Tuesday, December 06, 2005

Shifting the risk and imposing statutory damages in identity theft cases

Kevin Drum, in Washington Monthly, has an interesting proposal for shifting the risk of identity theft from consumers (and the victims) to the credit granting establishment. Just as congress pushed the risk of credit card fraud onto the industry through the Truth in Lending Act, forcing the industry to be creative in fighting fraud, the same should be done with loss of customer information and fraudulently-obtained credit:

"You Own You " by Kevin Drum:

...The same method should be used for identity theft. There's no need to create mountains of regulations, which are uniformly despised by the credit industry. Instead, simply make the industry itself—and any institution that handles personal data—liable for the losses in both time and money currently borne by consumers. The responsible parties will do the rest themselves.

How would this work? Congress could assign specific minimum values—statutory damages—for each of the acts associated with identity theft. Extending credit without conducting adequate background checks, or issuing a faulty credit report thanks to undiscovered theft of identity, might be worth $10,000 per incident. Losing someone's personal information in the first place might be worth less—perhaps around $1,000—since only a small percentage of cases of information loss ultimately lead to a full-fledged theft of identity.

The establishment of statutory damages would allow consumers to bring personal or class-action lawsuits for any of these transgressions. (Currently, such suits are difficult to win because breaches of privacy are extremely hard to value—some courts even flirt with the notion that privacy has no value at all.) And consumers would not need to show that those responsible for the theft acted negligently. When your money is stolen from a bank, the bank is liable no matter how diligently it tried to protect it. That's why banks take care of your deposits. If the credit industry and other data-handlers knew that the legal system would hold them responsible for extending credit to impostors, issuing inaccurate credit reports, or losing data, you can bet they'd figure out better ways to stop those things from happening.

The beauty of this solution is that by giving the credit industry a financial stake in solving the problem, it uses market-based self-interest rather than top-down federal mandates. Instead of relying on a regulatory agency to levy fines—or not levy them, depending on the administration—it gives companies an incentive to change their behavior. Under this plan, credit agencies would no longer charge consumers for “credit protection” services. Rather, they would beg consumers to make use of them, free of charge and with maximum ease of access. Credit issuers and other businesses that offer credit would quickly stop opening up new accounts without adequate background checks. And companies that handle personal data would finally get serious about implementing effective safeguards....

Thanks to Overlawyered for the link.

No comments: