Requiring Banks to Disclose Identity Theft Statistics

Daniel Solove
Founder of TeachPrivacy

Bank

Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

There is widespread agreement that identity theft causes financial damage to consumers, lending institutions, retail establishments, and the economy as a whole. Surprisingly, there is little good public information available about the scope of the crime and the actual damages it inflicts. The publicly available data on identity theft come mainly from survey research. Methodologically, these survey polls of the public suffer from being both under and overinclusive in measuring the problem. As a result, low estimates attribute tens of billions of dollars in costs to the economy and consumers, the highest estimates place losses in the hundreds of billions.

To identify proper interventions and appropriately allocate resources we need comprehensive, hard data on the scope and effect of identity theft. One way to provide concrete data is to require lending institutions to publicly report figures on identity theft. Such public reporting will help identify the relative need for intervention and the likely efficacy of interventions. These disclosures are necessary to provide a sound baseline for investment by businesses and action by regulators. They are also warranted because the public pays the price of identity theft directly when they are the victim, and indirectly through higher fees, interest rates, and because the losses are tax subsidized.

The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.

For all those interested in identity theft, Chris’s paper is definitely worth reading. In the New York Times article, I have a brief quote which sums up my positive reaction to the proposal yet a practical concern:

Daniel J. Solove, an associate professor at George Washington University Law School, says that blame for identity theft is generally directed at criminals and victims who are lax with their personal data — not companies that fail to protect customer accounts. Direct reporting “brings attention to the fact that financial institutions contribute significantly to the problem, and it will make them more accountable,” he said.

Mr. Solove supports the direct reporting proposal, although he fears that banks will be motivated to challenge customer reports of identity theft, because mounting fraud will make them look bad.

Toward the end of the the New York Times article is a quote from a policy advisor at an industry trade group that strikes me as a bit silly:

The financial services industry opposes the plan. Doug Johnson, a senior policy adviser at the American Bankers Association, an industry trade group, said that revealing internal bank data on identity theft would not do much to help fight the problem. He said that it might actually distract financial institutions, which now privately share information among themselves and collaborate to fashion antifraud techniques.

Complying with the direct reporting proposal would “take our eye off the ball,” he said. “We should be watching what’s happening today, not what happened in the past.”

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
LinkedIn Influencer blog
*
Twitter
*
Newsletter

TeachPrivacy Ad Privacy Training Security Training 01