The privacy crisis of the moment results from the outbreak of security breaches that has been a growing plague for the past two years. To review a list of recent breaches, visit the Web site of the Privacy Rights Clearinghouse .
That list begins with the ChoicePoint breach of February 2005 and continues through the Department of Veterans Affairs breach from May of this year. The ChoicePoint breach of 145,000 names is now a mere blip compared with the VA’s 28 million-name breach.
The Clearinghouse reports that the records of 85 million people have been exposed by security breaches. That’s more than 25 percent of the U.S. population. The actual number is higher – perhaps much higher – because no numbers are associated with many of the reported breaches.
There were security breaches before ChoicePoint, and there surely have been other breaches not announced or even known to data controllers. If we could put a number on all breaches and limited the population to people older than 12, we likely would find that records on well over half of the U.S. population have been the subject of security breaches.
Security breaches are the “new” problem. A more “classic” privacy problem is that of identity theft, a crime that seems to have grown in size and importance along with the Internet. It is difficult to calculate the number of victims. Identity theft has no agreed-upon definition, and reported numbers vary considerably. However, the number of victims is easily measured in the millions, perhaps tens of millions. It is hard to find anyone who does not personally know a victim of identity theft.
The extent to which these two problems are related is another matter in dispute. It is far from clear how many security breaches lead to cases of identity theft. It may be awhile before anyone can pin down good numbers.
Whatever the relationship is, however, a common response to a security breach is for the record keeper to provide free credit monitoring for breach victims. Credit monitoring immediately reports all changes and inquiries made to a credit file. The consumer can then assess whether the activity is a matter of concern. Industry, government and some consumer advocates see credit monitoring as a useful tool to limit identity theft.
What we have then is the same response to both security breaches and identity theft. Credit monitoring is useful for addressing actual security breaches as well as the possibility of identity theft. The value of credit monitoring is not limited to known victims. It has utility to those who are not known to be victims.
Here’s the modest proposal. Because large percentages of the U.S. population have been or surely will be victims of security breaches or identity theft, everyone should receive free credit monitoring.
If everyone had free credit monitoring, then there is a reasonable prospect that identity theft cases would be identified earlier. The costs of identity theft, which fall on credit grantors, merchants and consumers, should be reduced. On the breach side, if everyone had free credit monitoring, the scramble to provide new protection for victims would disappear. The importance of breach notices would diminish, and costs would go down. News stories would lose some of their edge because the principal remedy already would be in place.
Who should pay for credit monitoring services? We have a clear precedent from the Fair and Accurate Credit Transaction Act. This law, enacted by a Republican-controlled Congress and signed by a Republican president, requires credit bureaus to provide free annual credit reports upon request to consumers. The bureaus, which profit from selling consumer data, should pay the costs for monitoring, too. Given this political support for free credit reports, asking that credit bureaus pay to help consumers can’t be a radical idea.
I propose two limits to hold down costs. First, consumers would have to request the service. Not everyone would do so. Second, free monitoring would be available only via e-mail. Asking credit bureaus to send snail mail notices would be too expensive.
Who would really bear the costs in the end? The purchasers of credit reports, mostly credit grantors and merchants, might have to pay higher prices for the data. Because we largely have a credit reporting oligopoly – a market dominated by a small number of sellers – it would be difficult for buyers to avoid the higher prices by taking their business elsewhere. The savings from reduced identity theft would offset some or perhaps most of the costs.
Don’t think that credit bureaus would be hurt badly by having to provide free credit monitoring. They have used the free credit report requirement to obtain current information from consumers and, more importantly, to sell consumers new services like credit scores. I suspect that free credit reports have been a smashing financial success for the three major credit bureaus, the extra costs notwithstanding. I have no doubt that they would find a way to exploit free credit monitoring, too. Just having current consumer e-mail addresses would be extremely valuable.
I believe that consumers, merchants, credit grantors, data controllers of all stripes and even credit bureaus would benefit if U.S. consumers had free credit monitoring. It’s the next logical step in privacy protection.
