I blogged earlier on Joseph Menn’s excellent article concerning the various powerful interests that are trying to undo state laws that require businesses to give notice of security breaches. His article also has a peek into the financial support behind the various studies that have characterized the identity theft problem as overblown:
To press their case, companies and industry groups have testified and written to members of Congress and have underwritten studies that play down the threat of online identity theft.
In August, Indiana University law professor Fred H. Cate began circulating a paper arguing that some types of identity fraud were declining. Cate, a frequent congressional witness and widely quoted authority on data security, declared: “Information security breaches are among the least common ways that personal information falls into the wrong hands. In 2005, the most common source of personal information that resulted in an identity-based fraud, by a factor of two to one over any other category, was ‘lost or stolen wallet, checkbook or credit card.’ ”
A footnote attributed that statistic to its original source, a January 2005 study by Pleasanton, Calif.-based Javelin Strategy & Research. Javelin and several trade groups have trumpeted the finding for months, along with Javelin’s related conclusion that 72% of identify theft begins offline.
Cate failed to disclose that the relevant Javelin data came from the 54% of consumer fraud victims surveyed who said they knew how their personal information was taken. The remaining 46% had no idea.
Federal Trade Commission officials said this year that the latter group logically would include a much higher percentage of victims of major electronic security breaches, computer spyware and phishing, online come-ons that trick people into revealing their personal
The Federal Deposit Insurance Corp., which guarantees bank deposits, found the same fault with Javelin’s methods when the agency urged banks to do more to educate their customers on the risks of electronic transactions.
“The more technologically challenging the case, the less likely it is that the victim will understand the means of access,” the FDIC wrote in a report this summer. Javelin’s data “do not support the conclusion that ‘most thieves still obtain personal information through traditional rather than electronic means.’ ”
After a California privacy official complained to Cate that he hadn’t explained that his figures on where identity theft originates were only from victims who knew what had happened, he added that information in later drafts.
The Javelin study was funded by Visa USA, Wells Fargo & Co. both based in San Francisco and Norcross, Ga.-based online payment firm CheckFree Corp., all of which profit from Internet banking.[…]
Cate said…that his initial omission about the victim survey was an oversight. He stood by the rest of the paper.
This isn’t the first time Cate had an oversight concerning this important fact. In testimony last year in Congress, he claimed “The FTC’s September 2003, study on identity theft indicated that 76 percent of identity theft cases involved a friend, family member, coworker, neighbor or an employee of somebody who has lawful access to the SSN.”
Ed Mierzwinski of US PIRG and I quickly responded to this assertion, noting that it was:
not based on all identity theft victims. Instead, it is based on the minority of identity theft victims who knew the actual identity of the impostor…The correct figure certainly is not 76 percent, as Mr. Cate suggests. Rather, the FTC very clearly wrote that: “35% of the 26% of victims who knew the identity (or, in other words, 9% of all victims) said a family member or relative was the person responsible for misusing their personal information…23% of the 26% of all victims who knew the identity of the thief (or 6% of all victims) said the person responsible was someone who worked at a company or financial institution that had access to the victim’s personal information…Of the 26% who knew the identity of the person who took their information, 18% said the thief was a friend, neighbor, or in-home employee, while 16% said the thief was a complete stranger, but the victim later became aware of the thief’s identity. (These figures represent 5% and 4% of all victims respectively.)”
It’s funny how these neglected details accrue to the benefit of the moneyed interests. Menn suggests the reason:
Cate is a paid advisor to an organization called the Center for Information Policy Leadership, based at the law firm of Richmond, Va.-based Hunton & Williams, which published the paper. The center describes itself as “member-driven.”
Those members include Costa Mesa-based Experian Inc., one of the three major credit bureaus selling detailed financial information on consumers to other businesses, and LexisNexis Group, a unit of London-based Reed Elsevier, and Acxiom Corp., based in Little Rock, Ark. LexisNexis and Acxiom are two of the largest brokers of financial data in the country.