A Challenge for the President

What the Obama Administration needs to do about identity theft

January 2009

Not since Franklin Delano Roosevelt inherited the Great Depression in 1933 has a new U.S. president faced such trying economic circumstances. The challenges are severe: among them, two wars eating up the federal budget, unprecedented corporate bailouts and staggering job losses. If past trends provide any indication, this could bode poorly for U.S. crime rates, which some sociologists believe will increase in response to the nation’s economic ailments. But while the relationship between the economy and criminal trends is subject to debate, few researchers expect a drop in rates of identity theft any time soon. For years, the crime has been on the rise. The new FTC-imposed security requirements for businesses, the “Red Flag Rules,” designed to help detect, prevent and mitigate occurrences of identity theft, become effective in May, but their impact remains to be seen.  So as non-profit groups, private businesses and law enforcement agencies providing identity theft assistance enter this new year, they’re looking to the new administration for leadership. The federal government can play a prominent role in the fight against identity theft, with sweeping strokes of policy that can affect entire industries and the law.

We spoke to three thought leaders who’ve studied the identity theft issue about what they believe the Obama administration could do in 2009 to fight identity theft.

Here are their ideas...


Jay Foley has been studying the identity theft issue for more than a decade through the Identity Theft Resource Center, the non-profit organization he runs with his wife, Linda. Over the course of these years, he’s witnessed the victimization of two groups that really, if you think about it, would appear to be unlikely targets. 

The first group is children. The second: the deceased. 

Yet these demographic groups, neither of which would have any ostensible use for credit, are routinely hit: kids barely old enough for arithmetic signed up for credit card accounts; deed transfers in a deceased person’s hand. The stories are absurd. Funny the government hasn’t figured out an effective way to curb the problem. Can it? 

Let’s start with kids. One of the reasons it’s comparatively easy to open new accounts in a child’s name is that a child typically has no credit report to begin with, so there’s no record to which an identity thief must conform or even consider; the thief gets to start from scratch, using a child’s Social Security number, birth date and contact information pulled from his imagination. Foley’s proposal: Preemptively create a record for all children under the age of 17 years, 10 months of age and house it in a digital repository. Foley even already has a name: the “1710 database.”  The database would contain the name, Social Security number and month/year of birth of every child. Potential creditors would check it when applications are received. 

Foley says, “The screening process would eliminate a large percentage of the fraud that goes on in the United States today. Utility providers are hit by identity theft and fraud on a regular basis because mom and dad...didn’t pay their bill. Now they’re ducking out and are going to set up utility services in junior’s name. [The 1710 database] would eliminate an awful lot of that nonsense.” 

To alleviate potential concerns from privacy advocates, Foley points out that as the database wouldn’t include addresses, it would have no marketing value. “It’s provided only to and for a specific purpose. It’s going to eliminate an awful lot of garbage,” he says. 

As for the deceased, Foley has an idea that may help put an end to their identity resurrections. Both the problem and the solution lie in the Social Security Administration’s Death Index, a database made public under the Freedom of Information Act through the Department of Commerce (one organization, the Provo, Utah-based Rootsweb, offers free access to the index online).

The index is intended to provide businesses with evidence that a person is, well, deceased. And businesses shouldn’t extend credit to deceased people. The problem is that not all deceased people, whose deaths are typically filed with state health departments, are actually listed in the index, Foley says. “There’s nothing that mandates the state to turn it over to the feds.” The administration is notified of deaths, and the registry thus updated, when deaths are reported in regard to Social Security benefits (those that need to be stopped due to the death, or those claimed by a spouse), or when military burial benefits are requested, but this leaves too many loopholes nonetheless. Foley wants to see an automated system that ensures all deaths wind up recorded in the registry, in real time. 

Finally, Foley would like to see a national registry of identity theft victims, accessible by police, which would prevent innocent people from being hauled off to jail for the crimes committed by scammers using their identity. Such a protocol could be integrated into the National Crime Information Center, a computerized index of criminal data currently used by law enforcement.  That way, victims of identity theft don’t have to “spend several days, several weeks...waiting for somebody to figure out you’ve got the wrong guy,” Foley says.


