Identity Theft

Identity theft is one of the fastest growing crimes in America.

A 2003 Federal Trade Commission (FTC) survey found that 27.3 million Americans were victims of identity theft in the previous five years.1 Identity theft complaints to the FTC increased by more than 52 percent from 2002 to 2004.2

Businesses and consumers alike lose billions of dollars annually to identity theft.

Identity thieves steal $48 billion from businesses and $5 billion from consumers annually, according to the FTC.3 Thieves take funds out of a victim’s bank account, charge purchases to existing credit accounts, or open new credit card, store, utility or telephone accounts. When the thief fails to pay the bills, the new creditors try to collect from the victim, often damaging the victim’s credit. The average victim loses about $6,383—up from $5,249 in 2003—and 40 hours of time trying to resolve the problem.4

Security breaches make identity theft possible.

To steal an identity, the thief needs access to personal data, such as social security, bank account, or credit card numbers. In 2005 alone, there were more than 80 major security breaches of personal data involving financial institutions, data brokers, businesses, government agencies, and universities. The personal data of more than 50 million Americans were stolen.5 For example, in 2005:

The personal data of 145,000 Americans—including names, addresses, social security numbers and credit reports—were stolen from ChoicePoint, a credential-verification service.
Bank of America lost a backup tape with the names, addresses, social security numbers and credit account numbers of 1.2 million customers.
The passwords of 310,000 Lexis-Nexis clients were compromised, giving thieves access to names, addresses, social security numbers and driver’s license numbers.
Time Warner lost backup tapes with personal data on 600,000 current and former employees, including their social security numbers.
A MasterCard database that contained 40 million credit card records was hacked.

If notified of security breaches, customers could take precautions to protect their credit.

Federal law does not require companies to notify customers when personal data has been lost or stolen. If warned of security breaches, customers could place a fraud alert on their credit reports and take extra care when reviewing account statements. In addition, requiring notification of security breaches gives companies more incentive to guard the security of personal data.

If empowered to place a security freeze on their credit records, customers could prevent new account fraud.

When an identity thief tries to open a new account in the name of a victim, the company that would grant credit first checks the victim’s credit record at one of the three major credit bureaus—Experian, Equifax or TransUnion. A security freeze allows customers to obtain a passcode, like an ATM PIN. Credit bureaus are prohibited from releasing credit reports without the passcode, so identity thieves cannot get new accounts approved. The best form of security freeze borrows from the convenience of online banking—the consumer can easily place or lift the freeze using the passcode, with changes taking effect almost immediately.

Federal law allows states to protect customers from identity theft.

The Fair and Accurate Credit Transactions Act (FACTA), enacted in December 2003, did not interfere with most state authority to prevent and mitigate identity theft, to require that personal data be held securely, and to mandate that consumers be notified when there has been a breach in the security of their personal information.

States have enacted security breach notification laws.

Thirty-three states (AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, KS, LA, ME, MN, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, PA, RI, TN, TX, UT, WA, WI) have enacted legislation that requires companies to notify individuals when a security breach occurs that makes them susceptible to identity theft. Twelve of these states (AZ, CO, HI, ID, KS, NE, NH, OH, OK, PA, UT, WI) enacted their laws in 2006.

States have enacted security freeze laws.

Twenty-five states (CA, CO, CT, DE, FL, HI, IL, KS, KY, LA, ME, MN, NV, NH, NJ, NY, NC, OK, RI, SD, UT, TX, VT, WA, WI) have versions of security freeze legislation, 13 (DE, FL, HI, KS, KY, MN, NH, NY, OK, RI, SD, UT, WI) enacted them in 2006. Fourteen states (CA, CO, CT, DE, FL, KY, LA, ME, NV, NJ, NY, NC, RI, VT) make the security freeze available to all consumers, which maximizes its value as a preventive tool. Washington offers the freeze to identity theft victims, but uses a broad definition that includes those who have received notice that the security of their personal information has been breached.

Identity theft cases have declined over the past three years—an indication that state laws are having an effect.

In 2003, 10.1 million people reported that they had become victims of identity theft. That number dropped to 9.3 million in 2005 and to 8.9 million in 2006 as states have adopted identity theft protection statutes.6

This policy summary relies in large part on information from U.S. PIRG and Consumers Union.7

Endnotes

Federal Trade Commission, “Identity Theft Survey Report,” September 2003.
Federal Trade Commission, “National and State Trends in Fraud & Identity Theft: January-December 2004,” February 1, 2005.
“Identity Theft Survey Report.”
Better Business Bureau and Javelin Strategy & Research, “Update to the Federal Trade Commission’s Identity Theft Survey Report,” January 2006.
Privacy Rights Clearinghouse, “A Chronology of Data Breaches Reported Since the ChoicePoint Incident,” October 19, 2005.
“Update to the Federal Trade Commission’s Identity Theft Survey Report.”
For a comprehensive discussion of identity theft and model legislation addressing nine separate topics, see “The Clean Credit and Identity Theft Protection Act: Model State Laws,” Public Interest Research Groups and Consumers Union, November 2005.

Updates