Study Finds Data Breach Laws Have Only Marginal Effect on Identity Theft

Sasha Romanosky, Rahul Telang, and Alessandro Acquisti, all of Carnegie Mellon, have co-authored Do Data Breach Disclosure Laws Reduce Identity Theft?  Here's the abstract:

Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce identity theft, their full effects have yet to be empirically measured. We use panel from the US Federal Trade Commission with state and time fixed effects regression to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2007. We find that adoption of data breach disclosure laws have a marginal effect on the incidences of identity thefts and reduce the rate by just under 2%, on average. While this effect is marginal, reducing identity theft is only one means by which these laws can be evaluated: we appreciate that they may have other benefits such as reducing the average victim's losses or improving a firm's security and operational practices.

Phony Consumer Protection Watch: Is § 1681s-2(a) of the Fair Credit Reporting Act an Example of Phony Consumer Protection?

by Jeff Sovern

We blogged here about phony consumer protection statutes, statutes that are designed to create the illusion of consumer protection, perhaps so legislators can claim to consumer-constituents that they are attending to a problem, but without the reality, maybe so legislators can satisfy business interests and obtain political contributions.  At least one section of the Fair Credit Reporting Act seems like a plausible example of such phony consumer protection for several reasons:  § 1681s-2(a), dealing with the obligation of furnishers of information to credit bureaus (typically, lenders) to furnish accurate information. 

First, it's a difficult statute to decipher.  If consumers can easily understand a statute. it's a poor candidate for phony consumer protection, because it won't deceive anyone.  But complex statutes can more readily conceal defects.  Just how hard is the FCRA in general, and § 1681s-2(a) in particular?  On Wednesday we covered § 1681s-2(a) in class,  Our casebook walks students through it in text.  It also poses a problem on the provision, both to highlight the section and in the hope that students will come into class having worked it out for themselves.  Nevertheless, my students. many of whom appear to be quite smart and who have been able to understand other consumer protection statutes without much difficulty, really struggled with this one.  We had to go over it several times.  If second and third year law students find it hard to understand with the statute in front of them, the issue flagged for them by a problem, an explanation in a text, and my oral explanations, how likely is it that consumers will figure it out?  (I prefer not to think that I was the cause of my students' confusion).

Second, many FCRA provisions, including § 1681s-2(a), cannot be enforced by private claims. In fact, just in case someone didn't figure that out the first time Congress said it, they said twice that there's no private claim to enforce § 1681s-2(a), in both § 1681s-2(c) and (d).  So if a lender violates § 1681s-2(a), the lender need fear only enforcement by governmental agencies.  Given funding for governmental consumer protection agencies, that doesn't seem likely to happen as often as violations of the provision.

The third reason has to do with the content of § 1681s-2(a).  Subsection (a)(1)(a) provides "A person shall not furnish any information relating to a consumer to any consumer reporting agency [i.e., a credit bureau] if the person knows or has reasonable cause to believe that the information is inaccurate."  That seems clear enough.  Subsection (a)(1)(D) even offers a definition: "The term 'reasonable cause to believe that the information is inaccurate' means having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the accuracy of the information."  So if an identity thief fills out an application for credit and puts down the wrong address, say, the creditor should not report that as the consumer's transaction unless the creditor does some checking.  I happen to think the standard for accuracy imposed on creditors should be higher than that, but if you disagree with me, well, at least we have a standard that imposes some obligations on creditors. 

But now we get to the part that threw my students. Subsection (a)(1)(C) says the standard I just described doesn't apply to furnishers of information who clearly and conspicuously specify to consumers an address for inaccurate information.  Then the standard becomes that once the creditor is told of an inaccuracy, it can't supply inaccurate information.  In other words,as long as lenders give consumers an address to report inaccurate information, they don't violate the statute even if they give a credit bureau information that a reasonable person would have substantial doubts about, unless someone has told them outright that the information is inaccurate.  And of course, even if they violate this provision by supplying inaccurate information once they've been notified of the inaccuracy, there's still no private claim.

