Article
from The New Republic

Data Mine: Stopping Identity Theft

Note

Reprinted by permission of The New Republic, © 2005, The New Republic, LLC.

This year has been bad for my identity. In May, Time Warner, my former employer, sent me a letter informing me that they had lost backup tapes containing the names and Social Security numbers of their current and former U.S.-based employees. In June, it was announced that 40 million credit card numbers had been compromised by a computer hack into payment-transfer company CardSystems Solutions. In September, I learned that the CardSystems break-in had affected me. By now, virtually everyone knows someone who has had their data lost or identity stolen. From February—when a high-profile break-in at consumer-data broker ChoicePoint resulted in the loss of 145,000 records—until the CardSystems break-in, businesses, universities, and government agencies lost an additional ten million records. The increase in data theft has led to an increase in identity theft, in which petty thieves, organized crime, and terrorists use personal data to fraudulently obtain cash, credit, false identification, and travel documents. According to an August 2005 Experian/Gallup poll, nearly one in five Americans has experienced some form of identity theft.

Worse, this number is likely to rise. Lost data is like asbestos: The harmful consequences of exposure may take years to materialize. On average, victims do not become aware of identity theft for 14 months, but, in some cases, it can take up to ten years. And, once the theft is discovered, victims are left alone to clean up the mess. They have to report the theft to local law enforcement and to federal authorities, alert the credit bureaus, monitor their own credit reports, and separately notify each and every institution that allowed the fraudulent accounts to be set up. As a result, it takes victims, on average, 600 hours of their personal time and more than $1,000 in out-of-pocket expenses to clean up their records.

In the wake of all the bad news surrounding data theft, Congress is starting to pay attention. It is currently considering no fewer than ten bills to regulate how companies handle consumer data. But none of these measures go far enough in addressing data loss or identity theft. Although Congress realizes that the problem is getting worse (several senators were even among the 1.2 million federal workers affected when Bank of America lost personal data in February), it is reluctant to regulate personal data. Its flow has become too important, not just to the economy, but to homeland security and politics as well.

But, if nothing effective is done, in five years, today's data and identity theft numbers will seem small by comparison. Even as it defends the flow of information, Congress must adopt better solutions to prevent its abuse. Most important of all, Congress must do a better job of addressing fraud so all the costs don't just fall on the victims.

The growth in data loss and identity theft has been driven in large part by technology. Since 1995, the cost of digital storage has declined from roughly $700 to $1 per gigabyte. The processing speed of computer chips increased exponentially over the same period, allowing more data to be stored and managed more cheaply.

So, while you can now wirelessly download music onto your iPod or laptop computer, criminals can target and steal gigabytes of personal data with similar ease. In addition, while you are shopping for everything from groceries to mortgages on the Internet, thieves are shopping for your information. In other words, as your job has been made easier by technology, so has theirs.

Bad guys aren't the only ones trying to hunt you down online, though. As advertisers have sought greater return on their dollar, they are increasingly relying on personal data to target ads based on gender, age, and geography. That trend has driven the growth of companies—such as ChoicePoint and LexisNexis—that amass this information and sell it to the highest bidder, making it valuable information to steal.

The "black helicopter" crowd will also feel vindicated to know that the government is tracking them, too. In June, it was revealed that the Transportation Security Administration's (TSA) new passenger-screening program, Secure Flight, was buying and storing personal information on American citizens and comparing reservation records against commercial databases used by banking, home mortgage, and credit card companies. At the same time, companies as diverse as FedEx, Western Union, and AOL are helping the feds and law enforcement by allowing them to look at portions of their customer and subscriber data.

In some cases, privacy concerns and public outcry have been sufficient to shut down government projects, as with the Defense Department's infamous Total Information Awareness project and the TSA's CAPPS II airline passenger-screening program. But the push to renew the Patriot Act and expand the ability of law enforcement to demand business records without a warrant is a clear sign that government will continue to access personal data to fight the war on terrorism.

And, despite appropriate hand-wringing over the public's privacy rights, Congress has its own dog in the fight. The growing availability of all this personal data has served them well as political campaigns have begun to catch up with modern marketing. The 2004 presidential campaign marked the beginning of the widespread use of consumer data to better target voters in a national political contest. One data broker, Aristotle International, has sold voter information—including your name, address, phone number, size of household, income, and whether you have an "ethnic" surname—to nearly half of the 535 members of Congress.

