A Feeble Swipe at Identity Theft

| Mon May 24, 2010 1:02 PM EDT

The FTC has decided to lay down the law on identity theft:

The government says that businesses have the responsibility of making sure thieves don't use stolen information to buy goods or open phony accounts. And to that end, the Federal Trade Commission wants businesses that might be targets of identity thieves to develop written plans to spot "red flags" that fraud could be involved and prevent it.

...."Once the information is in the hands of identity thieves, there's not much more the consumer can do," said Naomi Lefkovitz, senior attorney for the FTC, which will oversee enforcement of the rule as it applies to many — though not all — businesses. "Now it's in the hands of the businesses."....A department store that issues its own credit cards, for example, would qualify as a creditor under the new rule, and would have to develop a plan, according to the FTC.

Ha ha. Just kidding. The FTC isn't laying down the law. What they're actually doing is requiring businesses to "develop a written plan for identifying signs of identity theft." That's almost as toughminded as, say, putting together a blue ribbon commission to write a report on the problem.

Here's a data point to ponder. In 1968 Congress passed the Truth in Lending Act. Among other things, it capped consumer liability for lost credit cards at $50. Guess what happened? Since credit card companies were responsible for all the losses above that amount, they got very aggressive and very creative at figuring out ways to minimize fraud. They made it as convenient as possible to report a lost card. They provided merchants with loads of tools to identify lost cards. They developed computer algorithms to detect usage patterns so they could proactively shut down fraudulent use. They worked really, really hard on this stuff.

In a nutshell, we made banks responsible for the losses, and banks figured out ways to prevent losses. It was the wonder of free market capitalism at work.

Now then, suppose credit issuers were responsible for the costs of identity theft? That is, if you're responsible for issuing a card or extending credit of any kind under false pretenses, you're responsible for the losses and you're responsible for cleaning up the mess. Period. No excuses, no safe harbors, no nothing. If you extend credit to someone named Kevin Drum with my Social Security number, and it turns out that it wasn't actually me you extended credit to, then it's your problem. You pay the charges, you cancel the cards, you clean up my credit report, you contact my bank, you do everything. The basic premise should be: it's your responsibility to make sure you're extending credit to the person you think you are. If you don't, it's your responsibility to fix the mess. And if you don't fix the mess, you'll be liable in court for substantial damages.

What do you think would happen if that was the rule? Easy: banks and credit issuers would miraculously discover that there are lots of ways to tighten things up. Instant credit might become less popular, replaced by having to apply for a card and wait a few days for approval. Credit reporting bureaus would offer their credit protection services for free. (In fact, they'd beg you to sign up.) Credit locking — in which you have to actively allow access to your credit report on a case-by-case basis — would become the default, instead of a hassle that few people take advantage of. And those nifty computer algorithms that have helped with credit card fraud would turn their gimlet eyes on identity theft as well.

Right now, the reason identity theft is such a pain isn't usually the money involved. Quite often, in fact, the amount of lost money is fairly modest. What makes it a pain is that, basically, nobody except you cares about it. You're responsible for contacting your bank, your credit card company, the credit reporting bureaus, and a dozen other firms, none of whom really care about your problem and wants only to pass you along to someone else as quickly as possible.

There's no reason we should put up with this. Responsibility should lie with those who are at fault. If you extend credit carelessly, you should clean up the mess. And it wouldn't even be that hard. Hell, if we merely mandated credit locking instead of making it optional, it would probably eliminate about 95% of all identity theft. Applying for credit might take a day or two longer than it does now, but is that really such a bad thing? Or, perhaps we could mandate credit locking by default, and allow you to unlock your account only if you agree to accept full personal responsibility for any identity theft that might ensue.

Instead we're getting "written plans." Blecch. Perhaps our shiny new Consumer Finance Protection bureau will be able to do a bit better once financial reform is passed and it gets up and running.