Should businesses work harder to thwart identity thieves?

Identity theft hit almost 10 million Americans in 2003 at a total personal cost of $5 billion. Businesses and financial institutions were also victimized at an estimated cost of $48 billion. Up to now consumers have viewed the businesses through which they have been robbed as unwilling accomplices; however, experts say that businesses are getting off too easily. When necessary –- to get defense contracts, for example -– businesses will invest in security protection. Information systems experts at the W. P. Carey School of Business suggest that the time may have come for regulators to insist that business afford the consumer equal protection.

The devastating effect of identity theft on a consumer's personal finances has been well documented in the mass media. Getting far less attention is the effect identity theft has on the businesses from which an individual's information was filched.

According to a survey conducted by the Federal Trade Commission, almost 10 million Americans said they were victims of some form of identity theft in 2003 at a personal cost of $5 billion. Identity theft losses to businesses and financial institutions that same year totaled $48 billion. The survey also found that in cases where thieves had opened new accounts, rented an apartment or home, or obtained medical care or employment using another person's identity, the loss to businesses and financial institutions was $10,200 per victim. In cases where the thieves only used a victim's established accounts, the loss to businesses was $2,100 per victim. For all forms of identity theft, the loss to businesses was $4,800 per consumer.

Then there is the intangible cost of losing a consumer's trust. In 2004, the marketing firm Yankelovich Partners released its The State of Consumer Trust Report. Among the findings, 89 percent did not believe that retailers were doing everything they should to protect personal information. Also, 32 percent were concerned that the personal information collected by a business would be hacked and used to steal their identities.

Testifying before the U.S. House Subcommittee on Financial Institutions and Consumer Credit in 2003, Joseph Ansanelli, chairman and CEO of Vontu Inc., an information security software company, warned that losing a consumer's trust would eventually lead to even more financial losses for businesses in the future. He further testified that in a survey conducted by the company, 50 percent of consumers said they would take their business to another company if they were not confident the business could protect their personal information.

"Clearly, financial costs and loss of consumer trust, as a result of identity theft, are what is at risk for business," Ansanelli told Congress.

While there are a number of reasons consumers lose confidence in a company, identity theft tends to have a more disturbing effect, said Robert St. Louis, professor of information systems at the W . P . Carey School of Business.

St. Louis says there are three dimensions of consumer trust. The first is benevolence, the belief of consumers that a company is going to be looking out for their best interests. Next is competence, in which consumers believe that a company is able to do what it says it can do. Finally, there is integrity, in which customers trust that a company will not go ahead and do something it promised it wouldn't.

"The one thing that is really devastating about identity theft is that it undermines all the dimensions of trust," St. Louis said. "Consumers think a company is not very competent, or it wouldn't have happened. There's always an implicit promise that it isn't going to happen so it throws you on integrity. And it certainly gets you on the benevolence in that they aren't looking out for your best interest if they are not taking care of your own privacy."

Still, despite the warnings and the studies, it's becoming apparent that the financial and trust losses of identity theft aren't enough to convince many companies to tighten their controls on consumers' personal information.

"Absent of any evidence that consumer outrage leads to a decline in future sales, the cost to companies of just doing what they are doing now is the cheaper way to go than investing in technology that makes it harder to be hacked," said Paul Steinbart, also professor of information systems at the W . P . Carey School.

True, hackers are getting more sophisticated and are seemingly always two steps ahead of the latest protection programs, but Steinbart says that is a flimsy excuse for companies to hide behind when consumers' personal information is compromised. He points to companies with Department of Defense contracts which have made the significant investments needed to protect sensitive information from being hacked.

Identity theft isn't just relegated to cyberspace. In fact, studies have found that most identity theft and fraud comes from plain, old-fashioned thievery such as stolen credit cards and paper mail, dishonest employees or misrepresentation. Ameritrade and Bank of America recently reported the disappearance of data tapes, prompting the federal government to take action.

In March, the FDIC, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Office of Thrift Supervision issued new guidance on such thefts. The agencies declared that when a financial institution becomes aware of any unauthorized access to a customer's personal information, the company should conduct a "reasonable" investigation to determine whether the information has or will be misused. If the company determines that the information has or will be misused, the customer should be notified "as soon as possible."  However, the notice can be delayed if law enforcement agencies say it will interfere with any of their investigations.

Again, Steinbart said it's up to companies to take care of the paper trail as well as what's in the computer. "Businesses need to implement procedures to securely dispose of all paper documents that contain personal information about customers."

Steinbart also thinks that stricter regulations concerning unsolicited credit offers may be needed. "A significant amount of identity theft comes from unwanted junk mail," he said. "Why should it be consumers' responsibility to shred such junk mail?  Make companies responsible for all of the costs associated with restoring your good name."

Despite the contention that companies should be doing more to protect consumers and bear more of the responsibility in helping them clear their names, there has not been a surge in consumer backlash against corporate America as a result of identity theft.

Benjamin Shao, assistant professor of information systems at the W. P. Carey School, says that surprisingly, consumers tend to look at corporations as unwilling accomplices of wily identity thieves. As a result, he said, consumers will direct most of their anger and frustration at the unknown thief rather than the company. Or, he wryly observes, consumers may be too preoccupied getting their good names back to take on the company.

Absent steep financial losses and a groundswell of consumer anger, both Shao and Steinbart agree that stricter government intervention may be the only way to persuade companies to guard customer information more vigilantly.

"Businesses in general are not held responsible. They don't suffer from a bad reputation at all," Shao said. "Maybe the regulations have to push some responsibility onto the business side in order to change the culture and the mindset."

Currently, three laws provide most consumer protection in this area. The Identity Theft and Assumption Deterrence Act, passed in 1998, makes identity theft a federal crime. The Fair Credit Reporting Act requires that credit reports only be provided for legitimate business needs. The Gramm-Leach-Bliley Act imposes privacy and security obligations on a generally defined group of financial institutions.

Steinbart proposes a Sarbanes-Oxley approach to the issue. Congress passed the Sarbanes-Oxley Act in 2002 in response to several high-profile corporate accounting scandals. The legislation, in part, makes executives responsible for the veracity of their financial reports, and requires an evaluation of internal controls and an audit of the evaluation.

Tougher identity theft legislation, Steinbart said, should require companies to follow certain guidelines if they insist on obtaining and storing sensitive consumer information. If that information is lost or stolen, Steinbart said companies should have to show that guidelines were followed and all reasonable precautions were taken.

"It's raising the bar so companies have security equal to what defense contractors have," he said. "If they don't, then fines should be very high and maybe have a provision to make executives liable."