This entry is part of a series we are writing on Identity Theft. Look for more Identity Theft posts throughout the month of June.
The exposure of personal information is just the front end of the identity theft problem; after that comes the fraud committed by using the information. How big is the problem?
Consider some recent statistics. Javelin Strategy & Research compiled a 2005 Identity Fraud Survey Report. That report updates a 2003 study by the Federal Trade Commission.
- The Javelin report said 9.3 million Americans were victims of identity fraud in the preceding 12 months (not identity theft, but actual fraud).
- The 2003 FTC survey said 27.3 million Americans had been victims of identity theft in the preceding five years.
- The annual cost of identity fraud in the U.S. was $52.6 billion ($47.6 billion to businesses and financial institutions and $5 billion in consumer victim out-of-pocket expenses), according to the Javelin report.
- About 3.25 million people a year found that someone opened an account in their name, obtained medical care or rented an apartment or home in their name. The existing accounts of another 6 million people were compromised, according to the Javelin study.
If we combine that information with the flurry of recent news reports about leaks that exposed sensitive personal and financial information, we might be led to believe that identity theft is largely driven by technological issues. But that’s only part of the story:
- The FTC and Javelin studies include traditional theft and use of private information in the survey, things like stealing a wallet and using the credit cards.
- Family members, friends and neighbors make up half of all known identity thieves; and they usually do it the old-fashioned way – such as taking wallets or snail mail or dumpster-diving.
Certainly, technology plays a significant role in the exposure of sensitive information and it’s a role that’s been getting a lot of attention recently; however, technology is only a part of the overall identity theft problem.
Obviously we aren’t concerned about exposures of identity thieves. We’re concerned about the exposure of legitimate companies that may be accused of not preventing identity theft or identity fraud.
From a third-party liability perspective, producers and buyers need to carefully review available forms because the coverage for security breaches and identity theft varies considerably even when available.Our random survey of 16 technology E&O forms found that 62 percent of them provided no coverage or only partial coverage in their base forms for what is often referred to as unauthorized access, unauthorized use and associated coverages. The coverage is more widely available in the base forms of internet E&O policies, where only 33 percent of the base forms reviewed provided no such coverage. See this previous posting for a more detailed discussion.