Now there may be creditors that don't supply consumers with an address for inaccuracies.  I don't know of any, but I certainly haven't canvassed the lenders of America.  Somehow, though, I suspect all credit card statements, for example, include customer service contact information for problems. 

So notice what happened with this provision.  It gives legislators who voted for it the ability to tell their constituents that they got through a statute that bars lenders from reporting information that a reasonable person would have substantial doubts about, but it gives lenders an out against having that provision applied against them.  And if something goes wrong, there's no private claim anyway. 

Is this an example of phony consumer protection?  I don't honestly know, because I don't know what Congress's goals were in enacting it, or what was in their minds.  But I sure wonder.  If Congress just wanted lenders to supply an address for problems, all they had to do was require that.  They didn't have to impose an accuracy requirement that lenders could ignore.  So why impose it?  § 1681s-2(e) does provide for regulators to fill in the accuracy standard a bit in regulations, but again, Congress could have enacted that subsection without also enacting a subsection that could easily be gotten around.  Does anybody know a reason for passing 1681s-2(a) other than to give legislators the ability to say they've struck a blow against inaccuracies by creditors?  But here's one thing we do know: as we blogged about here, identity theft is up.  One cost of phony consumer protection is that the problem doesn't get solved.

FTC Releases Annual Consumer Complaint Tally, Debt-Collection Reports

by Deepak Gupta

The Federal Trade Commission today released its annual tally of consumer complaints. For the ninth year in a row, identity theft was the number one consumer complaint category. Of 1,223,370 complaints received in 2008, 313,982, or 26 percent, were related to identity theft. The next-largest category, clocking in at 9% of all complaints, was debt collection. The FTC receives more complaints about the debt-collection industry than any other industry. You can view a summary of the results here, and a detailed report on the data, including geographical statistics, here.

The FTC also released two important reports on debt collection practices--a report on a workshop held last year to mark the 30th anniversary of the Fair Debt Collection Practices Act and the Commission's annual report to Congress on enforcement under the Act.  The workshop report, titled Collecting Consumer Debts: The Challenges of Change, makes several specific recommendations for amendments to the FDCPA and raises questions about abusive collection litigation practices and the use of mandatory binding arbitration.

• Give FTC Rulemaking Authority: The report recommends that Congress give the Commission authority to issue rules under the FDCPA.
• Increase Statutory Damages: The report states that private actions, not FTC actions, were intended by Congress to be the primary means of promoting industry compliance with the FDCPA, and notes that the amount of statutory damages (up to $1,000) that consumers can obtain in lawsuits under the FDCPA has not changed since 1977. To increase deterrence, the report recommends increasing the damage amounts to reflect inflation since then, and, in the future, to increase them periodically.
• Information Flow:  Require that collectors have better information, making it more likely that their efforts will be for the right amount and be directed to the right consumer.

• Validation Notices & Reasonable Investigations: Require that collectors provide consumers with better information explaining their rights under the FDCPA, including (1) that the “validation notices” that collectors are required to send to consumers also disclose the name of the original creditor; break down the debt by principal, total interest, and total fees; and inform consumers of certain rights they already have under the FDCPA and (2) that collectors conduct “reasonable” investigations responsive to the specific dispute the consumer raised.

• Adjustments for New Technology: Modernize the law to reflect changes in technology, including prohibiting collectors from contacting consumers via their mobile phones, including by text messaging, without prior express consent; and requiring collectors who use new payment technologies to obtain express verifiable authorization from consumers before accessing their accounts.

Debt-Collection Litigation and Arbitration Practices: The report recognizes that "certain debt collection litigation and arbitration practices appear to raise substantial consumer protection issues."  Among other things, the report cites Public Citizen's report, The Arbitration Trap, on the use of arbitration as a debt-collection mechanism. The report makes no definitive recommendations on arbitration and litigation, but instead announces that the FTC will convene regional roundtables this year with state court judges and officials, debt collectors, collection attorneys, consumer advocates, arbitration firms, and other interested stakeholders to learn more and develop possible solutions.

