
Just how common is ID theft?

A host of studies attempt to quantify the size of the ID theft problem. But there is no universal agreement on the size of the problem, on the way to count the victims, or even on how to define identity theft.

Another day, another big number about identity theft. On Wednesday, the public policy think tank Privacy and American Business released a study saying 1 in 5 Americans identify themselves as a victim of identity theft. Researchers there estimated the crime has hit a staggering 44 million people.

The new study joins a host of other statistics — some private, some government-sponsored — attempting to quantify the size of the ID theft problem. But there is no universal agreement on the size of the problem, on the way to count the victims, or even on how to define identity theft.

The question is more than semantic: The credit and retail industries are afraid negative publicity might lead to overzealous federal regulation or legislation. Consumer groups say accurate statistics that reflect the epidemic nature of the problem are needed to win important new rights for potential victims. 

There are many numbers to consider: There's the actual number of ID theft complaints filed with the Federal Trade Commission last year (about 246,000). There's the estimated number of ID theft victims in the past year — several studies peg this at about 10 million. There's the number of victims in the past five years, or ever — between 25 and 44 million, depending on the study. And there's the number of people whose data has been lost, stolen or placed at risk by corporations this year. That's about 50 million, according to the Privacy Rights Clearinghouse.

But which number represents ID theft?

Fraud by any other name ...
Identity theft can be as simple as a single disputed credit card charge, or as complex as an imposter committing crimes in the victim's name, or obtaining government benefits and big loans using the victim's Social Security number.

Industry groups argue that simple credit card fraud, when a fraudulent charge is spotted and disputed on a credit account, isn't ID theft. Exclude those victims, and the total number of victims is quite a bit smaller, they argue.  And simply "compromised" credit cards or other private information which hasn't been used for fraud yet, isn't ID theft either, this thinking goes.

"There is a genuine disagreement in principle as to how to define this crime," said Alan Westin, the president of Privacy and American Business and the author of the recent study. "ID theft is a term that has been placed over this issue like a blanket."

While there may be dispute about the numbers, there is no argument that they keep getting larger. In 2002, the only estimate available from the FBI suggested there were 750,000 identity theft victims in the United States. Then in 2003, Gartner Group estimated there were 7 million victims the previous year. A few months later, the Federal Trade Commission pegged the number at 9.9 million victims in the prior 12 months, and 27 million overall.  In early 2005, the Javelin Group estimated that there were 9.4 million victims of identity theft in the prior 12 months.

And now comes the Privacy and American Business survey with the most staggering estimate yet: that 20 percent of Americans are victims.

The new study comes just days after the retail industry took a step to reel in some of the bad news surrounding identity theft. In an editorial published Monday in USA Today, Mallory Duncan of the National Retail Foundation wrote that "despite the hype, true identity theft cases are few and far between."

He reiterated that sentiment in an interview with MSNBC.com.

"There's actually not nearly as much identity theft as the headlines would lead you to believe," Duncan said. "The numbers that you're looking at are unfortunately misleading."

His argument: identity theft and credit card fraud are two different things. A fraudulent charge on a credit card is one thing, easily solved by a call to the issuing bank. Full-blown ID theft, where someone else takes out loans or buys cars in the victim's name, is another.

"If someone gets your credit card number, the worst they can do to you is try to charge something to that account," said Duncan. "That's not identity theft. That's something consumers can easily fix by calling the card company." 

Simple credit-card fraud, together with thefts from checking and savings accounts, represents two-thirds of the 10 million victims estimated by the FTC, he said. "The true number of identity theft victims is nowhere near 10 million," he said. Duncan said one study indicated there were as few as 160,000 ID theft victims per year, but that even if there are 3 million victims each year, "that's only about 1 percent of the population. That's few and far between."

How the government defines ID theft
Other kinds of frauds muddy the counting problem even further. There is existing account takeover -- such as someone draining a consumer's checking account. Then there's new account creation, such as a criminal opening a new credit card in someone else's name. Then there's identity creation, when a criminal uses a victim's Social Security number, but an entirely different name and other information. Victim consumers may never find out about the last one, making the real size of the identity problem hard to quantify.

Joanna Crane, who manages the Federal Trade Commission's identity theft group, said credit card-only fraud represented only about half of the 10 million annual victims estimated by the group's study. The study estimated that 1.5 million had existing accounts like checking or savings accounts raided by criminals; 3.3 million had new credit cards and other new accounts opened in their names.

Duncan says that only the new account fraud cases represent true identity theft — because consumers who suffer credit card fraud or checking account theft can usually quickly recover with a call to their bank, and don't face the prospect of additional fraud by that same criminal later on.

But the FTC calls all of it identity theft because Congress said to, Crane said. The Identity Theft and Assumption Deterrence Act of 1998 included credit card fraud in its definition of the problem, Crane said. And what's more, the 5 million credit card-only fraud victims represented in the study indicated they lost an average of $140 because of the incident. Some of that was from lost wages due to time spent fixing the problem, and some because they didn't dispute the fraudulent charges on time. 

"The majority of people pay nothing ... but there are a number of credit-card only victims who spend time and money resolving the issue," Crane said. "The cost is not zero in all cases."

Consumer protections vary
Avivah Litan, who conducted Gartner's study, said it was important to draw distinctions between simpler and more involved kinds of identity-based fraud.

"Maybe these surveys are doing a disservice to the public by lumping everything together," Litan said.  "But on the other hand, that's how consumers think about it. I think it is fair to call everything ID theft if you look at it from the consumer perspective."

Even simple credit card fraud isn't so simple, Litan said. A thief who hacks a database of stolen credit cards may have victims' home addresses, too — and have stolen items shipped to their house. Consumers who must cancel cards have to endure the hassle of re-establishing automatic payments, and may find their cards suddenly don't work while on a business trip or vacation.

And when a debit card number is stolen, consumers have additional problems.  Rights to recover lost funds are weaker. And unlike credit card fraud, the money is drained immediately from a victim's bank account, and it's up to the victim to get the bank to replace it.  With credit card fraud, victims simply don't pay for the disputed charges on a bill.

Meanwhile, more severe cases of ID theft are far more common than the retail and credit industries would like people to believe, said Rob Douglas, who operates PrivacyToday.org.

"To say the numbers are hyped is ridiculous," Douglas said. "Statements like that demonstrate that they don't get it. [Duncan] seems quite cavalier about this and maybe that's why we have the problem."

Slow to recognize the problem
American financial institutions were slow to recognize or acknowledge the severity of the problem in the early part of this decade, even as the FTC repeatedly said ID theft was its top-reported fraud, and the Justice Department called it America's fastest-growing white-collar crime.

One reason why may be simply a matter of human error. Consumers often don't spot ID theft for months. Meanwhile, criminals who open new credit cards simply don't pay the bills. The fraudulent accounts go unpaid for months, and eventually are written off as bad debts by banks — long before the trail leads to identity theft. A 2003 study by ID Analytics reported that in 7 out of 8 cases, credit card firms, cell phone companies, and other lenders misidentified ID theft as unpaid bills.

To Westin, the numbers are only part of the story. What's most important is the trendline, he said. In a study he conducted two years ago, there were 35 million victims — 9 million fewer than this year's study. That increase occurred despite the Fair and Accurate Credit Transaction Act, passed by Congress and signed by President Bush at the end of 2003. The law was full of provisions designed to stem ID theft, like a free annual credit report and additional consumer rights.

The continued increase is a trend worth getting worried about, he said.

"Despite all of the things that have been done by government and business, all the efforts to tell people what they can do to protect themselves," Westin said. "Despite those things, it's still rising."

Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic