Identity theft: making the known unknowns known.

• Author: Hoofnagle, Chris Jay

TABLE OF CONTENTS I. INTRODUCTION II. THE KNOWN KNOWNS: IDENTITY THEFT A. New Account Fraud B. Account Takeover III. THE KNOWN UNKNOWNS A. Missing Data and Other Limitations of Identity Theft Surveys B. Law Enforcement Statistics Do Not Capture the Problem IV. MAKING THE KNOWN UNKNOWNS KNOWN A. Mandated Public Reporting of Identity Theft Incidence and Severity B. Who Should Report and to Whom V. THE CHALLENGES OF THE REPORTING APPROACH A. Institutions Themselves Are Not Always Aware of Identity Theft B. Reporting Could Enable Fraud C. Reporting Will Pit Financial Institutions Against Victims D. The Market Will Solve the Identity Theft Problem VI. THE BENEFITS OF THE REPORTING APPROACH A. Reporting Will Identify the Most Vulnerable Practices B. Reporting Will Provide Metrics for Interventions C. Reporting Will Focus Public Attention on the Real Problem D. A More Competitive Market for Protecting Consumers Will Arise VII. CONCLUSION I. INTRODUCTION

REPORTS THAT SAY THAT SOMETHING HASN'T HAPPENED ARE ALWAYS INTERESTING TO ME, BECAUSE AS WE KNOW, THERE ARE KNOWN KNOWNS; THERE ARE THINGS WE KNOW WE KNOW. WE ALSO KNOW THERE ARE KNOWN UNKNOWNS; THAT IS TO SAY WE KNOW THERE ARE SOME THINGS WE DO NOT KNOW. BUT THERE ARE ALSO UNKNOWN UNKNOWNS--THE ONES WE DON'T KNOW WE DON'T KNOW. (1)

There is widespread agreement that identity theft causes financial damage to consumers, creditors, retail establishments, and the economy as a whole. (2) The Federal Trade Commission ("FTC") has identified it as the fastest growing white collar crime; (3) federal and state governments have enacted numerous laws to curb its incidence and severity. (4)

The contours of the identity theft problem, however, are known unknowns: no one knows the prevalence of identity theft, the relative rates of "new account fraud" and "account takeover," (5) or the effect this crime has on the economy. What is more, the advent of "synthetic" identity theft (6) has exacerbated these measurement difficulties. These known unknowns present serious problems. They hamper attempts to evaluate the scope of the crime and to allocate law enforcement resources more efficiently. They also prevent us from determining whether various consumer protection interventions have been effective. Because of these unknowns, we cannot tell whether consumers, regulators, and businesses are over- or under-reacting to the crime. They prevent us from evaluating how the costs of the crime are distributed in society. These unknowns even foreclose the basic determination of whether the prevalence or severity of identity theft has changed over time.

Why, despite increases in identity theft, are law enforcement, the public, industry, or policymakers unable to measure the crime accurately? This Article argues that the answer lies in the methods used to measure the problem. What we do know has been learned through telephone and Internet surveys; however, few in-depth studies have been done. (7) While well-intentioned and valuable for some purposes in the identity theft policy debate, these surveys cannot completely document the contours of the crime.

More fundamentally, however, we are asking the wrong people about the crime. The surveys seek to obtain information about identity theft from its victims--individuals who have the most limited view of the problem. Victims often do not know how their personal data were stolen or who stole the information.

Financial institutions are in a better position to report information on identity theft. If lenders and organizations that control access to accounts (including payment companies such as PayPal and Western Union) were required to provide statistics about identity theft, a more complete and detailed picture would emerge. However, these data have significant potential to cause embarrassment and attract unwanted regulatory attention, which may explain why these institutions have not made these data publicly available.

