The State of Identity Theft in 2013


This white paper examines data breaches and identity theft that occurred in 2013.


A National Consumers League White Paper Examining Fifteen Years of Federal Anti-Identity Theft Consumer Protection Policies

Prepared by John D. Breyault

Vice President of Public Policy, Telecommunications and Fraud

National Consumers League 1

Thesis: Identity theft remains a pernicious threat to consumers. While the federal

government and private sector have done much to address this issue, it is important

that legislators and regulators remain vigilant to protect consumers from this ever-

evolving fraud.

Executive Summary

May 3, 2006 was a typically beautiful spring day in Washington, DC, with temperatures in the

mid 70’s, a slight breeze and clear skies. As the work-day wound down, a data analyst from the

Department of Veterans Affairs took home a laptop and an external hard drive, as he had done

regularly for the previous four years. That night, however, the laptop and hard drive were stolen

during a burglary of the analyst’s Maryland home.2 The two devices contained unencrypted

information -- including names, dates of birth, Social Security Numbers and medical information

on more than 26.5 million active duty members of the military, National Guardsmen, Reservists,

veterans and their spouses. This theft followed a highly publicized data breach at data broker

ChoicePoint in February 2005.3 That same month, Bank of America announced that it had lost

tapes containing the Social Security Numbers and account information of more than 1.2 million

1 This white paper was underwritten by an unrestricted educational grant from Google, Inc.

2 Electronic Privacy Information Center. “Veterans Affairs Data Theft.” Online: http://epic.org/privacy/vatheft/

3 “ChoicePoint: More ID Theft Warnings,” CNN/Money. February 17, 2005. Online: http://money.cnn.com/2005/02/17/technology/personaltech/choicepoint/

© National Consumers League 2013


federal employees, including some members of the Senate.4 In each case, the breaches

exposed Americans to possible identity theft.

This spate of high-profile data breaches prompted President George W. Bush to issue

Executive Order 13402 on May 10, 2006. The order created the federal Identity Theft Task

Force, charging 15 federal departments and agencies with crafting a comprehensive national

strategy to combat identity theft. In April 2007, the task force issued its strategic plan, which

included 31 recommendations ranging from small incremental steps to broad policy changes.5

More than a year later, in September 2008, the task force released a report describing the

progress of the seventeen member agencies in implementing the task force’s

recommendations. While many of the recommendations had been successfully implemented,

the report noted that the implementation of others was still in progress.6 Many of the reforms

prompted by the task force have had an impact, but it remains unclear if the federal

government’s policies are keeping up with the threat of identity theft which continues to evolve.

The scope of identity theft is massive. Every year for more than a decade this form of fraud has

been the single largest source of complaints to the Federal Trade Commission.7 While the

number of consumers affected has decreased significantly from 2009-2010, more recent data

shows that this scam is once again trending in the wrong direction. In 2012, identity fraud

affected 5.26% of American consumers or 12.6 million people, the second straight year the

incidence of identity fraud increased. Losses from identity fraud also increased from $18 billion

in 2011 to $20.9 billion in 2012.8

Clearly, identity theft perpetrators are becoming more professional and more networked.

Sophisticated identity theft black markets exist to facilitate the buying and selling of

compromised identities. These black markets are supplied by growing numbers of data

breaches affecting organizations from small retailers to large banks and government agencies

4 Nowell, Paul. “Bank of America Loses Tapes With Federal Workers’ Data,” The Washington Post. February 26, 2005. Online: http://www.washingtonpost.com/wp-dyn/articles/A54823-2005Feb25.html

5 The President’s Identity Theft Task Force. Combating Identity Theft: A Strategic Plan. April 2007. Online: http://www.identitytheft.gov/reports/StrategicPlan.pdf

6 The President's Identity Theft Task Force. Task Force Report. September 2008. Online: http://www.idtheft.gov/reports/IDTReport2008.pdf

7 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf

8 Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.


at every level. These breaches have caused millions of personal records to be compromised,

allowing identity thieves to conduct their crimes with greater ease than ever before.

