I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio Lembo, Jr. and his associates. (So far; I see no reason to think this is the end of it. In fact, if this grows the way Lexis-Nexis did, it would seem reasonable to assume that sufficient personal information to commit fraud-by-impersonation, the crime usually called identity theft, against most of the population of New Jersey is in the hands of a crime ring.)
Whether or not it grows like that, the trickle of breach announcements that started with Choicepoint has grown to a stream. Soon, it will be a deluge, and it will change many things.
First, it will change the way credit is granted. Today, with a name and Social Security number, I may be able to get credit. If I add to that an address, phone number, or date of birth, I’m set. Some enterprising lawyer is going to look at the number of news articles about the fraud and the number of people whose personal information has leaked, and find a court that will agree that granting credit on nothing but data that has been leaked like that is careless, and that the costs need to be shifted from the consumer onto the bank.
What will replace it will likely be a scoring-based system, built on the odds that you are who you claim to be. Some people will suggest that a national ID card would help here, but they’re wrong. Any single factor that is used to loan money will be attacked, because that’s where the money is.
Secondly, such a change will put the banks between the liability rock and the money-laundering hard place. Banks are required by a raft of laws to know their customers (in practice, to spy on them) and to gossip about them to the feds with a set of reports that are already burdensome:
“Under the Bank Secrecy Act, banks fill out more than 13 million cash transaction reports annually,” said Rock. “In my area, many of these reports are filed for small businesses like delis, gas stations and flower shops, which have nothing to do with potentially criminal activity. The 35-year-old rules related to cash transaction reports have lost their usefulness due to several developments, including more extensive suspicious activity reporting.”
I would expect that the banks will push to be exempted from liability. This would be a mistake. Far better would be to stop spying on customers.
I expect that Congress will step in, but choosing a set of actions will be hard. Adjusting the availability and cost of credit is bad. Having a set of complex rules like the Financial Services Modernization Act is bad. Letting identity theft run unchecked is worse than either.
The best course of action is probably imposing liability on anyone who holds government-authenticated data on their customers; shrinking the set of organizations who need to (ideally to none); and providing a safe harbor for any organization that provides “best of class” help to victims of a breach of data that they held.
Congress being who they are, we’ll get the Identity Theft Mitigation Act of 2005, holding banks and credit agencies immune for their “well-intentioned” mistakes, a federal department of repairing your credit, and longer sentences for identity thefts committed within 500 yards of a school.
[Update: I was behind on Bruce Schneier’s blog. He covers this in “Massive Data Theft,” and points out the manual nature of the process. (I’ll add, how long it must have gone on.) But more interesting (to me) is a commenter’s question: “why is it that we never hear about this sort of problem in Europe?” The answer is California’s SB 1386, requiring disclosures of such breaches. After Choicepoint flubbed their announcement of a breach in February, a new standard for disclosure has emerged.]