Superconductor

The biggest reason that data breaches are a problem is that the sensitive data that they expose can be used for identity theft. According to the analysis by legal scholar Lynn LoPucki in “Human Identification Theory and the Identity Theft Problem,” the reason that identity theft causes so much trouble can be traced back to the Fair Credit Reporting Act. Here’s why he claims this:

The impersonated victims in these scenarios are not liable for the obligations incurred in their names. Thus, the resulting credit reports are false. Nevertheless, those victims have no legal remedy for the false reporting if the credit-reporting agency followed “reasonable procedures.” Federal law exempts both creditors and credit-reporting agencies from liability for their false statements about the victims of identity theft.

He then says

The credit-reporting agency’s only duty is to “reinvestigate” – if and when the person reported on demands it. In practice, the credit-reporting agency “reinvestigates” by sending the victim’s complaint and the disputed information to the creditor who initially furnished the information. The creditor who reconfirms false information is theoretically liable for its error. To activate this duty, however, the consumer must furnish the same information twice – once top the credit-reporting agency to force reinvestigation and a second time to the creditor “at the address specified” to alert the creditor to its error. And even a victim who has furnished the information to both still has no direct remedy against the creditor for repeating the falsehood. Only certain federal or state agencies can seek a remedy, and, for various reasons, none is likely to do so on the complaint of a particular victim.

Thus, shielded from liability, creditors and credit-reporting agencies who have misreported on an impersonated victim remain in a position of power with respect to that victim. The victim desperately needs to correct the records of the creditors and credit-reporting agencies involved so that he or she can obtain or preserve credit. The creditors and credit-reporting agencies, by contrast, need only maintain procedures sufficiently reasonable to avoid the wrath of public enforcement agencies.

In other words, the FCRA makes it unnecessarily difficult for consumers to deal with the problems that identity theft causes because the very creditors and credit-reporting agencies that they need to deal with to do this have no incentive to help them resolve these problems.

There’s lots of talk these days about what the government should or should not do about data breaches and the identity theft that it causes. Perhaps fixing the system that they caused by the FCRA would be a good first step.