Times Reports on Identity Theft Risks, Foreclosure Crisis, Privacy Policies, and More

by Jeff Sovern

Lots in the Times this week on consumer law issues, so here goes.  Tomorrow's Times will include Bob Tedeschi's Mortgages column, Your Financial Data: How Safe is it? about a Wolters Kluwer Financial Services of Minneapolis survey that found that many smaller lenders transmit consumer financial data in unsecure email, thus exposing borrowers to the risk of identity theft. Meanwhile, today's Times had a story, Some Banks Will Put Off Foreclosures Until March, while they wait for the Obama administration plan, about which Alan blogged earlier today. The Times had a brief story about the Obama administration's attempts to develop such a plan yesterday.

Yesterday the Times also published Agency Skeptical of Internet Privacy Policies.  Here's an excerpt:

The Federal Trade Commission had some sharp words for Internet companies Thursday, saying that they are not explaining to their users clearly enough what information they collect about them and how they use it for advertising.

For now, the commission is sticking to its view that the Internet industry can voluntarily regulate its own privacy practices.

But the tone of the report, and comments by several commission members and staff officials, indicated that if the industry does not move faster, the agency would increase regulation or call for Congress to legislate stricter online privacy rules.

* * *

Ms. Harrington challenged Internet companies to explain what they are doing in a section other than its privacy policy.

The commission did not specify what sort of notice companies should give, but it noted that some have proposed methods that are more visible to the average user, like a link right on each advertisement that leads to an explanation of what data the advertiser collects and uses.

“This is about advertising, so these people ought to be creative,” she said.

“We know advertisers can get their messages across when they want to. They darn better want to get this message across: ‘This is what we are collecting and this is how we are using it.’ ”

Thursday's issue included a story about a crime that may become a sad sign of the times: Philadelphia Grand Jury Says Crime Ring Fraudulently Sold 82 Houses.  The ring sold unoccupied houses, thereby injuring both the current and putative owners.   

Wednesday brought A Pill That Promised Too Much about the settlement reached between the FDA and attorneys general with Bayer over allegedly deceptive advertising of the birth control pill, Yaz.  Those using our casebook this semester will be pleased to see that the settlement includes corrective advertising, something discussed in chapter one. 

New Javelin Report Finds 22% Increase in Identity Theft Victims

by Jeff Sovern

Javelin's latest identity fraud survey, released yesterday, contains, at best, mixed news on the progress made in preventing and detecting identity fraud.  Here's the first paragraph of the press release:

The 2009 Identity Fraud Survey Report – released today by Javelin Strategy & Research (www.javelinstrategy.com) – confirms that the number of identity fraud victims has increased 22 percent to 9.9 million adults in the United States, while the total annual fraud amount only increased slightly by seven percent to $48 billion over the past year. The report found detection and resolution efforts are working well—consumers and businesses are detecting and resolving fraud more quickly. As a result the mean consumer costs of identity fraud plummeted by 31 percent to $496 per incident in 2008. The study also found that women were 26 percent more likely to be victims of identity fraud than men this past year.

So what does this say about the effectiveness of the 2003 FACTA Act, which was aimed in large part at identity theft?  It's too soon to be certain, but so far FACTA does not seem like an adequate solution to the problem of identity theft.  There are at least three reasons it's hard to be certain. First, many of the regulations FACTA directed regulators to draft took years to produce and become effective, so it's probably too soon to evaluate them.  Second, the state of the economy is likely to have driven more people to take up identity theft, and that alone may be responsible for some of the increase.  And third, because some of the FACTA provisions increase the likelihood that identity theft victims will learn about the crime more quickly, it may be that some of the increase in consumers reporting their victimization is in part a function of earlier or increased awareness that identity theft has occurred (the Javelin study is based on telephone interviews).  So it's too soon to give up on FACTA, but so far FACTA is not looking promising as an identity theft preventative.  

