We have heard a great deal about identity theft over the last few years, and the ever-increasing risk in the age of the Internet of having our names and credit ruined by imposters. An entire industry of cybersecurity generated from the hype. These fears crescendoed when reports of lost and stolen laptops from various federal agencies arose over the past few months, computers which held the personal data of hundreds of thousands of taxpayers.

But does the problem really exist on the level claimed by the security providers and the media that reports breathlessly on identity theft? In today's Washington Post, Professor Fred Cate of Indiana University says the risk has been vastly overrated by government and industry officials. The researcher for cybersecurity says that most identity theft comes from more mundane sources:

Identity theft is getting a lot of attention these days -- from news stories about missing laptops and lost data to television commercials for fraud prevention and credit monitoring services. Congress has held hearings, and members have issued forecasts of an impending plague of identity theft. Rep. Edward Markey (D-Mass.), in a statement typical of many of his congressional colleagues, said that "Social Security numbers and date-of-birth information are pure gold in the hands of identity thieves, who quickly convert them into credit cards and cash equivalents to perpetrate massive frauds."

When a laptop was stolen from the home of a Department of Veterans Affairs employee this year, newspapers across the nation editorialized about the dangers facing the people whose data were on the computer. The Post alone published more than 40 stories and wrote that "26.5 million veterans were placed at risk of identity theft." The VA notified all 26.5 million of them and asked Congress for $160.5 million to cover the cost of one year of credit monitoring for the veterans.

Then the laptop was recovered -- the data untouched and the risk of identity theft shown to be nonexistent.

The happy ending to the VA saga should have come as no surprise. The fact is that few if any such breaches lead to identity theft or other consumer injuries.

Cate notes that a study by a national fraud-detection network puts the attempted identity thefts from stolen hardware at no higher rate than any other kind of identity theft. The people who stole the laptops probably never realized what they had, and even if they might, probably lacked the resources to exploit it. The overall rate of one attempted fraud per 1,020 stolen accounts approximates the overall risk of fraud, according to Cate. Hardware thefts have no greater likelihood of generating identity theft.

In fact, the study showed that half of all identity theft and fraud comes from the mechanism most people would have suspected before the age of the Internet: a lost or stolen wallet, checkbook, and/or credit card. And it gets even more personal than that. For the cases in which the perpetrator is identified, 35% are family members of the victim, and another 18% are friends or neighbors. People who have their identities stolen or manipulated for fraud are more likely to know the fraudster personally. Another 23% comes from dishonest employees where victims shop. That accounts for 74% of all identity fraud, even today.

The government has published estimates of what it calls identity fraud that reach up to 10 million cases every year. However, the vast majority of those cases are routine credit-card fraud, and consumers have a limited liability for such crimes. Congress passed a $50 cap on consumer responsibility for charges on lost or stolen credit cards, and most companies don't bother to bill victims at all.

So while the government and the media broadcast the scary numbers of exploding victimhood, how many cases of <>true identity theft have we found? In the last half of 2004, the Justice Department estimated only 538,700 cases in which the victim's information was used to set up fraudulent accounts. The put out a more public estimate of 3.6 million cases, which included those cases that only involved th use of stolen credit-card information. In 2005, the FTC only investigated 250,000 cases of real identity theft.

Does this mean we can be foolish with our Social Security numbers and leave personal data around with impunity? Of course not, and one of the reasons why the cases of real identity fraud are dropping is probably the increased awareness of the risk. We can stop buying the hype from the media and from the myriad of security products that prey on the overblown fears of Internet predators and recognize that the risk is manageable.

Trackback Pings

TrackBack URL for this entry is