Post on 19-Oct-2014
This white paper examines data breaches and identity theft that occurred in 2013.
The State of Identity Theft in 2013
A National Consumers League White Paper Examining Fifteen Years of
Federal Anti-Identity Theft Consumer Protection Policies
Prepared by John D. Breyault
Vice President of Public Policy, Telecommunications and Fraud
National Consumers League 1
Thesis: Identity theft remains a pernicious threat to consumers. While the federal
government and private sector have done much to address this issue, it is important
that legislators and regulators remain vigilant to protect consumers from this ever-
evolving fraud.
Executive Summary
May 3, 2006 was a typically beautiful spring day in Washington, DC, with temperatures in the
mid 70’s, a slight breeze and clear skies. As the work-day wound down, a data analyst from the
Department of Veterans Affairs took home a laptop and an external hard drive, as he had done
regularly for the previous four years. That night, however, the laptop and hard drive were stolen
during a burglary of the analyst’s Maryland home.2 The two devices contained unencrypted
information -- including names, dates of birth, Social Security Numbers and medical information
on more than 26.5 million active duty members of the military, National Guardsmen, Reservists,
veterans and their spouses. This theft followed a highly publicized data breach at data broker
ChoicePoint in February 2005.3 That same month, Bank of America announced that it had lost
tapes containing the Social Security Numbers and account information of more than 1.2 million
1 This white paper was underwritten by an unrestricted educational grant from Google, Inc.
2 Electronic Privacy Information Center. “Veterans Affairs Data Theft.” Online: http://epic.org/privacy/vatheft/
3 “ChoicePoint: More ID Theft Warnings,” CNN/Money. February 17, 2005. Online: http://money.cnn.com/2005/02/17/technology/personaltech/choicepoint/
© National Consumers League 2013 1
federal employees, including some members of the Senate.4 In each case, the breaches
exposed Americans to possible identity theft.
This spate of high-profile data breaches prompted President George W. Bush to issue
Executive Order 13402 on May 10, 2006. The order created the federal Identity Theft Task
Force, charging 15 federal departments and agencies with crafting a comprehensive national
strategy to combat identity theft. In April 2007, the task force issued its strategic plan, which
included 31 recommendations ranging from small incremental steps to broad policy changes.5
More than a year later, in September 2008, the task force released a report describing the
progress of the seventeen member agencies in implementing the task force’s
recommendations. While many of the recommendations had been successfully implemented,
the report noted that the implementation of others was still in progress.6 Many of the reforms
prompted by the task force have had an impact, but it remains unclear if the federal
government’s policies are keeping up with the threat of identity theft, which continues to evolve.
The scope of identity theft is massive. Every year for more than a decade this form of fraud has
been the single largest source of complaints to the Federal Trade Commission.7 While the
number of consumers affected has decreased significantly from 2009-2010, more recent data
shows that this scam is once again trending in the wrong direction. In 2012, identity fraud
affected 5.26% of American consumers or 12.6 million people, the second straight year the
incidence of identity fraud increased. Losses from identity fraud also increased from $18 billion
in 2011 to $20.9 billion in 2012.8
Clearly, identity theft perpetrators are becoming more professional and more networked.
Sophisticated identity theft black markets exist to facilitate the buying and selling of
compromised identities. These black markets are supplied by growing numbers of data
breaches affecting organizations from small retailers to large banks and government agencies
4 Nowell, Paul. “Bank of America Loses Tapes With Federal Workers’ Data,” The Washington Post. February 26, 2005. Online: http://www.washingtonpost.com/wp-dyn/articles/A54823-2005Feb25.html
5 The President’s Identity Theft Task Force. Combating Identity Theft: A Strategic Plan. April 2007. Online: http://www.identitytheft.gov/reports/StrategicPlan.pdf
6 The President's Identity Theft Task Force. Task Force Report. September 2008. Online: http://www.idtheft.gov/reports/IDTReport2008.pdf
7 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf
8 Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.
at every level. These breaches have caused millions of personal records to be compromised,
allowing identity thieves to conduct their crimes with greater ease than ever before.
Progress, to be sure, has been made in a number of areas. Identity thefts affecting existing consumer
accounts (e.g. credit cards, bank accounts) appear to have decreased in frequency, and the
time and expense necessary to recover from identity theft has decreased. Despite these
advances, however, the changing face of identity theft presents consumers with new worries.
The increasing prevalence of new account fraud, tax-related and medical identity theft
suggests that identity thieves are increasingly seeking fraud that can remain undiscovered for
longer time periods. For instance, it appears that identity thieves are becoming adept at
aggravated identity theft, particularly involving the creation of new accounts.9 A significant
concern is the increasing use of stolen identities to commit tax-related identity theft.
