What is Identity Theft, exactly?

Fears and discussions of identity theft have increasingly flooded news sites and blogs in 2005, yet it is not always clear exactly what constitutes identity theft when data breaches and frauds are discussed. For example, the oft-discussed ChoicePoint data breach involved the fraudulent acquisition of over 145,000 people’s personal information, yet fewer than 1,000 individuals have been reported to have suffered any direct losses as a result. Back on February 18, Cox News Service reported that “the criminals collected enough financial data to begin buying everything from jewels to consumer electronics … at least 765 such crimes have come to light so far” (the article, “ChoicePoint boss keeps low profile amid crisis”, is available on Lexis/Nexis). So is it proper to say that 765 people were identity theft victims, or 145,000? The media has not particularly attempted to distinguish the 765 victims from the 145,000 exposed to risk. To the media, all have been victims of identity theft. Is this an accurate claim?

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

  • identity theft: unauthorized access to personal records;

  • identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ is how the misuse of an existing credit card is classified. If a criminal simply obtaining your existing credit card number and embarking on a shopping spree counts as identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.