Where FACTA seems likely to have succeeded is in reducing the mean losses caused by identity theft.  For example, the fraud alert provisions and rules requiring credit bureaus to provide consumers free annual credit reports--which may have helped consumers detect identity fraud more quickly--might have contributed to the reduction in mean losses.  But then again, perhaps some of the reduction in losses is attributable to greater public awareness of identiy theft.  Reducing the average loss caused by identity fraud is a worthy accomplishment, but less worthy than preventing the losses in the first place.  My own view remains that the best way to prevent identity theft from occurring is to impose liability on credit bureaus and furnishers of information for reporting errors, to give them an incentive to improve accuracy, as stated in The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 University of Pittsburgh Law Review 343 (2003) (as I mentioned in a post on Sunday).

Debt Collector Uses Consumer's Debit Card Information for Spending Spree

The Buffalo News reports here about a debt collector who persuaded a consumer to provide him with her debit card information and then ran up nearly $2,000 of charges on her account.  He later asked the debt collection agency for his pay check!  With issues involving identity theft, debt collection, fraud, payments, and possibly credit reporting, the story would make a good exam question (hat tip to Gina Calabrese).

Times Reports on Housing Bill, Identity Theft, and Student Loans

Here is the Time's report in today's edition on the Senate passage of the housing bill; it now goes to the President for signature.  On Friday the Times ran "A Housing Bill That Has Something for Nearly Everyone" which summarized the features of the bill.  An excerpt from the part of the article about the foreclosure issues:

Part of the bill is devoted to the creation of a program that may allow some people to cancel their old mortgage loans and replace them with new fixed-rate loans lasting at least 30 years. The amount of the new loans would be no more than 90 percent of what their property is actually worth now.

So who is eligible? You need to have originated your troubled loan or loans on or before Jan. 1, 2008. The loans in question must be on your primary residence. Vacation homes and investment properties are ineligible. You will also need to verify your income, which many borrowers did not have to do in recent years.

Also, as of March 1, 2008, your monthly housing payment (including the principal on all your various mortgage payments, interest, taxes and insurance) has to have been at least 31 percent of your monthly household income. So if you were earning $5,000 a month and had housing payments of $3,000, you are eligible. But if you had payments of just $1,400, you would not be, presumably because that loan is affordable given the size of your income.

Lenders, however, are not required to give you a better deal under the new law, even if you do meet the qualifications. They may not be willing to negotiate unless they think you are truly on the cusp of foreclosure.

The bill contains other restrictions.  Some critics think that few borrowers will end up taking advantage of it.  Other aspects of the bill change the rules for reverse mortgages, redefine jumbo loans for purchases by Fannie Mae and Freddie Mac, and change tax rules.

Bob Tedeschi's Mortgages column in today's Times reports that "Thieves Tap Into Home Equity" about a report from the Identity Theft Assistance Center that identity thieves are targeting consumers with good credit records "because such people often have substantial untapped home equity."  The article also notes the effect of the subprime crisis on identity theft:

Now that lenders have vastly tightened their lending criteria, criminals who specialize in mortgage fraud have little choice but to move upstream and seek out victims with good credit.

A particularly troubling article yesterday titled "How Shopping Around Can Cost You" reports on how students shopping around for student loans can end up paying higher interest rates. That's because when student apply to different student loan companies, the companies obtain the students' credit reports, and the repeated inquiries can lower credit scores.  Fair Isaac does not drop credit scores when consumers shop around, and therefore trigger multiple inquiries, for mortgages and car loans, but Fair Isaac does not have the same arrangement for student loan applicants.   Fair Isaac doubts that the repeated inquiries actually damage credit scores.  Personally, I'm constantly amazed at how little regulation we have of credit scores.

Should Victims of Data Breaches Be Able to Recover Absent a Showing of Identity Theft?

by Jeff Sovern

Most courts have rebuffed suits by consumers against companies that suffered data breaches when the consumers could not show that they had been victimized by identity thieves. For example, in Bell v. Acziom Corp., 2006 WL 2850042 (E.D.Ark. 2006), the court found that the plaintiff lacked standing when she alleged that defendant’s failure to prevent the breach of security had “jeopardized her privacy and left her at a risk of receiving junk mail and of becoming a victim of identify theft.” The court observed that “Plaintiff does not know whether her name and information were contained within the databases stolen by Levine. More than three years after the theft, Plaintiff has not alleged that she has suffered anything greater than an increased risk of identity theft.”

