You own you: when identity thieves open an account in your name, it should be the bank's problem, not yours

Washington Monthly, Dec, 2005 by Kevin Drum

In 1995, a freelance editor in Washington, D.C., named Anne Meadows began a five-year nightmare when she got a call from an alert employee of BellSouth, who warned her that she had become a victim of identity theft. A year earlier, she learned, thieves had stolen her name, address, and Social-Security number from a government office, and that was all they needed to go on a binge. They had created fake IDs, cashed a government check made out to her, and applied for credit at several establishments in Atlanta.

That's bad enough. But the story gets even scarier because at this point, Meadows did everything she should have done. She called every business the ID thieves had tried to scam and told them not to extend credit to the impostors. She called First Union National Bank and told them not to let the thieves open a checking account. Then she contacted all three of the national credit reporting agencies and had a fraud alert put on her record to prevent the thieves from obtaining credit elsewhere.

None of it did any good. First Union opened a checking account for the thieves anyway, and they then went on a check-writing spree through Atlanta. An oil company gave them a credit card. TeleCheck, a check verification agency, tagged Meadows as a deadbeat when checks in her name started bouncing--they refused to clear her name unless First Union called them, but First Union refused to help. This lack of cooperation from the credit industry meant the problem took years to resolve: In January 2000, almost five years after Meadows had first found out about the ID theft, a bank employee loudly turned down her application to open an account "because of all those bad debts you left behind in Georgia."

Today, Meadows's problems are mostly over, but she still shudders when she remembers the experience. "I've had my house broken into and my car broken into," she says, "but nothing compared to this. Nobody did anything about it but me, so I kept on being repeatedly victimized. I was guilty until proven innocent."

It's common knowledge that the problem of identity theft is growing out of control. Two years ago, the Federal Trade Commission estimated that one in every 25 Americans is a victim of identity theft each year, netting a cool $50 billion for the thieves.

The dynamics of the process are all too simple. First, the thieves steal enough personal information--usually just a name and Social-Security number will do--to apply for a credit card in someone else's name. They can get this information from any of the countless institutions, large and small, that have access to personal data: banks, credit reporting agencies, credit card issuers, government agencies, universities, even doctors' offices. They might use an insider who works there--sometimes they pose as temps--or hack into the office database. Alternatively, the thieves set up scams that ask people to sign a phony petition or provide their information to a telephone pollster "for our records" Sometimes they just steal information from people's wallets or trash cans. Then, the thieves wield this information to apply for credit cards or other forms of commercial credit, which they use for buying sprees on someone else's tab. Since the subsequent bills are sent to a phony address, the victims are unlikely to discover what's happened until the day they're denied a loan because of all those unpaid credit card bills. By then, their credit report looks like Anne Meadows's, or worse.

Identity theft would be much harder--and the costs to victims much lower--were it not for the carelessness of the credit industry and of other institutions that handle personal data. Many institutions that handle sensitive personal data don't do enough to keep it safe. This year alone, there have been widely-reported security breaches at Time Warner, Bank of America, and data-brokers ChoicePoint and LexisNexis, involving the loss of personal information about millions of people. There's probably little that can be done to prevent thieves from getting information from doctors' offices, or from people's wallets, but it's currently far too easy for them to get it from large corporations or from institutions such as government agencies and universities.

In addition, credit-card companies and other credit lenders--banks, oil companies, and department stores, among others--rarely exercise significant oversight before signing up new customers. So, when thieves apply for a new credit card using pilfered information, they are rarely turned down.

Finally, and most devastatingly, credit-reporting agencies routinely add negative information to credit scores without checking whether all those unpaid bills might have been the result of identity theft. And they're slow and uncooperative when it comes to correcting their mistakes.

The credit industry and other data-handlers behave as they do bemuse in many cases, no one but the victim cares about identity theft. Despite the passage of ID theft legislation last year, institutions that handle personal data pay a very small price when that data is stolen. And when credit card companies and others offering credit fail to look adequately into applicants and end up extending credit to thieves, they also go largely unpunished.