Identity Theft & Fraud
For awhile we have all known identity theft has been the fastest growing crime in the United States. In fact, during fiscal year 2006 the Justice Department increased the number of identity theft cases it prosecuted by 94% from 2005.1The Identity Theft Resource Center (ITRC) estimates there are 10 million victims of identity theft a year which means every minute about 19 people become new victims. While this number is staggering, it could be just the tip of the iceberg. CIO Magazine’s President, Michael Friedenberg predicts identity theft will reach epic proportions in 2007 and that ultimately the CIO will be held responsible for data security and maintaining customer trust.
Most of the identity theft and fraud statistics available today relate to incidents of “account fraud,” which is unauthorized use of someone else’s account, and “true identity fraud,” which is using someone’s name and information to open up a new account such as a credit card, car loan or mortgage. A more threatening form of identity theft and one harder to detect is “synthetic identity theft,” which is when a fraudster combines identity elements of real people to create a fabricated identity. According to a statistical analysis conducted by ID Analytics, synthetic identity fraud comprises 88.3% of all identity fraud events and 73.8% of the total dollars lost by US businesses.
Data Breaches
In February 2005 one of the largest data brokers, Choicepoint, announced that identity thieves opened accounts to access the company’s databases of personal information on consumers. Since then, the Privacy Rights Clearinghouse has tracked the number of reported incidences of compromised data records that contain sensitive information identity thieves find useful, such as social security numbers, account numbers and driver’s license numbers. At the end of January 2007, the organization shows that 100,738,417 records have been involved in security breaches.
These incidents occur in a variety of industries including government, education, finance and retail and cover accidental breaches such as misplaced or stolen laptops as well as intentional crimes involving improperly secured websites and databases.
Prior to the incident with Choicepoint, many consumers were unaware that data broker companies existed and were able to compile profiles of them based on information available from what is commonly referred to as public data records. A general misconception about the term public data records is that these records are open to the public and easily accessible. The term public in this scenario is used to describe the information that legally comes from the public domain versus credit data. Public data sources include information from property records, driver’s license and motor vehicle registrations among others, all of which are not readily available to the public at large and in some instances not available at all.
Since data brokers do not need permission to collect and sell consumer information, many are calling for regulation to establish how companies can collect and use personal information. Specifically, Daniel Solove and Chris Jay Hoofnagle, called for the collection of such information by data broker to be consistent with the Fair Information Practice Principles in their paper titled “The Model Regime of Privacy Protection.”6 Specific legislative suggestions discussed include a way in which consumers have the ability to correct erroneous information that may exist within aggregated data brokers and the negative affects identity theft has on credit reports.
While credit bureaus offer fraud alerts and monitoring there is still confusion about the steps needed to clear one’s fraudulent information. And most data brokers currently do not provide similar services. As Shelia Gorden, Director of Victim Services at the ITRC states, “Many think that credit monitoring services will completely protect them. In truth these services only play a partial role in notifying consumers of potential financial identity theft cases.”7 Addressing this issue presents an excellent market opportunity for companies willing to take on the challenge by providing services to monitor and correct information in personal information files.
Consumer Privacy
Hand in hand with data breaches is the issue of consumer privacy. With the Fair Credit Reporting Act in 1970 consumers have been protected from the disclosure of inaccurate and arbitrary personal information held by consumer reporting agencies. However, this act does not restrict the amount or type of information that can be collected.