Government documents or benefits fraud is by far the largest and fastest-growing category of
identity theft complaints, increasing from 19.2% of identity theft complaints in 2010 to 46.4% in
2012.10 Tax or wage-related fraud complaints make up 93.5% of this category, up from 81.3% in
2010.11
This much is clear: the threat of identity theft is not going away anytime soon. It is therefore
critical that the successes achieved by the President’s Identity Theft Task Force, new consumer
protection laws and private sector data security efforts not be taken for granted. Instead,
policymakers in Congress and the Executive Branch should consider a range of reforms to
address the evolving identity theft threat. These include:
1. The President’s Identity Theft Task Force Report should be updated to reflect
reforms undertaken since 2008.
2. Congress should pass comprehensive data breach notification legislation.
9 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf
10 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf
11 Ibid.
3. The Federal Trade Commission should collect and publish data on the
effectiveness of the Red Flags Rule in preventing identity theft.
4. Those who shape U.S. foreign policy should set as a key goal achieving additional
Memoranda of Understanding on identity theft with foreign governments.
5. The Federal Trade Commission and Internal Revenue Service should launch a
comprehensive effort to improve consumer protections for tax-related identity
theft.
6. The Obama Administration should explore stronger incentives and penalties to
encourage private sector businesses to better protect the personally identifiable
data they collect.
I. Identity Theft Continues to Affect Millions of
Consumers and Cost the U.S. Economy Billions
Identity theft is a serious, pernicious threat to millions of consumers annually. According to
Javelin Strategy, which publishes one of the few longitudinal studies tracking identity fraud, 12.6
million consumers were affected by identity fraud in 2012. Losses stemming from identity fraud
are estimated to total $20.9 billion annually.12 To put this total in context, $20 billion in identity
fraud losses annually is equivalent to the insured cost of a Hurricane Sandy hitting the economy
every year.13
Consumers reported in an April 2013 Zogby poll that identity theft was their biggest concern
about the Internet (39%), higher than viruses and malware (33%), government surveillance of
data (12%) or cyber-bullying and stalking (5%).14 This consumer concern about identity theft is
12 Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.
13 Holm, Erik and Scism, Leslie. “Sandy’s Insured Loss Tab: Up to $20 billion,” The Wall Street Journal. November 2, 2012. Online: http://online.wsj.com/news/articles/SB10001424052970204712904578092663774022062
14 Digital Advertising Alliance. “Poll: Americans Want Free Internet Content, Value Interest-Based Advertising,” Press release. April 18, 2013. Online: http://www.aboutads.info/DAA-Zogby-Poll
reflected consistently in polling. When asked to name the most significant privacy-related threat,
61% of consumers named identity theft.15 Similarly, a 2012 Forrester survey found that
consumers’ primary privacy, safety and security concern when it comes to the Internet is having
their identities stolen.16 The fallout from identity theft victimization is especially destructive for
confidence in small businesses. Fifteen percent of identity theft victims changed their behaviors
and avoided smaller online merchants. Larger merchants are not as affected by this behavior
change.17
Data breaches are a major source of the compromised personal information that fuels identity
theft. Such breaches occur in a myriad of ways, including phishing schemes, insider attacks,
and sophisticated hacking attacks. The total impact of these breaches is massive. One study
recorded more than 2,500 incidents since 2004, affecting 1.1 billion records.18 The scope and
size of the data breach issue is directly relevant to identity theft because consumers whose data
is compromised by a breach are significantly more likely to be victims of fraud than those who
are unaffected by a breach. In 2011, 5.3% of all consumers were victims of identity fraud, while
22.5% of consumers whose data was compromised became victims of fraud.19
Data breaches clearly increase the risk of consumers becoming victims of fraud, but it appears
that identity thieves may be using stolen identity information in new and more egregious ways.