Progress, to be sure, has been made in a number of areas. Identity thefts affecting existing consumer

accounts (e.g. credit cards, bank accounts) appear to have decreased in frequency, and the

time and expense necessary to recover from identity theft has decreased. Despite these

advances, however, the changing face of identity theft presents consumers with new worries.

However, the increasing prevalence of new account fraud, tax-related and medical identity theft

suggests that identity thieves are increasingly seeking fraud that can remain undiscovered for

longer time periods. For instance, it appears that identity thieves are becoming adept at

aggravated identity theft, particularly involving the creation of new accounts.9 A significant

concern is the increasing use of stolen identities to commit tax-related identity theft.

Government documents or benefits fraud is by far the largest and fastest-growing category of

identity theft complaints, increasing from 19.2% of identity theft complaints in 2010 to 46.4% in

2012.10 Tax or wage-related fraud complaints make up 93.5% of this category, up from 81.3% in

2010.11

This much is clear: the threat of identity theft is not going away anytime soon. It is therefore

critical that the successes achieved by the President’s Identity Theft Task Force, new consumer

protection laws and private sector data security efforts not be taken for granted. Instead,

policymakers in Congress and the Executive Branch should consider a range of reforms to

address the evolving identity theft threat. These include:

1. The President’s Identity Theft Task Force Report should be updated to reflect

reforms undertaken since 2008.

2. Congress should pass comprehensive data breach notification legislation.

9 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf

10 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf

11 Ibid.


3. The Federal Trade Commission should collect and publish data on the

effectiveness of the Red Flags Rule in preventing identity theft.

4. Those who shape U.S. foreign policy should set as a key goal achieving additional

Memoranda of Understanding on identity theft with foreign governments.

5. The Federal Trade Commission and Internal Revenue Service should launch a

comprehensive effort to improve consumer protections for tax-related identity

theft.

6. The Obama Administration should explore stronger incentives and penalties to

encourage private sector businesses to better protect the personally identifiable

data they collect.

I. Identity Theft Continues to Affect Millions of Consumers and Cost the U.S. Economy Billions

Identity theft is a serious, pernicious threat to millions of consumers annually. According to

Javelin Strategy, which publishes one of the few longitudinal studies tracking identity fraud, 12.6

million consumers were affected by identity fraud in 2012. Losses stemming from identity fraud

are estimated to total $20.9 billion annually.12 To put this total in context, $20 billion in identity

fraud losses annually is equivalent to the insured cost of a Hurricane Sandy hitting the economy

every year.13

Consumers reported in an April 2013 Zogby poll that identity theft was their biggest concern

about the Internet (39%), higher than viruses and malware (33%), government surveillance of

data (12%) or cyber-bullying and stalking (5%).14 This consumer concern about identity theft is

12 Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.

13 Holm, Erik and Scism, Leslie. “Sandy’s Insured Loss Tab: Up to $20 billion,” The Wall Street Journal. November 2, 2012. Online: http://online.wsj.com/news/articles/SB10001424052970204712904578092663774022062

14 Digital Advertising Alliance. “Poll: Americans Want Free Internet Content, Value Interest-Based Advertising,” Press release. April 18, 2013. Online: http://www.aboutads.info/DAA-Zogby-Poll


reflected consistently in polling. When asked to name the most significant privacy-related threat,