This Article proposes three disclosure requirements for financial institutions: (1) the number of identity theft incidents suffered or avoided; (2) the forms of identity theft attempted and the financial products targeted (e.g., mortgage loan or credit card); and (3) the amount of loss suffered or avoided. This proposal is relatively simple and does not require extensive regulatory mandates. While its implementation might face several practical and political challenges, improved reporting of identity theft would result in four benefits to the public. First, it would identify the business practices most vulnerable to fraud. Second, it would help to identify the consumer protections that work and those that do not, and thus assist regulators and law enforcement agencies in allocating resources to combat the crime. Third, improved reporting would help focus public attention on the root causes of the crime. In particular, it could provide a potential counterpoint to the conclusions of some victim surveys that have relied on questionable assumptions and asserted that the fault for identity theft lies with the victims. (8)

Finally, providing more accurate, institution-level statistics on identity theft would make the security of personal information a new product differentiator, similar to low interest rates and fee-free accounts. It would enable benchmarking of financial institutions using that factor so that consumers could tell which institutions have the highest and lowest rates of fraud. Assuming that the market is competitive, it is likely that lenders that provide the safest financial products would be rewarded with consumer loyalty. This rubric would also pressure institutions bearing the ignominious mark of having the most identity theft to adapt or to be driven from the marketplace.

2. THE KNOWN KNOWNS: IDENTITY THEFT

   Congress articulated the legal definition of identity theft in 18 U.S.C. § 1028, which criminalizes certain knowing uses of another's identification information. (9) FTC defines identity theft more broadly as "a fraud committed or attempted using the identifying information of another person without authority." (10) For the purposes of this Article, it is useful to think of identity theft as a type of fraud with two distinct categories: new account fraud and account takeover.

   1. New Account Fraud

      In new account fraud, an impostor opens lines of credit using the personal information of another. (11) Such lines of credit may include new credit card accounts, mortgages, or utilities. These types of credit require that the impostor have the victim's Social Security number ("SSN"). (12) Generally, new account fraud is a serious problem for consumers, because the fraudulent accounts may appear on the victim's credit history, making it more difficult to obtain new credit. The impostor's use of the accounts may also act as a barrier to employment. (13) An important subset of new account fraud is synthetic identity theft. While common new account fraud involves use of the victim's true name, in the case of synthetic identity theft, an impostor uses the victim's SSN with a fake name, thus creating a new, "synthetic" identity. (14) Alternatively, an impostor can create an identity from scratch, using entirely fabricated information. (15) A synthetic identity--sometimes supplemented with artfully created credit histories--can then be used to apply for credit. While it may sound improbable, this approach to opening new lines of credit is generally successful for two reasons. First, some lenders will give accounts to individuals with no credit history. (16) A synthetic identity simply has a "thinner" credit file--a characteristic consistent with a legitimate new customer who is just entering the credit market. (17) Second, the use of a real SSN may allow impostors to satisfy a lender's security measures; there is mounting evidence that credit issuers use the SSN for both identification and authentication, that is, to locate the applicant's credit file and to prove that the credit file belongs to the applicant. (18)

      Not enough is known about synthetic identity theft, but initial indications suggest that it is a growing problem. According to Mike Cook of ID Analytics, a company that specializes in the reduction of fraud risk to businesses, synthetic identity theft "is a larger problem than [common new account fraud] and is growing at a faster rate." (19) While there are no reliable figures documenting losses from synthetic identity theft, some experts estimate that "synthetic schemes constitute at least 20% of credit charge-offs and 80% of losses from credit-card fraud." (20)

      United States v. Rose, a recent case brought by the U.S. Attorney for the District of Arizona, illustrates the problem of synthetic identity theft. (21) The indictment charged two men with a variety of federal crimes for allegedly combining fabricated names with real SSNs from credit reports in order to apply for credit cards. (22) One of the defendants owned a small consumer reporting agency, (23) and apparently had a high level of sophistication with credit practices. The pair established credit histories for the synthetic identities by reporting favorable payment information to consumer reporting agencies. (24) These reports made the synthetic identities appear to be real people with records of paying bills. The defendants then allegedly obtained 250 credit cards from 15 banks, and charged $760,000 to these synthetic identities. (25)

      As explained in more detail in Part III. A, synthetic identity theft cannot always be detected by the individual whose SSN was used. This difficulty arises because the synthetic identity is an amalgam of false and real information; while sufficient to obtain credit, the identity, and the corresponding losses, may never be attributed to a real individual. In Rose, the defendants used real SSNs but wholly fabricated names. (26) For example, the SSN of identity theft victim Haqqani Saifullah was used to apply for a credit...