Separating myth from reality in ID theft
Despite big leaks and public perception of threat, few people whose personal information is exposed are ever victimized.
A laptop had been stolen from the University of California at Berkeley in March, and stored on it was personal information on 98,369 graduate students or graduate-school applicants, including Hayes.
The breach--which exposed names, dates of birth, addresses and Social Security numbers--was widely reported in the media, and the school created a special Web site to help individuals who found themselves suddenly vulnerable.
What's new:
Widespread media reports have given rise to much misinformation and confusion around the issue of identity theft.
Bottom line:
Though headlines create the perception of rampant hackings or corporate blunders, few people whose personal information is exposed are ever victimized.
• FAQ: Identity fraud uncovered
• Calendar: What Congress is up to
• More stories on identity theft
In the months since, however, not a single case of stolen identity related to the incident has been reported. The laptop was recovered in September, and police believe that the thief was interested only in the computer, not in the information in its files.
"I have not seen any ramifications," Hayes said.
It is always possible that a crime may yet occur or has simply gone unnoticed. But the Berkeley incident underscores the reality of ID theft, which is often portrayed as a scourge in our increasingly digital society. Though headlines create the perception of rampant hackings or corporate blunders, few people whose personal information is exposed are ever victimized.
Widespread media reports have given rise to much misinformation and confusion around the issue. Many people believe that shopping or banking online increases the risk, for example, though the chances of fraud are far greater in the brick-and-mortar world.
Online and off
Just 12 percent of identity fraud cases last year occurred because the victim was active online, while 63 percent happened as the target used traditional channels, according to a survey by Javelin Strategy & Research, which tracks such data. The information is based on a survey in which 54.1 percent of ID theft victims were able to identify how fraudsters obtained their personal information.
"The most extreme forms of identity fraud are pretty rare," said James Van Dyke, an analyst at Javelin. He identified true ID fraud as those cases in which an individual used another person's name to take out a loan, apply for a credit line or even post bail after an arrest.
"The most extreme forms of identity fraud are pretty rare."
Moreover, in those cases when online consumers do fall victim to fraud, they find out faster and suffer much lower financial losses than victims who relied on more traditional means of interaction, such as paper statements from banks--an average per incident of $551 as opposed to $4,543, according to the Javelin survey.
About two-thirds of what is reported as ID theft today is credit card fraud, which cardholders are protected against by federal law, according to Federal Trade Commission data released earlier this year. Legally, the maximum liability for a consumer in credit card fraud is $50, but all major credit card companies have "zero liability" policies.
The FTC study found that most victims were able to solve their problems within a week. And even though credit card fraud is far more prevalent than full-scale identity theft, the aggregate of both categories is relatively small.
To assess the chances of falling victim to such crimes, consider these statistics: In 2003, 10 million U.S. residents were the victim of ID theft, according to the FTC; by comparison, in the same year, 20 million people got into a car crash, according to the Insurance Information Institute.
"Of all data compromises, only about 2 percent of the accounts that are compromised are ever used fraudulently," said Rosetta Jones, a
spokeswoman for credit card company Visa USA. "You really are talking about a very small percentage of accounts that will ultimately result in fraud, which means very few consumers are impacted."One reason for the persistent worrying over ID theft is the sheer numbers involved in many security lapses. Since February, more than 50 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.
"It really is not possible for industry people to state conclusively that security breaches don't lead to identity theft."
The causes of the breaches include hacking, lost data backup tapes, dishonest insiders, lost or stolen computers, and exposure of data because it was not stored securely. But when the number of ID theft victims for this year is tallied, there won't likely be a clear link with the data breaches, Van Dyke said.
"I would be surprised if we see a strong correlation between some of these massive data breaches and individual fraud loss," the Javelin analyst said.
But not everyone agrees. "Almost half the victims don't know how their identity was stolen. It really is not possible for industry people to state conclusively that security breaches don't lead to identity theft," said Beth Givens, director at the Privacy Rights Clearinghouse. "ID theft is at epidemic proportions."
Pinpointing the problem
Another reason behind exaggerated fears is confusion over the term "identity theft" itself. "It really is a misnomer," Van Dyke said. An identity can't be stolen but can be used fraudulently, he explains; hence, experts prefer to use the term "identity fraud."
Within the definition of identity fraud, researchers distinguish between "existing account fraud," such as credit card fraud, and "new account fraud," where new accounts are established in the victim's name.
"I don't believe the incidents of true identity theft are as high as the general public might think," said Cheryl Charles, a senior director at BITS, a business strategy and technology group in the Financial Services Roundtable, which represents 100 of the largest U.S. financial institutions.
"The online environment is really pretty safe. Most identity fraud tends to occur in the paper environment," she said.
Having data fall off a truck does not typically result in a crime that costs someone money. "Even though the loss of data is a concern, it doesn't mean it will lead to actual identity theft," Charles said. "Just having access to the information does not mean somebody could succeed in committing identity fraud."
Perception, however, is reality for many people. So despite evidence of relative safety, nearly 80 percent of U.S. residents fear identity fraud, and that angst is keeping nearly half of registered U.S. voters from conducting business online, according to two separate surveys published over the summer.
And when ID fraud does occur, the consequences can be costly. In 2004, Javelin's research found that the average loss due to identity fraud was $5,686 per victim and in the more serious category of "new account fraud," $12,646.
Several years ago, identity fraud was labeled by the FTC as the fastest-growing crime in the United States. In a 2003 survey, the agency said 10.1 million U.S. residents had suffered from it in the previous 12 months, with $51.4 billion lost. In a follow-up study a year later, Javelin identified 9.3 million victims with $52.6 billion in losses.
Anecdotal evidence for 2005 shows that the numbers will stay flat, Van Dyke said. "The good news is that identity fraud is no longer the
nation's fastest-growing crime," he said. "The bad news is that it is not going away. Instead, it is holding steady."The wide reports of ID theft have made people more vigilant, which all sides agree is a good thing. For one thing, "we need to do a better job of not keeping our paper available," said Charles, who recommends canceling paper statements from a bank, credit card issuer or a utility company.
Keeping watch
Hayes monitors her credit card and bank account daily via the Internet and requests a credit report twice a year. Though she has not fallen victim to fraud from the U.C. Berkeley incident, she has had other experiences with identity theft.
"The online environment is really pretty safe. Most identity fraud tends to occur in the paper environment."
Five years ago, someone bought a cell phone in her name, unbeknownst to her, until a collection agency came looking for money. It took some effort, but the mess was cleaned up, and her credit score restored.
"I think we need a whole better system," said Hayes. "Identifying people by their Social Security number simply isn't working."
Like many other careful consumers, Hayes now shreds all documents that contain sensitive information before she discards them. About 10 million shredders are sold every year worldwide, according to shredder manufacturer Fellowes of Itasca, Ill.
"We have seen significant sales growth," said John Fellowes, director for shredders at the company that bears his name. "The industry is up about 10 to 15 percent over the previous year."
But experts point out that, while shredding is smart, only 2.5 percent of ID theft cases last year was linked to dumpster diving. By contrast, 8 percent was traced back to the mailbox, a much cleaner way to find identifying information. Almost one-third of all fraud occurred because of a lost or stolen wallet.
As a result, though some fear of ID theft is justified, experts in the field stress that it should not dominate anyone's life.
"There are certain things that are just silly to do in today's world, like throwing out your tax documents and credit card statements in a plastic bag on your curb without first shredding them," said Monique Einhorn, an attorney at the FTC. Nevertheless, she added: "People have to balance their own paranoia and security issues against convenience."