« Blogs and Academic Disciplines | Main | The Nebulous and the Constitution »

Saturday, July 30, 2005

Why Identity Theft Isn't Pretty


CNET News reports on a new survey by Nationwide Mutual Insurance that illustrates just how much trouble, aggravation, and downright pain identity theft causes victims:

Twenty-eight percent of victims have been unsuccessful in restoring their reputations, despite trying for more than a year on average, the Nationwide Mutual Insurance said in a report released Tuesday. The survey, which polled close to 1,100 victims, indicated that people spend an average of 81 hours working to resolve their cases.

"The survey shows that recovering from identity theft can be difficult, costly and stressful, but what is most alarming is that despite the time, money and personal duress victims go through, resolution is not always achieved," Kirk Herath, an associate general counsel at Nationwide Mutual, said in a statement.

More than half of all victims discovered the identity fraud themselves after noticing fraudulent credit card charges or withdrawn funds, the report indicated. It took respondents an average of five-and-a-half months after the first incident to discover the crime. Just 17 percent were notified by a creditor or bank of suspicious activity on their account.

The average sum of charges made to victims' accounts as a result of identity theft was $3,968, according to the survey. While most respondents were not held liable for the charges, 16 percent report that they had to shoulder some or all of the cost. Forty percent of respondents listed police, banks or credit issuers as difficult to work with when attempting to resolve the problem. . . .

In short, our information infrastructure is tremendously vulnerable to identity thieves and it is also not very good at helping victims of identity theft clean up the mess.   So there are problems in prevention and problems in redress.  Needless to say, that's not a pretty picture.

Posted by Daniel Solove on July 30, 2005 at 12:01 AM in Daniel Solove, Information and Technology | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference Why Identity Theft Isn't Pretty:


It is a mere fact somehow that not all people who have done theft and shoplifting voluntarily take education classes by free will. The court, in most cases, needs to issue an order for an individual to take court approved theft classes for his own good since he may never do it voluntarily.

Posted by: Shoplifting and theft class | Nov 8, 2015 8:28:34 AM

Isn't it a little intrusive to have a national ID system? Why should the public bear the burden of poor engingeering by an over-compensated corporation?

Posted by: Aaron Wright | Jul 31, 2005 9:00:34 AM

Another possible solution would be to make reliable information about a person more easily obtainable. If there was a national ID system, for example, with rigorous checks on the information input end (i.e., you have to go through a lot of hoops to prove you are you to make changes to it), then there would not need to be as many controls on the output end, and it would make sense to require credit reporters or credit card companies to check address changes against the one in the national system. (Having just gone through the process of getting a drivers license in Virginia, I have seen a "lot of hoops" in action.) Of course, while this might help against ID theft, it wouldn't help against stalkers.

Posted by: Bruce | Jul 30, 2005 10:04:19 PM

I agree that credit companies should be culpable for their shortsighted engineering. Are there any measures, in development or otherwise, that would help solve these problems?

Posted by: Aaron Wright | Jul 30, 2005 3:43:15 PM

Hear, hear!

One further remark for Jeff to supplement Daniel's is that these systems -- the very same systems that make it so difficult for people to keep track of their personal information -- were set up and function for the convenience of the companies who indeed should be held responsible. Their computers are structured in accessible fashion so that hackers can get into them. They use social security numbers as personal identifiers so that they can more easily share data between themselves.

The companies bear culpability because the companies created the vulnerabilities for their own benefit.

Posted by: Paul Gowder | Jul 30, 2005 11:25:22 AM


I totally disagree. The reason why ID theft is so difficult to detect is because people are so out-of-the-know when it comes to their personal information. If you only check your credit once a year, it's easy for 5 months to go by without discovering an anomaly. A thief can, with your Social Security number and date of birth, sign up for a credit card in your name, have it sent to some far flung location, and begin charging. You won't find out for a while. The bills won't be sent to your home -- they'll be sent to whatever address the ID thief supplies. And that's just one example.

The reason people don't find out until long after is because they are virtually shut out of the process. Do you know all the companies that have your personal information? Until recently, only California required companies that had a security breach compromising people's personal data to notify the individuals. What's also interesting about the study I spoke about in my post is that only 17 percent of the time were people notified by creditors about suspicious activity.

Blaming the victim is an easy way that companies try to deflect the blame from where it belongs -- on themselves. It is a cost foisted on individuals by the companies that trade in personal information. Consider the following, which I wrote in my paper, Identity Theft, Privacy, and the Architecture of Vulnerability:

A report by the Federal Deposit Insurance Corporation reprinted by the FTC suggests several tips for people to “minimize” the risk of identity theft:

-- Pay attention to your billing cycles. . . .
-- Guard your mail from theft . . . .
-- Do not give out personal information . . . .
-- Keep items with personal information in a safe place. . . .
-- Give your SSN only when absolutely necessary. . . .
-- Don’t carry your SSN card; leave it in a secure place. . . .
-- Order a copy of your credit report from each of the three major credit reporting agencies every year. . . .

The general advice is that if people take a number of steps, identity theft will be minimized. However, personal data is often collected unwittingly, without consent; SSNs are frequently used and refusal to give out one’s SSN results in considerable inconvenience; and many people cannot even name the three major credit reporting agencies, let alone request a copy of their credit reports, for which they are charged a fee. Even if people did take all these steps, the risks of identity theft are still not significantly minimized. According to an official at the FTC, “[t]here is no way you can fully immunize yourself from identity theft because the information is out there.”

One meaningful way to take preventative steps is for people to monitor their credit reports once a month. But that option wasn't given to people; instead, people are given just one free credit report a year. Moreover, other tools that people can use to prevent ID theft -- such as credit freezes and others -- are not provided to them. The point is that the law has denied people the appropriate tools to protect themselves. This is due in large part to the information industry's vigorous lobbying.

Finally, in many instances, police won't investigate complaints of ID theft. In my paper, I explain why this occurs.


Posted by: Daniel Solove | Jul 30, 2005 12:23:11 AM

Credit card companies and other institutions can't share all the blame if average respondents take five and a half months to discover a crime. Would you expect the police to catch a burglar if the victim reported the crime 5 and a half months later? Would you expect the insurance company to replace the lost goods? I'm denying the fact that identity theft is a growing, serious problem. But some responsibility for preventing it should lie with the individual.

Posted by: Jeff V. | Jul 29, 2005 11:59:20 PM

The comments to this entry are closed.