Congress is considering about a dozen bills regarding consumer data. The proposals—including one introduced by Senator Patrick Leahy after his own data was lost by Bank of America—focus on requiring data vendors to promptly notify consumers when their data is stolen. While this is a logical first step, the benefits of notification are limited. According to one large vendor, less than 4 percent of victims who received notices took advantage of free credit-monitoring after their data was lost. For those who do reply, the protection offered is scant. I replied to Time Warner's notification, but the protection they provided was good for only twelve months. Notification does not limit harm to me if my identity is eventually stolen. Nor does it help me fix my credit or reclaim my identity. The burden of cleaning up the mess becomes the responsibility of victims, with little help from whoever lost the data.

Another problem with the legislation being proposed is that much of it focuses on vendors like ChoicePoint and LexisNexis. In fact, your favorite store, your credit card company, and your alma mater pose equal or greater risks. Of the 47 data-loss incidents in the first half of 2005 reported by the watchdog group Privacy Rights Clearinghouse, universities were the most frequent culprits, followed by companies and the government. And, in terms of the sheer amount of data lost, the financial industry was in a league of its own, losing nearly four times more data—if you include CardSystems, over 25 times more—per incident than retail companies, the next biggest culprits. By comparison, the sins of brokers like ChoicePoint and LexisNexis seem trivial.

Other proposed solutions that seek to give consumers greater control over the use and sharing of their information—akin to the data privacy rules in Europe—are also problematic. To begin with, the number of organizations already in possession of our data is huge, and, for the most part, we gave it to them willingly. So such an approach is really a rear-guard measure. Like it or not, the level of interest by companies and the government to use our personal data for business, marketing, and national security purposes is enormous, legitimate, and, in many ways, desirable. Given the commercial and government interests at stake, significant restrictions on data use in the United States are unlikely.

So how do we protect data and safeguard identities? BJ's Wholesale Club, which exposed 40,000 customer credit card numbers in March 2004, settled a Federal Trade Commission (FTC) complaint by agreeing to bolster security: have outside security audits every other year for the next 20 years, encrypt stored and transported data, set time limits on how long data is stored, and install better wireless security. Congress should take a page from BJ's settlement and push to strengthen security for institutions that handle large amounts of data. While compliance will cost money up front, the investment will help reduce the costs of lost data in the future and increase consumer confidence.

At least one of the bills in Congress envisions giving the FTC an additional $60 million per year to help identity theft victims. But this is a pittance compared with the billions lost to identity theft every year. Congress is also considering allowing consumers to freeze access to their credit reports. Under credit freezes, which are already allowed in a dozen or so states, no new credit can be issued under an individual's name until the consumer lifts the freeze, a much stronger protection than fraud alerts or notification requirements.

But Peter Swire, chief privacy counselor under President Clinton, has suggested what might be the most compelling solution—a $50 cap and automatic dispute resolution for identity theft losses, similar to the basic anti-fraud provisions for credit cards. If a criminal steals your credit card number, the card issuer pays for unauthorized purchases above $50 and investigates disputed charges. Once credit card companies were put on the hook for fraud losses in the 1970s, they found ways to cut fraud dramatically. To be sure, a $50 rule for identity theft would be more difficult. Identity thieves target not only credit cards, but also car loans, home loans, and bank accounts, as well as identification and travel documents. When credit cards are stolen, consumers simply call the issuer of their card. With identity theft, the responsible party is far less clear. The company or agency that lost the data? The institution that made the loan or issued false documents? Credit reporting agencies? Some federal agency?

Although there are challenges in designing such a system for identity theft, the idea is still promising: Have the big organizations in the middle of the system address the fraud, and don't let all the costs fall on innocent victims.

For any solution to work, it must dramatically shift liability to data owners while better protecting consumers. The bills before Congress fail on this front. Business interests want to keep using data to grow profits, and they will continue to lobby in favor of self-regulation, as they have for years. Homeland security officials want to use more data to aid counterterrorism efforts, and politicians want to use more data to win elections. What will it take for Congress to do the right thing? Maybe the best thing that could happen would be for someone to take Leahy's lost data problem one step further and actually steal his identity, too. And, while they're at it, they should also steal Senator Bill Frist's identity—just to ensure bipartisan support.

Daniel B. Prieto is a homeland security expert at Harvard University's Belfer Center for Science and International Affairs and a former executive at America Online.

Recommended citation

Prieto, Daniel. “Data Mine: Stopping Identity Theft.” The New Republic, December 19, 2005