The hysteria over identity theft

Fact #2: Not every compromised record turns into an identity-theft case. In some cases, like the much-ballyhooed theft of the Department of Veterans Affairs data, the thieves were actually after the stolen laptops rather than the data inside them. Even in cases where the criminals target databases specifically to steal identities, the percentage of people who become victims is apparently relatively small. In the ChoicePoint database breach of 163,000 people's records, for example, a Nigerian national was convicted of stealing 16 people's identities. (Law enforcement officials say privately there have been more victims, but their numbers are in the hundreds rather than the thousands.)

One study by ID Analytics that analyzed four high-profile database breaches estimated that the highest "misuse" rate was 0.098%, or fewer than one person for every 1,000 who had their personal information exposed. Even when data makes its way onto the Internet, where identity thieves buy and sell information on clandestine Web sites and chat rooms, only about 2% of the people whose identities are compromised actually experience identity theft, said Mike Cook, ID Analytics co-founder.

Does that mean companies shouldn't have to fess up when our data is lost, stolen or hacked by thieves? Hardly. Consumers still need the heads-up when their data has been compromised. Even if the threat is small, the consequences can be enormous. Also, we shouldn't underestimate the power of public disclosure (read: shaming) to get companies to finally start handling our data more carefully.

Fact #3: Identity theft is still a big deal. Even when we exclude credit card fraud, ID theft appears to be more common than other risks we greatly fear, such as contracting cancer, going broke or getting divorced.

Using the Justice Department statistics and excluding the cases of credit card fraud, we're still left with nearly 1.9 million households experiencing the more serious types of identity theft in a six-month period. If we annualize that figure to 3.7 million households, the ID theft rate is 3.3% (assuming 115 million U.S. households, per the most recent Census Bureau figures).

Clearly, we're not talking about a pandemic, but there's no question that identity theft is common enough to be a legitimate consumer concern. The bottom line is that we need to be vigilant about our personal information and demand that companies be vigilant as well. We shouldn't let the ID theft naysayers minimize the potential threat. But neither should we allow our own paranoia to exaggerate it, or lead us to buy products and services that only drain our wallets without substantially improving our security.

Here are the real problems

Now here are the types of identity theft that should really worry us, and what we should do about them:

New account fraud. This is the kind of identity theft consumers most fear -- as they should. The costs tend to be higher (a median of $800 per victim in the Justice Department study, compared with $300 for credit card fraud and $400 for identity theft in general) and the fight to clear their names can be tougher. Whereas half of the people who reported credit card fraud were able to resolve the problem in an hour or less, according to the FTC study, half the people who reported new account fraud needed 10 hours or more to fix the problem. The average time spent: 60 hours.

And consumers are far more likely to have ongoing problems when the identity theft involves new accounts. In the Justice Department study, 78% of households reporting credit card fraud said the theft had stopped, compared to 65% of those who experienced theft of other existing accounts and 54% of those who reported new account fraud and other misuse of personal information (see "Stolen innocence: Child identity theft").

What to do: One thing, and one thing only, stops new account fraud: credit report freezes. The fraud alerts that the credit bureaus recommend can be ignored by lenders, and at least one study contends that the alerts often aren't properly shared among the bureaus, leaving consumers vulnerable. Freezes work, and should be made available to everyone.

Of course, credit freezes typically involve costs (often $10 or so to institute the freeze at each bureau, plus another $10 per bureau to lift) and hassle (you can't take advantage of instant credit offers, and unfreezing your account to get credit can take a few days). So even though the option should be available, you probably don't need to use it if you're not already an ID theft victim or at high risk of becoming one. "High risk" means you know or suspect someone has swiped your information (see "8 signs you may know an identity thief") or you've been told you're the victim of a targeted database breach (as opposed to lost computer tapes or a stolen laptop).

Even then, you should be more concerned about lost identifying information -- Social Security number, address, date of birth -- than mere "account level" data such as credit card numbers.

"If the consumer's been told (the database breach) involves account-level information that fell off a truck," ID Analytics' Cook said, "I would have no concerns at all (about the information being misused)."

Credit monitoring, in which your credit reports are trolled for suspicious activity, is an option that can help you spot (but not prevent) identity theft. As with credit freezes, it's an option that can be costly and unnecessary. Most people who aren't at high risk for identity theft are probably fine just pulling their credit reports a couple of times a year; the first look is free.

Checking-account breaches. Credit card companies have gotten so good at detecting fraud (Visa's estimated fraud losses are about 7 cents per $100 charged, compared with 19 cents in 1991) that thieves moved on to easier targets: bank accounts. A bank account breach is especially nettlesome since the money's gone and your checks are often bouncing by the time you discover the problem. Some victims have discovered, to their chagrin, that their banks aren't exactly helpful in dealing with these frauds ( see "Banks hang fraud victims out to dry"). And as noted above, this type of fraud is more likely to be ongoing than credit card fraud.

The good news is that mounting losses and regulatory pressure have led more banks to tightening their security through strong authentication procedures, fraud-detection software and other methods, said Gartner researcher Avivah Litan.

What to do: Consumers can combat checking-account breaches by not falling for phishing, pharming and other schemes designed to elicit online IDs, passwords and account numbers. It can also help to use electronic transactions rather than paper checks and to closely monitor bank accounts for suspicious transactions (see "Fraud, identity theft grow at ATMs">.

Medical identity theft. Compared with the new account or checking account fraud, this crime is still relatively uncommon (an estimated 198,000 victims in the FTC study) but still of concern. In medical ID theft, someone uses your Social Security number, health insurance information or other personal data at hospitals or doctor's offices, and you wind up with the bill. Many medical ID theft victims don't realize there's a problem until the collectors start calling. Then they get to fight with the collection agencies, health-care providers and credit bureaus to try to clear their names. (The Los Angeles Times has reported on this phenomenon.) Perhaps even more troubling, the impostor's medical information can be mixed in with your own records, causing confusion and the potential for fatal mistakes.

What to do: Monitoring insurance statements, credit reports and medical records can help detect this fraud and give the consumer an early start on resolving it. But health-care providers and insurers need to have better identity authentication procedures as well.

Liz Pulliam Weston's latest book, "Easy Money: How to Simplify Your Finances and Get What You Want Out of Life," is now available. Columns by Weston, the Web's most-read personal-finance writer and winner of the 2007 Clarion Award for online journalism, appear every Monday and Thursday, exclusively on MSN Money. She also answers reader questions on the Your Money message board.

Updated Feb. 10, 2009

< previous |  1 | 2 |