In this Information Age, liabilities and regulations regarding the flow of information affect both critical and non-critical industries. Businesses and governments should be establishing strategies and gathering the data necessary to assess risk, demonstrate reasonable security, or justify additional legislation / regulatory controls.
Identity theft was one of the hottest topics of 2005. Although the level of attention was high, there was little consensus on (1) how to define the "identity theft / security breach" problem (if there even is one); (2) how to quantify the problem; (3) how to measure its costs; (4) who should correct the problem (industry self-regulation or legislation by states or Congress or both); and (5) what oversight mechanisms should be established to monitor the problem.
Congress opened 2006 with a Supreme Court confirmation process, hearings on warrantless government eavesdropping, discussions of lobbying and Congressional ethics, and further PATRIOT Act debates. These issues might legitimately divert attention from what some have called an "identity theft crisis," but one more large-scale security breach could bring this debate back into the spotlight. Without the immediate pressure of reactive legislation, now is a good time for business and policy analysts to reassess identity theft concerns in order to provide better guidance to both the private sector and state and federal governments.
2005 in Review
* Disclosures of security breaches by businesses, universities, and government departments, potentially compromising more than 50 million accounts.
* Ten separate Congressional hearings on information security breaches and identity theft.
* The introduction of more than a dozen different Congressional bills relating to consumer notification and safeguards, and another half-dozen bills addressing other aspects of identity theft.
* The enactment of identity-theft-related legislation in twenty-seven states.
* A handful of new state security freeze laws regarding consumer reports (resulting in a total of about twelve states with such laws).
I. Impediments to Risk Analysis
A. Definitions / Language
The phrase "identity theft" is often used without the speaker first defining its meaning. Definitions are important because the speaker may be alluding to only one aspect of identity theft (e.g., credit card fraud). Most people think of identity theft in terms of financial loss from identity fraud, yet identity theft may lead to numerous consequences, not all of which appear on a credit card statement or consumer report.
In very general terms, when someone takes another person's identity information with the intent to commit a crime or transfer the information to another wrongdoer, the initial taking itself is a crime. Thus identity theft can occur without the victim [2] having experienced monetary or reputational loss. The victim may additionally suffer harm from (1) financial fraud, (2) impersonation by the wrongdoer during criminal acts (the wrongdoer proffers the stolen identity to a law enforcement officer when detained for committing a crime), and (3) impersonation during other acts (leasing an apartment, getting a job, etc.).
Specific language is also important when discussing security breaches and identity theft statistics. The media may report that "2005 saw the most computer security breaches ever," [3] but this phrase may -- or may not -- be true. In fact, 2005 saw the most disclosures of security breaches, due to a California disclosure law. Also, claiming that more than 55 million Americans faced the possibility of identity fraud from "130 major intrusions" [4] is not conducive to good consumer education when (1) security breach disclosures reference the number of accounts potentially affected, not the number of individuals (one person may suffer account compromises in multiple security breaches); (2) forty million of the 55 million (more than 70% of the reported statistic) occurred in one incident -- CardSystems; (3) more than nine million account compromises occurred through loss of storage media or theft of hardware -- neither of which is traditionally categorized as an "intrusion" into a computer system, and both of which require different solutions for remediation and prevention; and (4) a "major intrusion" is not defined -- a compromise of 1,000 university student identification numbers is not the same as 10,000 credit card accounts or 100,000 social security numbers.
Part of the language problem the media suffers is the same problem facing business, regulatory bodies, and legislators -- we cannot reliably talk about identity theft and its consequences when we do not have the proper metrics for identifying the costs, diagnosing the causes, or suggesting solutions.
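As an added illustration of the counting problems described above (this script is not part of the original whitepaper), the following Python code aggregates a constructed list of breach disclosures by compromise vector and by exposed identifier type, reports how much of the aggregate is attributable to the single largest incident, and separates account exposures from distinct individuals. All incident labels, person identifiers and figures are constructed for the example; they are not the 2005 disclosures the text discusses.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Disclosure:
    """One security breach disclosure as it might appear in an aggregated breach list."""
    incident: str    # constructed incident label, not a real case
    vector: str      # how the data left the entity's control
    data_type: str   # kind of identifier exposed (card, ssn, student_id, ...)
    accounts: int    # number of account records the disclosure reports


# Constructed sample disclosures; the figures are illustrative, not real 2005 data.
SAMPLE_DISCLOSURES = [
    Disclosure("inc-01", "intrusion", "card", 40_000_000),
    Disclosure("inc-02", "lost_media", "ssn", 3_900_000),
    Disclosure("inc-03", "hardware_theft", "ssn", 5_200_000),
    Disclosure("inc-04", "insider", "card", 310_000),
    Disclosure("inc-05", "intrusion", "student_id", 1_000),
    Disclosure("inc-06", "intrusion", "ssn", 100_000),
]

# Vectors that are not "intrusions" into a computer system and that call for
# different remediation (media handling, physical security) than a network compromise.
NON_INTRUSION_VECTORS = {"lost_media", "hardware_theft"}


def accounts_by_vector(records: Iterable[Disclosure]) -> dict:
    """Total reported account exposures, grouped by how the data was compromised."""
    totals = Counter()
    for r in records:
        totals[r.vector] += r.accounts
    return dict(totals)


def accounts_by_data_type(records: Iterable[Disclosure]) -> dict:
    """Total reported account exposures, grouped by the kind of identifier exposed.
    Grouping instead of summing everything keeps 1,000 student IDs from being
    counted on the same footing as 100,000 social security numbers."""
    totals = Counter()
    for r in records:
        totals[r.data_type] += r.accounts
    return dict(totals)


def non_intrusion_accounts(records: Iterable[Disclosure]) -> int:
    """Exposures from lost media or stolen hardware, which a headline 'intrusion' count hides."""
    return sum(r.accounts for r in records if r.vector in NON_INTRUSION_VECTORS)


def largest_incident_share(records: Sequence[Disclosure]) -> tuple:
    """Label of the biggest single disclosure and its fraction of the aggregate total.
    A share near 1.0 means the headline figure is really one incident, not a trend."""
    total = sum(r.accounts for r in records)
    biggest = max(records, key=lambda r: r.accounts)
    return biggest.incident, biggest.accounts / total


def individuals_vs_accounts(exposures: Iterable[tuple]) -> tuple:
    """Given (incident, person_id) pairs, return (account exposures, distinct people).
    Disclosures count accounts; one person hit by several breaches inflates that count."""
    exposures = list(exposures)
    return len(exposures), len({person for _, person in exposures})


# Constructed per-person exposure records for a subset of the sample incidents.
SAMPLE_EXPOSURES = [
    ("inc-04", "person-a"), ("inc-04", "person-b"),
    ("inc-06", "person-a"), ("inc-06", "person-c"),
    ("inc-05", "person-b"),
]


if __name__ == "__main__":
    print("by vector:", accounts_by_vector(SAMPLE_DISCLOSURES))
    print("by data type:", accounts_by_data_type(SAMPLE_DISCLOSURES))
    print("non-intrusion exposures:", non_intrusion_accounts(SAMPLE_DISCLOSURES))
    label, share = largest_incident_share(SAMPLE_DISCLOSURES)
    print(f"largest incident {label} is {share:.0%} of the aggregate")
    print("accounts vs people:", individuals_vs_accounts(SAMPLE_EXPOSURES))
```

Run as a script, the output shows the four distortions the text lists: the "by vector" line separates intrusions from lost media and stolen hardware, the "by data type" line keeps identifier kinds apart, the largest-incident share shows one constructed incident dominating the total, and the final line shows five account exposures spread over only three people.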
B. Metrics
While the lack of consensus regarding the identity theft "crisis" may be merely a result of the traditional give-and-take of business and consumer interests, a stronger rationale may be the absence of the necessary data to properly analyze the risks [5] of identity theft. Data regarding an identity theft may be collected from three sources -- the entity who suffers the compromise, the victim whose identity was stolen, and law enforcement. However, this data may be ascertained out of sequence, or may never be discovered at all.
For example, law enforcement officers may unearth a stash of stolen identities while investigating a methamphetamine operation. There may be little evidence as to how the wrongdoer obtained the identities -- they could have been purchased on the black market, acquired by hacking into a computer system, or obtained via non-technological methods like stealing mail. If the wrongdoer pleads to the methamphetamine charge, law enforcement may drop the lesser identity theft charge, and therefore investigation of the identity theft is not a priority. It thus remains a question as to (1) whether the individuals whose identities were stolen will ever be informed of law enforcement's discovery, and (2) whether the entity whose security was compromised will ever learn that someone accessed its property and stole the information.
On the other hand, a victim may find fraudulently-opened accounts listed in the victim's consumer report. The victim will then work with credit reporting agencies, and maybe law enforcement and financial services providers, to report the fraud. However, skillfully concealed behind false addresses and identities, the wrongdoer may never be identified. Once again, the victim may not be able to determine how the wrongdoer acquired the victim's identity. Further, if the identity information was not stolen from the victim directly, but was taken from another entity, that entity may never learn about the information security breach (unless the breach was independently detected).
Finally, an entity may discover a compromise in its security -- the computer system detects unauthorized access, or a shipping vendor reports data tapes were lost in transit, or an audit reveals insider wrongdoing. Depending on the quality of the entity's information systems, the entity may or may not be able to provide details regarding how the information was accessed, what pieces of information were compromised, or whether the information was compromised in a usable format.
These scenarios show that although evidence of a security breach, theft, or fraud may be separately discovered, none of this evidence may ever be linked. An entity suffering a breach cannot measure the actual loss to the victims. Without the connections necessary to show causation, it is impossible to determine the relative responsibility of each piece of stolen identity information to the accomplished (or attempted) crime and resulting harms. Thus, the reported "statistics" of identity theft and security breaches suffer various flaws:
Reliance on self-reporting by victims and credit reporting agencies. According to almost all evidence, most identity thefts are not reported. For example, at all the Congressional hearings on identity theft, at least one witness mentioned the FTC survey result that almost 10 million people in the U.S. became victims of identity theft in 2004; however, the number of identity thefts reported to the FTC Clearinghouse in 2004 was fewer than 250,000 (less than 2.5% of the survey results). Further, the reports which are compiled may lack a causal connection to disclosed security breaches because many victims do not know how their information was stolen.
Reliance on law enforcement / conviction rates. Since identity thieves are often apprehended after committing more grievous crimes and may not be charged with the lesser identity theft, identity theft convictions may not reliably indicate the frequency of identity thefts or any connections to security breaches.
Focus on ultimate crimes rather than methods of identity theft. Most statistics focus on how the stolen information was used to commit crimes, not how the information was originally stolen.
Therefore, while (1) the aggregate number of individual accounts potentially compromised by security breaches, and (2) the number of identity thefts determined by survey, are both daunting, we still lack reliable statistics correlating security breaches to identity theft. Remedying the absence of correlative data may be merely a matter of reorganization (defining who should be collecting this information, and how it should be managed), but it may also be that this kind of data (a) is not susceptible to identification and collection, or (b) is too costly to identify and collect. However, this absence of data is not fatal to providing "solutions" to the identity theft and security breach problems because, although a court would not allow recovery without a causal connection, policy-makers operate under different imperatives.
Given the current knowledge of identity theft and security breaches, some might argue that governments and the private sector would not be offering their panoply of solutions if the "identity theft crisis" did not relate directly to the increasing commercial market in personal information. Thus, both private sector and public sector decision-makers must look to the harms threatened by identity theft and security breaches, as well as the incentives provided by market and regulatory solutions.
II. Harms
Both identity theft and information systems security breaches can result in a wide spectrum of harms. The "victims" of identity information theft may include (a) the entity suffering the breach; (b) the individual whose information was stolen; (c) the retailer bearing the cost of the fraudulent purchase; (d) individuals victimized by crimes accomplished with the stolen identity; and, from a broader point of view, (e) taxpayers, consumers, and the general society, who ultimately shoulder the costs of fraud, as well as the harms from terrorist acts perpetrated under stolen identities. A brief review of the various kinds of harms includes:
A. Harms to Entities Suffering a Security Breach
Financial costs of (1) investigating the security breach, (2) communicating disclosures of the breach, (3) offering fraud prevention measures to affected consumers (credit monitoring, identity theft insurance, etc.), (4) paying contractual liabilities to vendors or partners, (5) losing competitiveness in the market, and (6) withstanding a drop in stock prices.
Regulatory actions. Businesses may (a) face monetary sanctions, and (b) be forced to implement additional security measures mandated by regulators under various authorities, including the FTC Act, the safeguards and privacy provisions of the Gramm-Leach-Bliley Act and section 404 of the Sarbanes-Oxley Act.
Liability to victims who suffer actual losses. Courts have traditionally limited recovery only to plaintiffs who (a) have either a contract or other special relationship that establishes a duty to reasonably secure the information, and (b) can prove actual losses caused by the breach.
B. Harms to the Individual whose Identity was Stolen
Harms from compromised social security numbers. These costs may not be easily quantified because a social security number is a key identifier that allows a wrongdoer to access more information about the victim (e.g., pretexting to get a consumer report) and to create more identification documents and accounts under the victim's name. Getting a new social security number is not really a viable option because (a) the old and new numbers will be linked together in many systems, (b) many agencies and organizations maintain records under the old number, and (c) the lack of credit history under the new number may cause future insurance and credit problems for the consumer. If a social security number was disseminated, these harms could be perpetrated repeatedly, even if the initial identity thief was caught. Since a fraud or impersonation could be committed at any time by any person, the victim suffers the financial and emotional costs of monitoring and remedying financial and criminal records that wrongdoers could be establishing.
Financial costs from compromised (1) brokerage accounts (which may not have the fraud protections of credit accounts); (2) credit card accounts; and (3) checking or savings accounts. Since credit card issuers generally will relieve consumers of fraudulent charges, consumer victims will likely suffer only the additional costs related to the time needed to challenge fraudulent charges, as well as the inconvenience of a new credit card number. Financial services providers often require additional information (e.g., PINs) to access checking and savings accounts, so the chance of loss is less, and again, the victim will likely suffer only the additional costs related to changing account numbers.
C. Harms to Consumers / Society
Passed-through costs of fraud and identity theft. Under credit card agreements, retailers must refund to victims the costs of fraudulently-purchased items. Businesses calculate the costs of fraud as a price of doing business; these costs thus affect prices for goods and services. Compromised credit card numbers may cause the card issuer to incur costs for cancelling the stolen numbers and reissuing new cards -- costs for which the entity suffering the breach may be contractually liable, and which will ultimately be passed through to consumers. Similarly, compromised student identification numbers may cause the school to incur costs to institute new numbers and audit and improve security -- costs which will be passed through to students and taxpayers. Further, healthcare fraud directly impacts the costs of healthcare to consumers in general.
III. Solutions
As already discussed, various forces offer incentives to businesses to provide information security (market forces, contractual and tort liability, regulatory sanctions, etc.). As governments offer additional legislative solutions to the problems of identity theft and information security breaches, these solutions should (1) recognize the panoply of threatened harms to all victims, (2) take into account the various different ways that information security may be breached, and (3) be targeted toward providing incentives to mitigate the identified harm.
In addition to the spectrum of harms from information security breaches, there is also a wide range of methods by which information may be compromised (hacking, storage tapes lost in transit, a dishonest insider with permission to access the information, pretexting, other frauds, etc.). Remedial measures to prevent one kind of threat will not necessarily work against other threats. Also, information managed in digital form faces dynamic predators -- the wrongdoers are constantly learning how to circumvent new technologies. Therefore, existing security mandates emphasize the reasonableness of the security plan rather than specific technological requirements.
Following in California's footsteps, more and more states are requiring businesses to disclose security breaches. Some businesses favor a preemptive federal security breach disclosure law that provides a common regulatory approach so that businesses do not have to comply with numerous different state laws. Some consumer advocates argue that states have the right to mandate stricter security for their citizens' information.
Wherever you stand on this issue, the proper policy analysis should begin with identifying the threat: (1) identity theft or (2) the problem of lax security in critical or interdependent information systems or (3) something else. The analysis should proceed by determining: (a) whether disclosure lessens the threat; and (b) whether the proposed law encourages efficient disclosure (the varied costs of disclosure, including potential consumer apathy, do not outweigh the degree to which the threat was lessened).
Yet again, the importance of definitions arises. Disclosure laws may not be an optimal solution if the threat is defined as either credit card fraud or the proliferation of social security numbers as the sole unique commercial and governmental identifier. Lawmakers should prioritize the identified threats and address each threat individually, understanding (1) that solutions may not apply to all harms arising from identity theft and information security breaches, and (2) that the costs of compliance are ultimately borne by consumers (who should therefore be receiving a security benefit worth more than this cost).
IV. Conclusion
Today there is no comprehensive mechanism to directly correlate information security breaches to resulting damages from identity theft crimes. The lack of reliable correlative data renders traditional risk management analyses impossible. If legislators attempt to frame solutions to a generic "identity theft" threat based upon equally generic, non-correlative "statistics," the proposed new law may be more a guessing game than a viable and cost-effective solution. As governments address these issues, they should not only tailor the solution to the specifically-identified threat, they should also investigate our ability to gather the data needed to perform better risk analyses. Similarly, as businesses begin to comply with rule-making promulgated under existing laws like Gramm-Leach-Bliley and state disclosure laws, the private sector should incorporate standards and data-gathering techniques necessary to assess risk -- to both demonstrate the required "reasonable" security and to defend against the charge that information security breaches have caused our "identity theft crisis."
NOTES:
[1] This research does not address consumer defenses and self-help related to attempts to steal one person's information (via phishing, keystroke loggers, other Trojans, etc.). Rather, this paper relates to the theft of identity data from institutions in which the identified individuals have (arguably) no control over the data.
[2] There may be many "victims" of the wrongdoer's actions (see infra), but for the purposes of this article, the phrase "victim" refers to the person whose identity was stolen.
[3] Record Bad Year For Tech Security, CNNMoney.com, at http://money.cnn.com/2005/12/29/technology/computer_security/ (Dec. 29, 2005).
[5] Knowledge of the extent of exposure to identity theft through security breaches (i.e., how much personal information is in the marketplace and who owns and controls the information) is a factor valuable in assessing risk. A discussion of consumer awareness and access to such knowledge is beyond the scope of this whitepaper.
The Critical Infrastructure Protection Program | George Mason University School of Law | 3301 N. Fairfax Drive | MS 1G7 | Arlington, VA 22201 | Phone: (703) 993-4840 | Fax: (703) 993-4847