As if dealing with collection agencies, creditors, credit reporting agencies and law enforcement weren’t bad enough, identity theft victims face yet more bureaucracy when dealing with the federal government. Stolen passport? Call the Department of State. Your mail’s been stolen? Call the U.S. Postal Service. You suspect someone’s been using your Social Security number for illegal purposes like employment? Call the Social Security Administration. What if someone uses your personal identifying information to obtain medical care? That’s a call for the Department of Health and Human Services. And, oh yeah—don’t forget to report the crimes to the Federal Trade Commission. 

“Identity theft is a multi-issue problem,” says Pam Dixon, Executive Director of the World Privacy Forum. “It makes sense not to split this crime up into sectors... It doesn’t make sense for the consumer.” Dixon suggests centralizing control of all identity theft-related issues with the FTC, which already maintains the federal government’s identity theft statistics. “That’s where the identity expertise is, that’s where the identity theft staff is and the long term commitment to fighting identity theft,” Dixon says. “There’s no reason, at this point in time, not to make a decision to have the FTC own this issue. They should really be given any appropriate authority they need to take care of consumers in this area.”

And should Dixon’s vision of the FTC as central identity theft authority come to pass, one of its inaugural responsibilities under an Obama administration should be the creation of a repository of information on all organizational data breaches in America, accessible to businesses, consumers and law enforcement organizations alike. Of course, mandating the disclosure of data breaches to this centralized authority would require an act of Congress—data breach disclosure laws have traditionally been left up to the states—but Dixon says such an act is needed due to the paucity of accurate data breach information currently available.

The handful of small, non-profit groups that track data breaches have done a “heroic job,” Dixon says, but they get their information not from organizations themselves but from secondary sources. “I do think the Obama administration needs to step up to the plate with strong, consumer-centric data breach legislation that doesn’t require harm, for example, for a trigger,” she says, meaning businesses should not be free to choose whether to disclose breaches based on perceived risk, as is allowed in some states. The ideal system: “If there’s a breach, it gets reported.” 

One last thing: As the government considers policies regarding the sharing of electronic health care information, it needs to empower patients—first by giving them a choice whether they want their information shared beyond their immediate doctor, Dixon says, and second, by letting patients know who has accessed their medical records. “With health care privacy, it is not the outside hackers that cause the problem—it’s insiders that are accessing the records,” Dixon says. That’s why she’s calling on the Obama administration to support the idea of a digital “audit trail” accessible by patients, a system under which patients could see everyone who has accessed their records—not just those outside the health care system, but insiders as well. “We need to have 21st Century rights to go with 21st Century health care,” Dixon says. “This fight is coming. You watch.”


“I have a pretty simple answer,” Chris Hoofnagle says when asked how the Obama administration could play a role in the battle against identity theft.  “Identity theft prevention and remediation has focused on education of victims and prosecution of offenders. What we’ve left out are the companies in the middle—the companies that make credit offers to imposters.” Cell phone companies, credit card companies—any organization that extends credit to consumers—these are, after all, the unwitting enablers of many identity theft crimes. And this, says the senior fellow for the Samuelson Law, Technology & Public Policy Clinic at the University of Berkeley, is a matter that ought to be taken on by federal regulators.

In February 2008, Hoofnagle put together a study on the rates of identity theft reported by individual financial institutions and other credit- extending entities like major wireless service providers. It was an admittedly imperfect study, its findings hindered by the inherently limited set of data with which he had to work—a three-month sampling of reports voluntarily submitted by consumers to the FTC for the year 2006. But as important as the findings themselves was the message Hoofnagle was hoping to send to the consumers, lawmakers and financial companies—that greater transparency, though sure to be contested by the companies upon which it would impose its mandates, would come to be a winning proposition for all parties.

Consumers would be empowered to make choices based on organizations’ fraud prevention records. Competitive pressures, meanwhile, would force businesses to step up and ultimately cut back on rates of fraud-related losses. At least this is as the consumer activist and scholar sees it. What he hopes for in an Obama administration is a codified mandate requiring businesses to share information on rates of identity-related fraud. “It would be in their best interest to do this,” Hoofnagle says. “It’s a bitter pill to swallow, but in the long term would reduce fraud.”