61% of consumers named identity theft.15 Similarly, a 2012 Forrester survey found that

consumers’ primary privacy, safety and security concern when it comes to the Internet is having

their identities stolen.16 The fallout from identity theft victimization is especially destructive for

confidence in small businesses. Fifteen percent of identity theft victims changed their behaviors

and avoided smaller online merchants. Larger merchants are not as affected by this behavior

change.17

Data breaches are a major source of the compromised personal information that fuels identity

theft. Such breaches occur in a myriad of ways, including phishing schemes, insider attacks,

and sophisticated hacking attacks. The total impact of these breaches is massive. One study

recorded more than 2,500 incidents since 2004, affecting 1.1 billion records.18 The scope and

size of the data breach issue is directly relevant to identity theft because consumers whose data

is compromised by a breach are significantly more likely to be victims of fraud than those who

are unaffected by a breach. In 2011, 5.3% of all consumers were victims of identity fraud, while

22.5% of consumers whose data was compromised became victims of fraud.19

Data breaches clearly increase the risk of consumers becoming victims of fraud, but it appears

that identity thieves may be using stolen identity information in new and more egregious ways.

For example, the number of identity theft cases filed and the number of defendants convicted

both decreased in 2009 and 2010 relative to 2008. However, the numbers of aggravated identity

theft cases filed and defendants convicted have continued to increase.20

15 Ponemon Institute. 2012 Most Trusted Companies for Privacy. Pg. 2. January 28, 2013. Online: http://www.ponemon.org/local/upload/file/2012%20MTC%20Report%20FINAL.pdf

16 Enright, Allison. “Consumers worry about online privacy, but shop anyway,” Internet Retailer. May 11, 2012. Online: http://www.internetretailer.com/2012/05/11/consumers-worry-about-online-privacy-shop-anyway

17 Javelin Strategy & Research. “2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters,” Press Release. February 2013. Online: https://www.javelinstrategy.com/brochure/276

18 Verizon RISK Team. 2013 Data Breach Investigations Report. Pg. 4. May 2013. Online: http://www.verizonenterprise.com/DBIR/2013/

19 Source: Javelin Strategy & Research. 2013 Identity Fraud Report: Data Breaches Become Treasure Trove for Fraudsters. February 2013.

20 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf


Identity theft has been the most common fraud complaint to the Federal Trade Commission for

the past thirteen years.21 In response, the Commission has rightfully made the fight against

identity theft a top priority. However, trends in the complaint data are suggestive of changes in

how identity thieves are monetizing stolen information. At one time, compromised identity data

was used most often to commit credit card fraud. Now the broad category of government

documents or benefits fraud has become by far the largest and fastest-growing sub-category of

identity theft complaints. In 2010, complaints about this type of scam accounted for 19.2% of

identity theft complaints to the FTC. By 2012 this number had risen to 46.4%, outpacing credit

card fraud, bank fraud, employment-related fraud, phone or utilities fraud and loan fraud,

combined.22 This should be a wake-up call for the Obama Administration, Congress and state

authorities.

Fig. 1

Source: Federal Trade Commission. Consumer Sentinel Network Data Book (CY 2008-12)

21 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf

22 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December 2012, February, 2013. Online: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf


Within the government documents/benefits fraud category, the use of stolen identity information

to file fraudulent tax returns has historically been the dominant type of scam. Over the past

seven years, this scam has grown ever more popular among identity thieves, increasing from

63% of all government documents/benefits fraud complaints in 2006 to 93.53% of such

complaints in 2012.

Tax identity theft occurs when thieves use personal information, such as a consumer’s

Social Security Number and full name, to submit fraudulent tax returns and obtain refunds to

which they are not entitled. In 2011 alone, approximately 1.1 million suspicious tax returns were

identified, resulting in $3.6 billion in potentially fraudulent refunds paid by the IRS due to identity

theft.23

Fig. 2

Source: Federal Trade Commission. Consumer Sentinel Network Data Book (CY 2008-12)

23 Treasury Inspector General for Tax Administration. “Identity Theft: IRS Detection Has Improved, Yet Billions Still Lost in 2011 Returns,” Press Release. November 7, 2013. Online: http://www.treasury.gov/tigta/press/press_tigta-2013-39.htm


While the nature of identity theft is changing, the scope of the problem clearly remains massive.