For example, the number of identity theft cases filed and the number of defendants convicted
both decreased in 2009 and 2010 relative to 2008. However, the numbers of aggravated identity
theft cases filed and defendants convicted have continued to increase.20
15 Ponemon Institute. 2012 Most Trusted Companies for Privacy. Pg. 2. January 28, 2013. Online: http://www.ponemon.org/local/upload/file/2012%20MTC%20Report%20FINAL.pdf
16 Enright, Allison. “Consumers worry about online privacy, but shop anyway,” Internet Retailer. May 11, 2012. Online: http://www.internetretailer.com/2012/05/11/consumers-worry-about-online-privacy-shop-anyway
17 Javelin Strategy & Research. “2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters,” Press Release. February 2013. Online: https://www.javelinstrategy.com/brochure/276
18 Verizon RISK Team. 2013 Data Breach Investigations Report. Pg. 4. May 2013. Online: http://www.verizonenterprise.com/DBIR/2013/
19 Source: Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.
20 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf
Identity theft has been the most common fraud complaint to the Federal Trade Commission for
the past thirteen years.21 In response, the Commission has rightfully made the fight against
identity theft a top priority. However, trends in the complaint data are suggestive of changes in
how identity thieves are monetizing stolen information. At one time, compromised identity data
was used most often to commit credit card fraud. Now the broad category of government
documents or benefits fraud has become by far the largest and fastest-growing sub-category of
identity theft complaints. In 2010, complaints about this type of scam accounted for 19.2% of
identity theft complaints to the FTC. By 2012 this number had risen to 46.4%, outpacing credit
card fraud, bank fraud, employment-related fraud, phone or utilities fraud and loan fraud,
combined.22 This should be a wake-up call for the Obama Administration, Congress and state
authorities.
Fig. 1
Source: Federal Trade Commission. Consumer Sentinel Network Data Book (CY 2008-12)
21 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf
22 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf
Within the government documents/benefits fraud category, the use of stolen identity information
to file fraudulent tax returns has historically been the dominant type of scam. Over the past
seven years, this scam has grown ever more popular among identity thieves, increasing from
63% of all government documents/benefits fraud complaints in 2006 to 93.53% of such
complaints in 2012.
Tax identity theft occurs when thieves use personal information, such as a consumer’s
Social Security Number and full name, to submit fraudulent tax returns and obtain refunds to
which they are not entitled. In 2011 alone, approximately 1.1 million suspicious tax returns were
identified, resulting in $3.6 billion in potentially fraudulent refunds paid by the IRS due to identity
theft.23
Fig. 2
Source: Federal Trade Commission. Consumer Sentinel Network Data Book (CY 2008-12)
23 Treasury Inspector General for Tax Administration. “Identity Theft: IRS Detection Has Improved, Yet Billions Still Lost in 2011 Returns,” Press Release. November 7, 2013. Online: http://www.treasury.gov/tigta/press/press_tigta-2013-39.htm
While the nature of identity theft is changing, the scope of the problem clearly remains massive.
Consumers are still concerned about the threat of identity theft and rightfully so. While the direct
cost to consumers of being a victim in money and time has decreased, the indirect costs to the
economy, taxpayers and confidence in the Internet are no less worrisome.
II. Background On Federal Anti-Identity Theft Efforts
Since the 1970s, consumers have benefitted from legislation that safeguards their finances from
misuse, providing a basic level of identity theft protection. For example, the Fair Credit Reporting
Act imposes a duty on consumer reporting agencies to ensure that the information they report is
accurate. The FCRA also gives consumers the right to file suit for violation of the Act. The Fair
Credit Billing Act provides consumers with an opportunity to receive an explanation and proof of
charges that may have been made by an imposter. The FCBA also gives consumers the right to
have unauthorized charges removed from their accounts. Finally, the Electronic Funds Transfer
Act limits consumers’ liability for unauthorized electronic fund transfers as long as they notify
their financial institution in a timely manner.
The cumulative effect of these 1970’s-era laws is that much of the financial cost of fraud
stemming from identity theft is borne not by consumers themselves, but by financial institutions
instead. By the late 1990’s, the rise of Internet-fueled identity theft exposed the limitations of
these laws. Congress took an important first step in attacking the identity theft problem with the
passage of the Identity Theft Assumption and Deterrence Act of 1998, which made identity theft
a federal crime. This was followed by the Fair and Accurate Credit Transactions Act of 2003
(FACTA), which directed the FTC to work with credit card issuers to improve security
procedures.24 FACTA also gave consumers the right to request a free credit report from each of
the major credit reporting bureaus every twelve months and to have a fraud alert placed on their
credit reports if they suspected identity theft. In 2004, the Identity Theft Penalty Enhancement
24 FACTA’s requirement that the FTC work with businesses to implement security safeguards led to the creation of the Red Flags Rule. This Rule requires many financial institutions and creditors to implement written Identity Theft Prevention Programs to identify the warning signs (“red flags”) of identity theft in their day-to-day operations. The Red Flags Rule went into effect on December 31, 2010. For additional information, see the Federal Trade Commission's “Fighting Identity Theft with the Red Flags Rule: A How-to Guide for Business.” Online: http://www.business.ftc.gov/privacy-and-security/red-flags-rule
Act established additional penalties for aggravated identity theft. Most recently, the 2008 Identity
Theft Enforcement and Restitution Act authorized restitution for the time spent by victims
recovering from the harm caused by an actual or intended identity theft.
