Over the last few months there have been a number of highly publicized thefts of databases containing the identity data of thousands of people, in some cases millions. To some this might give the impression that the problem is getting worse quickly. Well, I suppose that is part of the story, but a greater factor is that until recently these thefts were simply kept under wraps. What you don’t know can’t be raised in your defence. One might suppose that this change of heart in reporting these thefts is due to some realization that it is the right thing to do. But no, actually it has more to do with newly enacted state laws requiring that people be informed when their data has been stolen or may have been stolen, and no doubt companies in states without those laws consider reporting thefts in order to prevent new laws. My question is, do these laws go far enough?

In the wake of the Enron scandal, public companies have been required to, among other things, enforce and monitor much stricter rules governing access to data and reporting of that access. That is data pertinent to the running of the business. The focus of the rules is to protect shareholders who have a financial stake in the company. But what about the members of the public who have their data compiled into these vast databases without any say-so or control? What protections do they have? I don’t believe it is enough to force reporting of stolen identity data, embarrassing though it may be. Without responsibility the report merely equates to “You’re screwed, sucks to be you.” If you have any doubt that that is all it amounts to, then consider these facts that can be accessed at Identity Theft Resource Center:

1. Victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time*, representing an increase of about 2470%.

2. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.

3. While victims are finding out about the crime more quickly, it is taking far longer than ever before to clear their records and recover from the situation.

4. Even after the thief stops using the information, victims struggle with the impact of identity theft. That might include increased insurance or credit card fees, inability to find a job, higher interest rates and battling collection agencies and issuers who refuse to clear records despite substantiating evidence of the crime. This “tail” may continue for more than 10 years after the crime was first discovered.

5. Based on the ITRC study, today the business community loses between $40,000 - $92,000 per name in fraudulent charges, based on reported fraud losses seen by surveyed victims. While this conflicts with other findings by other groups, there was a wide range of responses by the ITRC study respondents. The answer is that we may never know the true financial impact of this crime due to mis-classification of identity theft crime definitions by the business community and by victims.

6. The emotional impact on victims is likened to that felt by victims of more violent crime, including rape, violent assault and repeated battering. Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members.

7. Today victims spend an average of $1,400 in out-of-pocket expenses, an increase of 85% from years past.

8. Approximately 85% of victims found out about the crime due to an adverse situation - denied credit or employment, notification by police or collection agencies, receipt of credit cards or bills never ordered, etc. Only 15% found out through a positive action taken by a business group that verified a submitted application or a reported change of address.

9. Victims report a lack of responsiveness from those entities to whom they turned for help similar to results reported in 2000*. These include police, collection agencies, credit issuers, utility companies and financial institutions.

Sucks to be you.

Under these rules, which have only been in force for a few years, I have been notified 3 times that my data may have been stolen. In each case my recompense was a free year-long subscription for monthly credit activity reports. I guess that does mean I get to know it sucks to be me potentially much sooner, but well, it would still suck to be me. There is no element of financial responsibility attached to the database compiler’s lack of adequate security. The reason is really quite simple - it’s no skin off their nose if I go under at the hands of identity thieves. Well, the only way that can be changed is by law.

I’m talking about the kind of responsibility that business understands - fiscal. How about a scheme like this: next time an employee of your company thinks it is a good idea to carry your entire database of identity data around on a laptop that subsequently gets stolen, your company is obliged to foot the bill for any and all identity-related fraud, including all incidental costs, for all the people with information in the database for, say, the next five years. Of course, given that the details have been stolen, it would be that company’s burden to prove in any one case that it was not their leak that resulted in the crime. With something like that in place you better believe those who safeguard the data will be paying a lot more attention to the guarding part than simply the compiling part. I should imagine that there would be some motivation to also stop relying on the pathetically idiotic proofs of identity in common use now, such as social security numbers and the like.

At the end of the day, if the costs incurred by the victims of stolen identity data, both fiscal and in pure inconvenience, are never accounted for, then, as history shows us, there is insufficient motivation to treat the data with the care that the public deserves. It’s time to make those who profit from data accumulation pay for the cost of the breaches. Make it a cost of doing business, not a cost of living.