Consumers are still concerned about the threat of identity theft and rightfully so. While the direct

cost to consumers of being a victim in money and time has decreased, the indirect costs to the

economy, taxpayers and confidence in the Internet are no less worrisome.

II. Background On Federal Anti-Identity Theft Efforts

Since the 1970s, consumers have benefitted from legislation that safeguards their finances from

misuse, providing a basic level of identity theft protection. For example, the Fair Credit Reporting

Act imposes a duty on consumer reporting agencies to ensure that the information they report is

accurate. The FCRA also gives consumers the right to file suit for violation of the Act. The Fair

Credit Billing Act provides consumers with an opportunity to receive an explanation and proof of

charges that may have been made by an imposter. The FCBA also gives consumers the right to

have unauthorized charges removed from their accounts. Finally, the Electronic Funds Transfer

Act limits consumers’ liability for unauthorized electronic fund transfers as long as they notify

their financial institution in a timely manner.

The cumulative effect of these 1970’s-era laws is that much of the financial cost of fraud

stemming from identity theft is borne not by consumers themselves, but by financial institutions

instead. By the late 1990’s, the rise of Internet-fueled identity theft exposed the limitations of

these laws. Congress took an important first step in attacking the identity theft problem with the

passage of the Identity Theft Assumption and Deterrence Act of 1998, which made identity theft

a federal crime. This was followed by the Fair and Accurate Credit Transactions Act of 2003

(FACTA), which directed the FTC to work with credit card issuers to improve security

procedures.24 FACTA also gave consumers the right to request a free credit report from each of

the major credit reporting bureaus every twelve months and to have a fraud alert placed on their

credit reports if they suspected identity theft. In 2004, the Identity Theft Penalty Enhancement

24 FACTA’s requirement that the FTC work with businesses to implement security safeguards led to the creation of the Red Flags Rule. This Rule requires many financial institutions and creditors to implement written Identity Theft Prevention Programs to identify the warning signs (“red flags”) of identity theft in their day-to-day operations. The Red Flags Rule went into effect on December 31, 2010. For additional information, see the Federal Trade Commission's “Fighting Identity Theft with the Red Flags Rule: A How-to Guide for Business.” Online: http://www.business.ftc.gov/privacy-and-security/red-flags-rule


Act established additional penalties for aggravated identity theft. Most recently, the 2008 Identity

Theft Enforcement and Restitution Act authorized restitution for the time spent by victims

recovering from the harm caused by an actual or intended identity theft.

In addition to legislative action increasing consumer protections against identity theft, significant

reforms have been undertaken by Executive Branch agencies to address the threat of data

breaches and the resulting danger of identity theft. In 2006, following a spate of high-profile data

breaches, President George W. Bush issued Executive Order 13402. The Order created the

federal Identity Theft Task Force, charging 15 federal departments and agencies with crafting a

comprehensive national strategy to more effectively combat identity theft. In April 2007, the task

force issued its strategic plan, which included 31 recommendations, ranging from small,

incremental steps to broad policy changes.25

Notable recommendations from the Task Force included:

● Reducing the use of Social Security Numbers by federal agencies;

● Establishing national standards for private sector protection of personal data;

● Promoting a national data breach notification standard;

● Implementing a broad and sustained consumer, industry and public sector awareness

campaign regarding identity theft; and

● Creating a National Identity Theft Law Enforcement Center to coordinate enforcement

resources targeted at identity theft.

A progress report released by the task force in September 2008 detailed the federal

government’s progress in implementing the strategic plan. Notable reforms undertaken as a

result of the Task Force’s recommendations included (but were not limited to):

● Task Force member agencies have significantly reduced their use of Social Security

Numbers;

● Federal agencies have increased the use of encryption technology on laptops and other

mobile data devices containing agency data;

25 The President’s Identity Theft Task Force. Combating Identity Theft: A Strategic Plan. April 2007. Online: http://www.identitytheft.gov/reports/StrategicPlan.pdf


● Congress passed the Identity Theft Enforcement and Restitution Act, which addressed a

number of deficiencies in the federal criminal related to identity theft while giving

consumers an avenue for restitution for losses stemming from identity theft;

● Numerous identity theft databases (e.g. the FTC’s Identity Theft Data Clearinghouse)

and joint enforcement coordination efforts have been undertaken to make enforcement

efforts more efficient; and

● Identity theft coordinators have been established in each U.S. Attorney’s Office to

coordinate anti-identity theft efforts between these offices and the Department of

Justice.26

While a number of the task force’s recommendations had been successfully implemented, many

were still in progress as of the publication of the 2008 report. A notable example is the failure of

Congress to pass a comprehensive national data breach notification law. As of November 2013,

46 states as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands

have passed state data breach notification laws.27 This has created significant challenges given

the national scope of many data breaches.28

The implementation of these consumer protections has correlated with a significant reduction in

the incidence of certain types of identity theft, particularly schemes involving credit card fraud,

bank fraud and loan fraud. This trend is also reflected in federal identity theft cases filed and

defendants convicted, the rates of which peaked in 2007 and declined in each of the following

three years.29

Whether these trends are a direct result of the new protections implemented by the federal

government is unclear. However, we know that identity thieves tend to seek out schemes that

offer the most profit with the least risk, so it seems plausible that these reforms are having an

effect on the broader problem.

26 See generally: The President’s Identity Theft Task Force. Task Force Report. September 2008. Pgs. 6-49. Online: http://www.idtheft.gov/reports/IDTReport2008.pdf

27 National Conference of State Legislatures. “State Security Breach Notification Laws.” Online: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

28 For additional discussion on this topic see: Geer, David. “Data breach notification laws, state and federal: A review with commentary for security C-levels,” CSO. November 1, 2013. Online: http://www.csoonline.com/article/742430/data-breach-notification-laws-state-and-federal?page=1

29 Congressional Research Service. Identity Theft: Trends and Issues. February 15 2012. p. 16. Online: http://www.fas.org/sgp/crs/misc/R40599.pdf


III. Recommendations for Responding to Evolving Identity Theft Threats

Consumers and law enforcement agencies have powerful tools at their disposal to attack the

identity theft problem. However, as with other types of cyber crimes, identity thieves are nothing

if not resilient and adaptable. For example, they appear to be shifting their activities towards tax-

related identity theft, potentially as a way to avoid stronger countermeasures at financial

institutions.

Significant structural challenges that enable identity theft also remain an issue. In particular, the

raw fuel for identity theft − compromised personal information − is more widely available than

ever thanks to the explosion of data collection by the private and public sector. More information

under the control of more organizations necessarily means that more data will be compromised.

It should not be surprising, then, that reports of data breaches are becoming an almost daily

news item. Since 2005, the non-profit Privacy Rights Clearinghouse has recorded more than

4,000 data breaches -- more than one per day for nine straight years.30 It is a near-certainty that

many more breaches have gone unreported.31 The glut of data breaches may even be driving

down the price of stolen identities in the cybercriminal underground due to oversupply.32

The professionalization of identity theft also poses new challenges. Whereas in the past identity

theft may have been about establishing bragging rights within the hacker community, today it is

30 Privacy Rights Clearinghouse. “Chronology of Data Breaches,” (Accessed November 24, 2013). Online: https://www.privacyrights.org/data-breach

31 A dramatic visualization of the growing number of data breaches was recently created by London-based author and data-journalist David McCandless who plotted the world’s biggest data breaches on a time scale to illustrate the growing threat. Online: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

32 Higgins, Kelly Jackson. “Glut in Stolen Identities Forces Price Cut in Cyberunderground,” Dark Reading. November 19, 2013. Online: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089


a thoroughly organized money-making criminal enterprise.33 Numerous black markets for stolen

identity information exist online, some even featuring help desk support.34

While there are steps that consumers can take to mitigate their risk of identity theft, the onus

must not be on the individual consumer - weak passwords are not the cause of massive ID

theft. Consumers of course should monitor credit reports, install anti-virus software,

keep computer operating systems up-to-date and maintain strong passwords, to name but a

few. However, given the explosive growth of data breaches, the ability to control vulnerability to

identity theft is largely out of consumers’ control.

