Each year, millions of consumers are victimized by identity theft--the practice of using the identity of another to obtain credit. After the identity thief defaults, lenders and credit bureaus attribute the default to the impersonated consumer. The article draws on the traditional loss allocation rules of the common law to suggest ways to reduce the incidence of identity theft. Lenders and credit bureaus do not at present have a sufficient incentive to avoid attributing the acts of identity thieves to consumers. The piece argues that consumers should have a claim against creditors and credit bureaus for including the transactions of identity thieves in reports on impersonated consumers. That would give the credit industry--the entity that can avoid the losses at the lowest cost--an incentive to take steps to prevent identity theft. Finally, the article briefly reviews current law and suggests some implications for public policy.
Identity theft--the appropriation of someone else's identity to commit fraud or theft (Milne 2003)--is a serious consumer problem. Until December 4, 2003, when President George W. Bush signed into law the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Congress had dealt with identity fraud primarily by criminalizing it (Identity Theft and Assumption Deterrence Act 1998). Not only had criminalization failed to stop identity theft, but occurrences of identity theft have appeared to increase (GAO 2002). As Professor LoPucki has written, (Identity theft is out of control" (LoPucki 2001). Though identity thieves may use the personas of their victims for a variety of purposes, this article focuses solely on one particularly widespread aspect of identity theft: the use of a person's identity to obtain credit, which may itself take many forms, including impersonating someone when applying for a mortgage or credit card.
Though some lenders have adopted measures to prevent identity fraud, many firms have been lackadaisical. Consumers complain that even after they place fraud alerts in their credit files, identity thieves are still able to borrow in their names. Identity thieves have obtained loans despite applications containing obvious errors (U.S. Senate Committee on the Judiciary 2000a). Victims report that consumer reporting agencies--known colloquially as credit bureaus--have automated telephone answering systems that make it impossible for victims to reach a human being for aid (CALPIRG and Privacy Rights Clearinghouse 2000).
The credit industry can respond to identity theft in this fashion because it does not bear the costs generated by attributing the thieves' defaults to victims. To be sure, lenders may suffer losses because they cannot recover the amounts loaned to thieves. The credit industry seems willing to absorb these losses, however, because of the benefits that flow from easily available credit. But the damages caused by misreporting of consumer information are borne largely by the injured consumers (with the exception of some incidental expenses such as the cost to businesses of hiring personnel to listen to victimized consumers). That is because existing law does not give injured consumers a cause of action against creditors for reporting erroneous information about consumers, and provides consumers a claim against consumer reporting agencies only if consumers can show that the consumer reporting agency acted negligently.
This contrasts dramatically with more traditional approaches to impersonation. Though this particular form of identity theft is a relatively recent invention, identity theft as a genre is not new. Indeed, some forms of identity theft--such as forging checks or impersonating a credit-worthy buyer --go back centuries. Unlike the limited modern approach to identity theft, the law traditionally has also taken another approach to this type of fraud: while not eschewing criminal punishment, the law has also employed civil loss allocation rules to reduce the incidence of many frauds. …