Major embarrassment has once again hit the U.S. banking industry, caused this time by a recently released report from the University of California’s Berkeley Center for Law and Technology, titled Measuring Identity Theft at Top Banks. The report illuminates the lousy job that financial institutions, telecommunications providers and other American companies have done in preventing identity theft. I downloaded and read the entire report, and was pretty disappointed to see that my credit card, telephone and Internet providers were among the top ten offenders.
In gathering information for the report, author Chris Hoofnagle was forced to resort to filing Freedom of Information Act (FOIA) requests with the Federal Trade Commission (FTC), since the companies under scrutiny do not willingly provide identity theft information. I’ve filed FOIA requests before, and I’m here to tell you, it is a major hassle. After almost eight months of cutting through red tape, Hoofnagle was finally able to obtain complaint data submitted by victims in 2006 to the FTC. He states in the report that the complaint data “identifies the institution(s) where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events.”
Since financial and other institutions are not generally required to reveal identity theft data to federal agencies or the public, consumers have no way of knowing the security history of those with whom they wish to do business. This prevents them from making informed choices and steering clear of those companies that have poor track records; it also stifles true competition. As the report points out, some financial institutions deliberately provide misleading information. For instance, one institution that has broadcast humorous commercials about its efforts to prevent identity theft (Citibank) ranks poorly for both overall number of identity theft events and relative incidence of the crime; check out youtube.com/watch?v=KERwnA8VfFM.
The top 10 offenders, and their average annual number of identity theft complaints are:
1. Bank of America: 13,404
2. AT&T: 9,156
3. Sprint/Nextel: 8,376
4. JP Morgan/Chase/Bank One: 7,356
5. Capitol One: 5,304
6. Citibank: 4,956
7. Verizon: 3,720
8. American Express: 3,636
9. Washington Mutual/Providian: 3,540
10. Wells Fargo: 3,144
Numerous other companies that did not make the top 10, but had significant security problems nonetheless were Dell, WalMart, Sears, Target, Discover and TMobile, showing from 1,920-3,036 identity theft incidents annually.
These numbers are probably low, as the FTC has found that most victims of identity theft do not report the crime to law enforcement authorities. Sadly, most companies view fraud as merely another cost of doing business and simply write it off as a business loss. Until they are legally compelled to reveal their poor identity theft and fraud track records, there will be little incentive for them to do a better job, and consumers will continue to be left in the dark, left holding the (empty) bag. In the mean time, I think I’m going to do some shopping around.