Given these operational and structural challenges, policymakers must adapt to ensure that the

gains made over the previous seven years of anti-identity theft work are not reversed. To begin

a dialogue on this issue, we urge policymakers to consider the following recommendations:

1. Update the President’s Identity Theft Task Force Report. This will enable

policymakers and advocates to better evaluate the impact of actions taken in response

to the Task Force’s recommendations since 2008 and discuss new reforms that may be

necessary given the changing nature of identity theft.

2. Congress should pass comprehensive data breach notification legislation. The 46

state data breach notification laws frequently conflict and may confuse consumers who

receive notifications. Given the national (and in many cases, international) scope of data

breaches, a national standard for notification is warranted. The most stringent state data

breach notification laws should serve as the basis for a federal standard.

3. The Federal Trade Commission should collect and publish data on the

effectiveness of the Red Flags Rule in preventing identity theft. A key provision of

FACTA directed the FTC to work with the private sector to create a Red Flags Rule to

enhance protections against identity theft in the business community. The full

enforcement of the Rule was delayed until the end of 2010. The FTC should evaluate

whether the Rule is affecting identity theft rates and, if necessary, consider

strengthening the Rule to improve consumer protections.

33 McAfee Security Advice Center. “The Evolution of Cybercrime,” Spring 2011. Online: http://home.mcafee.com/advicecenter/?id=rs_na_sp11article1

34 Higgins, Kelly Jackson. “Glut in Stolen Identities Forces Price Cut in Cyberunderground,” Dark Reading. November 19, 2013. Online: http://www.darkreading.com/attacks-breaches/glut-in-stolen-identities-forces-price-c/240164089


4. Those who shape U.S. foreign policy should set as a key goal achieving additional

Memoranda of Understanding on identity theft with foreign governments. The

international nature of much identity theft demands cooperation between U.S. law

enforcement agencies and their foreign counterparts. This is greatly facilitated when

there are clear rules and procedures governing the sharing of information between

international partners.

5. Federal regulators should launch a comprehensive effort to improve consumer

protections from tax-related identity theft. Identity thieves taking advantage of the

U.S. tax collection system has become a major cause for concern. Consumers should be

empowered to take preemptive action to protect themselves from tax-related identity

theft. The IRS should expand the availability of PIN technology to consumers that

request it, not just identified victims of identity theft.

6. Explore additional incentives and penalties to encourage private sector

businesses to better protect the personally identifiable data they collect. Limiting

consumer liability for fraudulent credit and debit card purchases has been a key driver of

improved fraud protection in the financial services industry. Policymakers should explore

whether similar reforms would incentivize the private sector to increase data security

standards.

IV. Conclusion

Identity theft is a pernicious threat that affects millions of American consumers annually, costs

the U.S. economy and taxpayers billions of dollars, and reduces confidence in the Internet and

small businesses. It has been more than fifteen years since Congress passed its first law

specifically targeting the identity theft problem. It has been more than seven years since a

Presidential level task force was convened to improve the federal government and private

sector’s response to the problem of identity theft.

While these efforts have shown some success, it is clear that identity theft remains a problem of

massive proportions. It is therefore imperative that policymakers, advocates and the general

public recommit themselves to reducing the plague of identity theft. There are a number of

reforms that would help to achieve this objective, several of which are discussed in this report.


We urge Congress and federal regulators to consider the continuing threat of identity theft and

maintain their vigilance against this serious crime.
