PRIVACY + SECURITY BLOG

News, Developments, and Insights


Identity Theft

Professor James Grimmelmann likes to shop at Kohl’s.  So much so that he applied for credit at Kohl’s.  And he got it.

The problem is that James Grimmelmann didn’t really apply for anything.  It was an identity thief.

Grimmelmann was a participant in Chris Hoofnagle’s study about identity theft.  In a really eye-opening paper, Internalizing Identity Theft, 2010 UCLA J. of L. & Tech (forthcoming), Hoofnagle has concluded that one of the main reasons identity theft happens is that companies let it happen.  It is an economic decision.

Back in 1981, in the famous case involving an accident due to a defect in a Ford Pinto, it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.

Hoofnagle illustrates that the same phenomenon is happening with identity theft.  Companies grant credit carelessly because it is cheap to do so.  Many of the losses are sloughed off onto victims because the companies aren’t forced to internalize them.

To illustrate how sloppy the granting of credit is, Hoofnagle supplies a copy of the Kohl’s credit application Grimmelmann’s identity thief used.

Notice how many errors are on the application.  There’s a ton of missing information.  And Grimmelmann’s name is even spelled incorrectly — though, in all fairness, it’s got way too many m’s and n’s to keep track of.

In his paper, Hoofnagle examines several case studies in addition to Grimmelmann’s to show how many obvious red flags in credit applications are ignored.

Hoofnagle demonstrates that identity theft is a product not of carelessness on the part of the credit industry, but the product of planned carelessness — more akin to intentional decisions than to foolish blunders.

The reason so much identity theft occurs is that it is cheaper to expose people to the risk of identity theft than to exercise more care in vetting credit applications.  Courts and legislatures are also to blame, for they fail to adequately recognize the harm of identity theft (or data breaches) and will not make companies internalize the full costs.  So the companies do their cost-benefit analysis and conclude that they can expose people to the risk of identity theft because many costs are external — and if people sue, courts won’t recognize them.

The costs of identity theft to victims are substantial.  It creates a lot of anxiety.  It takes a lot of time to get to the bottom of the problem and then to fix it.  It takes time and effort to keep monitoring to make sure that the problem is fully resolved.  It leads to delayed decisions to make purchases, get credit, and take out loans — since people won’t want to do these things if their credit is a mess.  But these harms are often not recognized and appreciated to their full extent.

If courts and legislatures were to better recognize harm, and force companies to internalize it, then we’d see the end of sloppy practices that allow so much identity theft to occur.   Until that time, companies can be just like Ford with the Pinto.

See also Brad Stone’s writeup of Hoofnagle’s paper over at the New York Times’s Bits Blog.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