But Ruiz v. Gap, Inc., 540 F.Supp.2d 1121, 1126 (N.D. Cal. 2008), is a recent case going the other way.  After Ruiz applied for a job at the Gap, a Gap contractor lost two laptops containing Ruiz’s Social Security number and other personal information. Ruiz sued in negligence, among other claims, arguing that as a result of the loss he faced an increased risk of identity theft. The court denied the Gap’s motion to dismiss the negligence claim, finding that Ruiz had standing, but noting that it “is far from clear what damages, if any, Ruiz will be able to recover if he eventually prevails on his negligence claim.”  We don't know what will happen at the summary judgment stage, but this is more encouragement than most consumer-plaintiffs whose data has been compromised have received.  Will consumers eventually be able to recover for anxiety caused by breaches?  Because the data of a great many consumers has been compromised, if courts start allowing recovery for the increased risk of identity theft when no identity theft has occurred, businesses (and universities too, for that matter) face enormous exposure.  Of course, that exposure would increase the incentive to be careful with consumer data. 

Credit Card Truncation Cases and Annihilating Damages

by Jeff Sovern

The credit card truncation cases raise an issue of what to do about potentially annihlating damages.  First, a review: in 2003, when Congress enacted FACTA, it added to the Fair Credit Reporting Act a new provision, §1681c(g), which prohibits retailers from printing on receipts more than the last five digits of a credit card or the card’s expiration date.  The statute gave most retailers three years to comply, but many did not take advantage of that window. In fact, when the statute went into effect, many retailers were surprised by class action suits seeking significant damages under the FCRA.  Last month, Congress passed the Credit and Debit Card Receipt Clarification Act, which added a provision to §1681n which prevents consumers from obtaining statutory damages for willful violations of the provision barring printing of the expiration date, but does not affect damages for printing the full card number.  So consumers who can show a willful violation can still recover statutory damages for receipts which included the full card number, and the statutory damages for a willful violation can be substantial: at least $100 and up to $1,000.  A retailer whose sales typically are much less than $100 might be put out of business by such an award in a class action.  To make matters worse, in many cases consumers won't even be damaged by the printing of a receipt with their credit card number.

So what are courts to do?  One option is to refuse to certify a class on the theory that, under Federal Civil Rule 23(b)(3), a class action is not superior to other available methods for the fair and efficient adjudication of the controversy.  That approach has a long history in consumer law.  To quote our casebook at page 785-86:

In the landmark case of Ratner v. Chemical Bank New York Trust Co., 54 F.R.D. 412 (S.D.N.Y.1972), United States District Judge Frankel denied class certification in a TILA case because the potential $13 million award (130,000 credit card holders each receiving the $100 minimum penalty) “would be a horrendous, possibly annihilating punishment, unrelated to any damage to the purported class or to any benefit to defendant, for what is at most a technical and debatable violation of the Truth in Lending Act.”  Other courts followed Judge Frankel's lead, and TILA class actions were becoming scarce.

Data Breaches Increase; FTC to Survey ID Theft Victims on Use of FACTA Rights

by Jeff Sovern

The FTC has announced that it will survey identity theft victims about "their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights."  It is seeking comments from the public on

(l) whether the proposed collections of information are necessary for the proper performance of the functions of the agency, including whether the information has practical utility; (2) the accuracy of the agency’s estimate of the burden of the proposed collections of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.

Meanwhile, the Identity Theft Resource Center reports that  "[b]etween January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The actual number of breaches is likely even higher, due to underreporting and the fact that some of the breaches reported as a single event actually affected multiple businesses."

Of course, the available evidence suggests that many data breaches have not resulted in identity theft--but some have.

(HT to the Electronic Privacy Information Center).