In addition to legislative action increasing consumer protections against identity theft, significant
reforms have been undertaken by Executive Branch agencies to address the threat of data
breaches and the resulting danger of identity theft. In 2006, following a spate of high-profile data
breaches, President George W. Bush issued Executive Order 13402. The Order created the
federal Identity Theft Task Force, charging 15 federal departments and agencies with crafting a
comprehensive national strategy to more effectively combat identity theft. In April 2007, the task
force issued its strategic plan, which included 31 recommendations, ranging from small,
incremental steps to broad policy changes.25
Notable recommendations from the Task Force included:
● Reducing the use of Social Security Numbers by federal agencies;
● Establishing national standards for private sector protection of personal data;
● Promoting a national data breach notification standard;
● Implementing a broad and sustained consumer, industry and public sector awareness
campaign regarding identity theft; and
● Creating a National Identity Theft Law Enforcement Center to coordinate enforcement
resources targeted at identity theft.
A progress report released by the task force in September 2008 detailed the federal
government’s progress in implementing the strategic plan. Notable reforms undertaken as a
result of the Task Force’s recommendations included (but were not limited to):
● Task Force member agencies have significantly reduced their use of Social Security
Numbers;
● Federal agencies have increased the use of encryption technology on laptops and other
mobile data devices containing agency data;
25 The President’s Identity Theft Task Force. Combating Identity Theft: A Strategic Plan. April 2007. Online: http://www.identitytheft.gov/reports/StrategicPlan.pdf
● Congress passed the Identity Theft Enforcement and Restitution Act, which addressed a
number of deficiencies in the federal criminal related to identity theft while giving
consumers an avenue for restitution for losses stemming from identity theft;
● Numerous identity theft databases (e.g. the FTC’s Identity Theft Data Clearinghouse)
and joint enforcement coordination efforts have been undertaken to make enforcement
efforts more efficient; and
● Identity theft coordinators have been established in each U.S. Attorney’s Office to
coordinate anti-identity theft efforts between these offices and the Department of
Justice.26
While a number of the task force’s recommendations had been successfully implemented, many
were still in progress as of the publication of the 2008 report. A notable example is the failure of
Congress to pass a comprehensive national data breach notification law. As of November 2013,
46 states as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands
have passed state data breach notification laws.27 This has created significant challenges given
the national scope of many data breaches.28
The implementation of these consumer protections has correlated with a significant reduction in
the incidence of certain types of identity theft, particularly schemes involving credit card fraud,
bank fraud and loan fraud. This trend is also reflected in federal identity theft cases filed and
defendants convicted, the rates of which peaked in 2007 and declined in each of the following
three years.29
Whether these trends are a direct result of the new protections implemented by the federal
government is unclear. However, we know that identity thieves tend to seek out schemes that
offer the most profit with the least risk, so it seems plausible that these reforms are having an
effect on the broader problem.
26 See generally: The President’s Identity Theft Task Force. Task Force Report. September 2008. Pgs. 6-49. Online: http://www.idtheft.gov/reports/IDTReport2008.pdf
27 National Conference of State Legislatures. “State Security Breach Notification Laws.” Online: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
28 For additional discussion on this topic see: Geer, David. “Data breach notification laws, state and federal: A review with commentary for security C-levels,” CSO. November 1, 2013. Online: http://www.csoonline.com/article/742430/data-breach-notification-laws-state-and-federal?page=1
29 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf
III. Recommendations for Responding to Evolving
Identity Theft Threats
Consumers and law enforcement agencies have powerful tools at their disposal to attack the
identity theft problem. However, as with other types of cyber crimes, identity thieves are nothing
if not resilient and adaptable. For example, they appear to be shifting their activities towards tax-
related identity theft, potentially as a way to avoid stronger countermeasures at financial
institutions.
Significant structural challenges that enable identity theft also remain an issue. In particular, the
raw fuel for identity theft − compromised personal information − is more widely available than
ever thanks to the explosion of data collection by the private and public sector. More information
under the control of more organizations necessarily means that more data will be compromised.
