims don't know how their personal information was obtained by the thief.

The FTC's director of Consumer Protection, Howard Beales, told the Wall Street Journal, "We knew this was a problem before we did this report, we just didn't have any idea of the contour of the problem." He also noted that they had found no evidence that identity theft resulted from the deliberate sharing of consumer information between businesses or across corporate affiliates. This, of course, has been a key issue in this year's debate over reform to the federal Fair Credit Reporting Act, as well as ongoing debate in the states over privacy protections. To prevent ID theft, Beales urged consumers to keep close track of all credit card receipts (which often have complete account numbers printed on them), make purchases only over well-established Internet sites, and order a copy of their credit report once a year in order to detect any unauthorized new account activity. One of the key ID theft prevention measures in the FCRA bills that passed the House of Representatives in September was that consumers be entitled to one free credit report per year.

On a slightly contrarian note, some of the FTC's findings were challenged by Avivah Litan, vice president and research director of financial services for Gartner Inc., a consulting firm. Litan had collaborated with the FTC on its study. She maintains that the FTC overstated the actual number of ID theft victims because of an overly broad definition of what constitutes ID theft. Apparently, the data show that 11 million U.S. adults (5.5% of the population) were victims of credit card theft between May 2002 and May 2003. During the same period, 7 million adults were victims of identity theft. Litan says the FTC lumped the two groups together. Her explanation of the difference between the two groups makes some sense.

Credit card theft occurs when a thief steals a person's credit card or card number and make unauthorized charges. In contrast, identity theft occurs when a thief takes key pieces of personal information and opens accounts in the victims name. Litan argues that the two instances are treated very differently by creditors, and have different consequences for victims. She told Thomson Publishing's CardLine newsletter, "A victim of credit card theft is innocent until proven guilty. The victim and the card issuer know that a theft has occurred because they can see unauthorized charges occurring." The victim typically has very limited or zero liability for such charges, and the process for challenging and removing them from an account involves little more than a telephone call to the card issuer's 800 number. In contrast, "a victim of identity theft is presumed guilty until proven innocent." When a thief opens an account in a victim's name and fails to pay the balance, the creditor assumes that the account owner has just chosen not pay. Moreover, this can go on for an extended time period without the victim even being aware of it, with much more serious consequences for the victim.

These distinctions do seem useful to make as officials grapple with the growing problem of identity theft. Still, whether the correct number of ID theft victims is 7 million or 10 million, the problem is serious by either measure.