Requiring Banks to Disclose Identity Theft Statistics
posted by Daniel Solove
Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:
The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .
The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.
The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.
Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:
There is widespread agreement that identity theft causes financial damage to consumers, lending institutions, retail establishments, and the economy as a whole. Surprisingly, there is little good public information available about the scope of the crime and the actual damages it inflicts. The publicly available data on identity theft come mainly from survey research. Methodologically, these survey polls of the public suffer from being both under and overinclusive in measuring the problem. As a result, low estimates attribute tens of billions of dollars in costs to the economy and consumers, the highest estimates place losses in the hundreds of billions.
To identify proper interventions and appropriately allocate resources we need comprehensive, hard data on the scope and effect of identity theft. One way to provide concrete data is to require lending institutions to publicly report figures on identity theft. Such public reporting will help identify the relative need for intervention and the likely efficacy of interventions. These disclosures are necessary to provide a sound baseline for investment by businesses and action by regulators. They are also warranted because the public pays the price of identity theft directly when they are the victim, and indirectly through higher fees, interest rates, and because the losses are tax subsidized.
The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.
For all those interested in identity theft, Chris’s paper is definitely worth reading. In the New York Times article, I have a brief quote which sums up my positive reaction to the proposal yet a practical concern:
Daniel J. Solove, an associate professor at George Washington University Law School, says that blame for identity theft is generally directed at criminals and victims who are lax with their personal data — not companies that fail to protect customer accounts. Direct reporting “brings attention to the fact that financial institutions contribute significantly to the problem, and it will make them more accountable,” he said.
Mr. Solove supports the direct reporting proposal, although he fears that banks will be motivated to challenge customer reports of identity theft, because mounting fraud will make them look bad.
Toward the end of the the New York Times article is a quote from a policy advisor at an industry trade group that strikes me as a bit silly:
The financial services industry opposes the plan. Doug Johnson, a senior policy adviser at the American Bankers Association, an industry trade group, said that revealing internal bank data on identity theft would not do much to help fight the problem. He said that it might actually distract financial institutions, which now privately share information among themselves and collaborate to fashion antifraud techniques.
Complying with the direct reporting proposal would “take our eye off the ball,” he said. “We should be watching what’s happening today, not what happened in the past.”
March 22, 2007 at 1:48 am
Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)
Print This Post
Responses (1)
Sam Kamees - April 14, 2008 at 12:20 pm
No doubt that identity theft is a growing problem with few solutions. With no input from “past occurrences” from those who track such data, effective solutions will lag behind criminal activity every time.
From the banks POV there is a public faith issue. This issue doesn’t spring from the banks refusing to share their data but from the good faith perception of the general public that the banks are untrustworthy should it be found that the financial institutions that drive our economy have been lax in their own security measures.
To see just how fearsome the trust issue is to banks, ask yourself these questions. What would I do if I found out my bank had a security breach? When was the last time I heard of a prosecuted case of nonfeasance?
This issue is a double edged sword. We rely on our financial institutions to cover our backs by keeping information secure but we need them to disclose information on the effectiveness of those security measures in order to prevent identity theft from moving forward.
Until a compromise can be reached, we will never get the upper hand on identity theft.
Leave a Reply