The Cost of ID Theft, Part 1: Beyond Dollars and Cents
Private, personally identifying information is everywhere, from portable computers and digital devices, to the Internet and private networks. This data can be obtained so easily -- either through technology or more mundane means -- and its theft is so often glamorized on film, that it is starting to attract a younger generation to criminal ranks.
The scope of ID theft has grown so quickly that it now takes up a substantial -- and growing -- portion of law enforcement resources. Personal ID theft more than tripled in the U.S. in 2007, according to USA Today.
Records containing personal data on more than 215 million U.S. residents have been exposed due to security breaches since January 2005, according to the Privacy Rights Clearinghouse. Those for whom a breach turns into something far worse -- actual ID theft -- the financial and emotional burdens can be tremendous.
ID Theft in Dollars and Cents
The average cost of an identity fraud case closed by the U.S. Secret Service was US$31,000 between 2000 and 2006, according to a study by the Center for Identity Management and Information Protection. Among more than 700 cases, dollar losses ranged from zero to $13 million.
The ultimate cost to ID theft victims varies across industries, Uriel Maimon, senior researcher for the software firm RSA, told the E-Commerce Times. "In the banking and electronic commerce industries, the end user is usually indemnified, and most of the damage is done to the business," said Maimon. "The end users are usually affected by the trauma and paperwork of the experience but can usually recuperate most of their losses."
The economic cost of remediation has been coming down. Thanks to recent changes in legislation and business practices, remediation efforts don't cost much money for people who are victims of a security breach and hence potential victims of ID theft.
Fraud alerts, security freezes and credit reports for such cases are free or cheap and are relatively straightforward to set up, since organizations are required to provide them. For example, free annual credit reports are now obligatory under federal law. Losses can mount and become serious quickly, however, if a security breach turns into financial fraud or criminal ID theft.
Cases of criminal identity theft, where the impostor uses the victim's identity when arrested or cited, are increasingly reported, according to the Identity Theft Resource Center. Criminals are also using victims' Social Security numbers to work, collect welfare or unemployment, and get medical benefits.
Getting Your Money Back
Though the costs of remediation have declined, victims have been recouping less of losses claimed. While there are concrete steps to fixing the causes and effects of ID theft, the process is usually drawn out by a variety of factors. The effort of recovering can have serious long-term consequences.
"Headaches and the frustration of proving you are you and not an identity thief aside, identity theft is costly," maintained John Livingston, CEO of Absolute Software, which has been working with computer manufacturers to install the company's Computrace LoJack security and tracking system on computers before they reach store shelves.
"In 2004, consumers could expect to recover 80 percent of the money they lost due to identity theft. By 2006, that had dropped to 54 percent. Businesses can expect to pay an average of $197 per customer record should they lose a laptop containing the sensitive information of their customers," Livingston told the E-Commerce Times.
A Waste of Time and Energy
Victims in 2004 spent an average of 330 hours, often stretching out over a period of years, recovering from ID theft and crime, compared to 600 hours in 2003, according to ITRC studies. ITRC attributes the range in 2004's reported hours -- from three hours to 5,840 -- to the severity of the identity theft. A lost credit card typically takes fewer hours to solve than the use of your Social Security number by a would-be evil twin.
In both years, about a third of respondents said that they spent a period of four to six months recovering from ID theft. In 2004, only 11 percent of people said they had been dealing with their ID fraud case for seven months two a year. In 2003, 23 percent had wrestled with a case for nearly a year. However, in 70 percent of cases studied in 2004, people noted that they continued to find negative ID information on their records after more than a year, up from 66 percent in 2003.
Problems associated with ID theft don't stop when the crooks are caught or remediation efforts end. After-effects include increased insurance and credit card fees, difficulties finding a job, higher interest rates and fighting collection agencies and credit card issuers who refuse to clear their records despite substantiating evidence. "This 'tail' may continue for more than 10 years after the crime was first discovered," according to the ITRC.
Disturbingly, ID theft is often committed by family members and friends. Forty-three percent of victims in the ITRC's 2004 study believed they knew their impostor; 14 percent said that it was an employee of a business that had their information. "There continues to be a lack of understanding by friends, family and the general public regarding the emotional impact of this crime on the victims, both short term and long term," writes the ITRC's Linda Foley in its ID Theft 2007-2008 review and predictions report.
The emotional impact of ID theft on victims is akin to that felt by victims of more violent crime, according to the ITRC. "Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members," according to the study.
More than 40 percent of respondents in both years' samples reported "stressed family life," perhaps due to their displaced anger. Nine percent and 16 percent in the respective surveys responded that their relationships were "on the rocks" or ended as a result of their victimization.
Digital ID Theft
Much attention has been devoted to Internet and computer ID theft, but it turns out that the majority of ID fraud cases are the result of more traditional methods. "The most frequent type of employment from which personal identifying information or documents were stolen was retail, including stores, car dealerships, gas stations, casinos, restaurants, hotels, hospitals, and doctors' offices," reported the ITRC authors, among which included professors at Utica College's economic crime and investigations programs.
"Identity theft is not an invention of the computer age. Mailbox and dumpster diving still account for a significant amount of the information used to affect identity theft, however computers are an enabling technology," noted Randy Abrams, security software firm ESET's director of technical education.
"While the Internet is not the culprit, it has become a tool that identity thieves have embraced and abuse to find victims and commit fraudulent activities. Scamsters continue to exploit Web sites that promote online auctions and want ads, job hunting, dating and social networking to find victims," the ITRC's Linda Foley writes. Scams appear in predictable phony form letters for everything from lotteries, jury duty, IRS audits and Nigerian businesses to fake requests for financial account verification, money laundering and check cashing.
The longer the security breach and potential ID theft goes unrecognized, or remediation is postponed, the greater risk you run of serious criminal ID theft. In 2004, 37.5 percent of those surveyed in the ITRC's study reported that they found out about their ID theft within three months, down from 48 percent in 2003.
Eighteen percent of respondents in 2004 said that it took them four years or more to discover that their identities had been misused, a 100 percent increase from 2003.