It should not be surprising, then, that reports of data breaches are becoming an almost daily
news item. Since 2005, the non-profit Privacy Rights Clearinghouse has recorded more than
4,000 data breaches -- more than one per day for nine straight years.30 It is a near-certainty that
many more breaches have gone unreported.31 The glut of data breaches may even be driving
down the price of stolen identities in the cybercriminal underground due to oversupply.32
The professionalization of identity theft also poses new challenges. Whereas in the past identity
theft may have been about establishing bragging rights within the hacker community, today it is
30 Privacy Rights Clearinghouse. “Chronology of Data Breaches,” (Accessed November 24, 2013). Online: https://www.privacyrights.org/data-breach
31 A dramatic visualization of the growing number of data breaches was recently created by London-based author and data-journalist David McCandless who plotted the world’s biggest data breaches on a time scale to illustrate the growing threat. Online: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
32 Higgins, Kelly Jackson. “Glut in Stolen Identities Forces Price Cut in Cyberunderground,” Dark Reading. November 19, 2013. Online: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089
a thoroughly organized money-making criminal enterprise.33 Numerous black markets for stolen
identity information exist online, some even featuring help desk support.34
While there are steps that consumers can take to mitigate their risk of identity theft, the onus
must not be on the individual consumer - weak passwords are not the cause of massive ID
theft. Consumers of course should monitor credit reports, install anti-virus software,
keep computer operating systems up-to-date and maintain strong passwords, to name but a
few. However, given the explosive growth of data breaches, the ability to control vulnerability to
identity theft is largely out of consumers’ control.
Given these operational and structural challenges, policymakers must adapt to ensure that the
gains made over the previous seven years of anti-identity theft work are not reversed. To begin
a dialogue on this issue, we urge policymakers to consider the following recommendations:
1. Update the President’s Identity Theft Task Force Report. This will enable
policymakers and advocates to better evaluate the impact of actions taken in response
to the Task Force’s recommendations since 2008 and discuss new reforms that may be
necessary given the changing nature of identity theft.
2. Congress should pass comprehensive data breach notification legislation. The 46
state data breach notification laws frequently conflict and may confuse consumers who
receive notifications. Given the national (and in many cases, international) scope of data
breaches, a national standard for notification is warranted. The most stringent state data
breach notification laws should serve as the basis for a federal standard.
3. The Federal Trade Commission should collect and publish data on the
effectiveness of the Red Flags Rule in preventing identity theft. A key provision of
FACTA directed the FTC to work with the private sector to create a Red Flags Rule to
enhance protections against identity theft in the business community. The full
enforcement of the Rule was delayed until the end of 2010. The FTC should evaluate
whether the Rule is affecting identity theft rates and, if necessary, consider
strengthening the Rule to improve consumer protections.
33 McAfee Security Advice Center. “The Evolution of Cybercrime,” Spring 2011. Online: http://home.mcafee.com/advicecenter/?id=rs_na_sp11article1
34 Higgins, Kelly Jackson. “Glut in Stolen Identities Forces Price Cut in Cyberunderground,” Dark Reading. November 19, 2013. Online: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089
4. Those who shape U.S. foreign policy should set as a key goal achieving additional
Memoranda of Understanding on identity theft with foreign governments. The
international nature of much identity theft demands cooperation between U.S. law
enforcement agencies and their foreign counterparts. This is greatly facilitated when
there are clear rules and procedures governing the sharing of information between
international partners.
5. Federal regulators should launch a comprehensive effort to improve consumer
protections from tax-related identity theft. Identity thieves taking advantage of the
U.S. tax collection system has become a major cause for concern. Consumers should be
empowered to take preemptive action to protect themselves from tax-related identity
theft. The IRS should expand the availability of PIN technology to consumers that
request it, not just identified victims of identity theft.
6. Explore additional incentives and penalties to encourage private sector
businesses to better protect the personally identifiable data they collect. Limiting
consumer liability for fraudulent credit and debit card purchases has been a key driver of
improved fraud protection in the financial services industry. Policymakers should explore
whether similar reforms would incentivize the private sector to increase data security
standards.
IV. Conclusion
Identity theft is a pernicious threat that affects millions of American consumers annually, costs
the U.S. economy and taxpayers billions of dollars, and reduces confidence in the Internet and
small businesses. It has been more than fifteen years since Congress passed its first law
specifically targeting the identity theft problem. It has been more than seven years since a
Presidential level task force was convened to improve the federal government and private
sector’s response to the problem of identity theft.
While these efforts have shown some success, it is clear that identity theft remains a problem of
massive proportions. It is therefore imperative that policymakers, advocates and the general
public recommit themselves to reducing the plague of identity theft. There are a number of
reforms that would help to achieve this objective, several of which are discussed in this report.
We urge Congress and federal regulators to consider the continuing threat of identity theft and
maintain their vigilance against this serious crime.