researchHQ’s Key Takeaways:
- As the dissemination of personal data harvested by companies continues to grow, the risk of identity fraud has reached new heights.
- While the responsibility for identity theft recovery generally falls on individuals, it is often companies that are responsible for the mishandling of data that caused the incident.
- Stakeholders within corporations and government institutions have an obligation to prevent victims from bearing the brunt of identity theft.
- Despite resistance, many companies are increasingly acknowledging this responsibility and taking steps to implement stronger protection measures.
Still misunderstood by many as a “victimless” crime, identity theft is often personally devastating, causing both economic and emotional suffering. It may take months or even years for the innocent to reclaim their lives—and the problem never fully goes away. Identity crimes have a lifelong impact, with one violation generating a domino effect throughout victims’ lives and on larger society as a whole.
I recently sat down with Eva Velasquez, CEO of the Identity Theft Resource Center, for the first episode of Ping’s podcast Hello, User to talk about the tremendous costs of identity theft. In “How Can Identity Theft Victims Be Made Whole Again?,” we discuss the perpetual nature of digital identity, the emotional and financial toll of identity theft on its victims, and the inconsistencies of cybersecurity approaches businesses use to protect their users from fraud. Here are the highlights of our conversation.
Takeaway #1: There is no such thing as a victimless crime when it comes to identity theft and fraud.
“Just because a bank makes you whole because of a fraud committed against your account, doesn’t mean that it was victimless.”
If you take just one thing away from this blog post, please let it be this: There are true identity theft victims, people hurting as a result of bad actions in the digital world, and it is happening far too often. As a society we have this notion that identity theft is a victimless crime that disturbs a credit card or bank account, with little impact on the people involved.
But it doesn’t work that way. The process for making victims whole is inherently flawed, and they are often left both financially and emotionally damaged. The mental trauma that these individuals experience is similar to what violent crime victims experience, with about 10% saying it was so devastating that they felt suicidal last year.
As for the financial costs, no one is waving a magic wand and wishing them away. In many cases, the victim isn’t fully compensated, through no fault of their own. Perhaps they didn’t detect the fraud within the window required for reporting it to their card company, or maybe their claim is disputed because of an action they took. (“Hey, you clicked that link and gave your information to the scammer. Therefore you are culpable and have some level of responsibility.”) Even if a victim is eventually made whole financially, we all pay when bad actors do bad things to individuals in the consumer and citizen space.
Takeaway #2: The more data that’s out there, the more our risk increases.
“There’s a person behind every single one of those data points and those fraud rates, and they need to have a voice.”
An immense amount of personal data is collected on human beings—exact figures are unknown, but estimates are that the “big four” online storage and service companies of Google, Amazon, Microsoft and Facebook alone store at least 1,200 petabytes of data among them—and data harvesting continues at an astounding volume. That data never goes away. It doesn’t expire, it doesn’t age. It doesn’t even get wiped off the record when you pass away. Bad actors find every piece of this information valuable in assembling a fake person.
Part of the challenge in preventing identity theft is that our personally identifiable information (PII) is seemingly everywhere. The use of our credentials in authentication and verification is pervasive, and we continue to add new methods. For example, just a handful of years ago many people saw biometrics as Big Brother-ish, but now it is being much more widely adopted. As we add new data about ourselves, the expanding notion of identity and the credentials that go into it increase the risk surface for everyone. (Addressing this risk is outside the scope of this post, but I’ve written and spoken extensively on how companies can create true security for their users’ digital identities.)
Takeaway #3: Responsibility for identity theft recovery shouldn’t fall on individuals, but it does.
“It’s only within the extreme examples that we see all the true fractures and breaks in the process.”
I’ve spent 20+ years in the corporate world running identity for huge enterprises, and I believe strongly that companies (particularly here in the United States) push the actual risks from aggregating data and the actual consequences suffered as the result of their bad management onto the individual.