Originally posted by Adam Levin on August 6, 2015 on huffingtonpost.com.
Last weekend, TheUpshot published the most dangerous identity theft threat: the non-expert’s tendency to underestimate the magnitude of problem. The piece in question argued that the consequences of most identity theft have been exaggerated (by identity theft experts like me), and that, “only a tiny number of people exposed by leaks end up paying any costs.”
The main source for TheUpshot’s argument seems to be the 2015 Identity Fraud Report (covering data from 2014) published by Javelin Strategy and Research, which found a dramatic increase in account takeovers (i.e., when a fraudster is able to get through the authentication process on an existing credit account and make charges) but an overall decrease in the amount of money lost to identity-related fraud.
To think that the 2015 Javelin report minimizes the threat of mega data breaches to consumers is to misread it. To suggest that the threat is overstated is both simplistic and harmful to consumers. The article focuses too much on account takeover resulting from big-name hacks like Target (a very common form of identity theft). Meanwhile, it gives nowhere near enough attention to the very real and long-lasting effects of more serious forms of identity theft – the kind that’s committed using Social Security numbers – and the equally big-name hacks like Anthem, Premera, and the Office of Personnel Management that exposed millions of records containing that data.
The Buck Doesn’t Stop With the Bank
TheUpshot dismisses the consumer cost of most data breaches (beyond lost time and annoyance) because “several laws protect consumers from bearing almost any financial losses related to hackers.” TheUpshot continues, “…banks and merchants, like Target, must bear the cost. But even their losses have been dropping in recent years, as data security experts have learned new strategies to prevent intrusions from turning into theft.”
First of all, banks do not bear all the costs if they can help it. They pass it along to the company that caused the problem in the form of fines and penalties, and in some cases the company is only alleged to be the cause of the problem. It is very hard for small businesses to fight card companies on these charges. So when it happens, it can be a near extinction-level event, or force price changes. And, of course, that cost often manifests itself at the consumer level.
Additionally, according to at least one recent report, the cost of a data breach to businesses has not been going down, as stated by TheUpshot. On May 27, IBM and the Ponemon Institute jointly reported the cost per breached record had increased by 12% over the preceding year, from $145 to $154, and that the average total cost of a data breach to an enterprise rose a not inconsiderable 23% to $3.79 million.
And it bears repeating: While it’s all very populist and fair-weather foppery to say that companies like Target and Home Depot can foot the bill of a breach, the same cannot be said of smaller businesses–after all, breaches are not confined to big companies.
5% Is a Huge Number
TheUpshot’s big reveal: “The more troubling identity theft, in which new accounts are opened in an unsuspecting person’s name, make up only 5 percent of the total figure given by Javelin.”
To the uninitiated eye, 5% sounds like a small number. But it’s missing context.
“Although we have no data to support what percentage of breaches turn into identity theft cases,” according to Brent Montgomery, Fraud Operations Manager at my company IDT911, “5% is a lot.”
In 2014 there were 12.7 million identity fraud victims, according to Javelin. Just 5% of that total is 635,000 consumers–hardly a negligible number.
Montgomery then highlighted the essence of the problem here: “There are so many breaches on a daily basis that information can be pieced together from one breach to another giving a criminal all they need to complete the puzzle.”
TheUpshot fails to account for the long tail of identity theft–the fact that scams are pieced together using data harvested from countless individual and corporate compromises oftentimes sold and resold on the data black market. A scam that happens today may use data that was compromised three years ago–especially when Social Security numbers are involved since their only expiration date is when the holder of those nine digits expires.
Another problem with using the Javelin report is that the data is extrapolated from a relatively small sample of the population, whereas the Federal Trade Commission’s Consumer Sentinel Network Data Book for January-December 2014 is driven by hundreds of thousands of pieces of consumer-reported data. That matters here because on page 13 of the Sentinel report, you will find a higher incidence of new account creation (12.5%) than fraud on existing accounts (4.9%).
There Are Very Serious Identity Theft Threats
While instances of new account fraud and some signs of existing account takeover can show up on your credit reports (you can get them for free once a year on AnnualCreditReport.com), other types of identity theft are less detectable – until they really cause damage. Of greater concern is what does happen to consumers whose information falls into the wrong hands–specifically their most sensitive information. Mentioned nowhere in the article is tax fraud, a crime that is most definitely on the rise and cannot be resolved easily or quickly (think: 6-12 months). Equally absent in this Panglossian take on what really is an identity theft epidemic: medical identity theft, which is extremely difficult to detect, equally difficult to resolve and can have potentially life-threatening consequences.
The bottom line is that while it’s easy to dismiss identity theft experts as being the equivalent of “the soap company that advertises how many different types of bacteria are on a subway pole without mentioning how unlikely it is that any of those bacteria would make you sick,” it is irresponsible to downplay the various serious risks now facing millions of Americans whose most sensitive personal information has been exposed in the breaches of Anthem, Premera, Sony Pictures and the Office of Personnel Management, to name a few. The threat for them is very real, and long-term–perhaps a lifetime.