8 Of 10 Americans Worried About Identity Theft

According to a recent poll by Bankrate, 8 of 10 Americans are worried about identity theft, spcifically having their identities stolen. This concern is based upon:

"... personal knowledge of a victim. One-third of Americans (34 percent) know someone who has been a victim of identity theft. In the Northeast, it's closer to one in four (28 percent) while in the West almost one in two people (44 percent) know an ID theft victim."

The survey results were part of a broader study of Financial Literacy about identity theft. Bankrate had engaged Gfk Roper America to conduct a random survey of American households to understand consumers understanding of identity theft. Interviewers questioned 1,006 adults -- 524 women and 482 men. The report found that consumers' worry increased with their personal knowledge of identity theft victims. Basically, people who knew ID-theft victims were more worried than people who didn't.

The numbers could be much higher (or lower), due to consumers' varying definition of identity theft. According to Avivah Litan, vice president and analyst at Gartner:

"Everyone has their own definition of 'identity theft... For some it means wholesale identity hijacking. For others it could mean credit card theft. So it's hard to know what the respondents were thinking; thus the results could be skewed either way."

What are consumers doing to address their ID-theft concerns? Survey respondents reported the following activities:

Participants' Response to ID-Theft (Bankrate - GfK Roper survey - North America - April 2008)	Concerned About ID-Theft	Not Concerned About ID-Theft
More likely to shred documents with sensitive personal data	82%	52%
Use a secure snail-mail mail box (at post office or a locked box at home)	63%	51%
Avoid online banking	54%	55%
Check credit reports regularly	53%	30%
Refuse to shop online	42%	47%
Requested a Security Freeze on their credit reports	23%	6%
Only pay bills online	16%	13%
Haven't made any changes to avoid identity theft	35%	19%

I find the 35% statistic in the last row astounding. These people practice the "head in the sand" approach. These are people who personally know ID-theft victims, but still refuse to do anything to avoid identity theft. Maybe they have given up, or maybe the problem seems overwhelming.

My impression: some companies probably rely upon this "head in the sand" attitude after a data breach. After a data breach, these companies rely on many ID-theft victims (e.g., employees, former employees, retirees, contractors, etc.) to "keep their heads in the sand" and not take advantage of the company's credit monitoring service offer... which is often free for a year or two. It lowers the company's post-breach costs. Companies know this, and are less likely to enact stronger data security measure when they know consumers don't do all they can to protect their sensitive personal data.

The survey results by gender:

• Women were more likely than men to shred documents
• Women were more likely than men to use a secure mailbox
• Men were more likely than women to avoid online banking
• Women were more likely than men to check their credit reports regularly
• Men were more likely than women to request a Security Freeze on their credit reports
• Men are more likely than women to practice the "head in the sand" approach

Now that you know what other consumers are (and are NOT) doing, I hope that more people will take action to avoid identity theft, and after a data breach will accept the company's credit monitoring service offer.

Screenshot Of The Day

From the Quantcast ratings web site:

2008 Consumer Fraud and Identity Theft Complaint Data (FTC)

Last week, I took the time to read the latest 90-page identity theft report from the U.S. Federal Trade Commission. The FTC issued the "Consumer Fraud and Identity Theft Complaint Data" report in February 2008. The report covers consumer complaints submitted to the Consumer Sentinel database during January through December 2007. Highlights:

• During 2007, the FTC received 813,899 consumer fraud and identity theft complaints; up 21% over 2006
• During 2007, consumers reported losses of $1.2 billion, slightly more than in 2006
• 3% of consumers lost more than $5,000. About 10% lost between $1,001 and $5,000
• The 5 leading complaint categories were Identity Theft (32%), Shop-at-home/Catalog Sales (8%), Internet Services (5%), Foreign Money Orders (4%), and Prizes/Sweepstakes/Lotteries (4%)
• The payment methods in these complaints included credit cards (33%), wire transfers (28%), bank account debit (17%), personal checks (10%), money orders (7%), and cash advances (3%)
• Total complaints by the age of the consumer: 40 - 49 (23%), 30 - 39 (21%), 50 - 59 (20%), and 20 - 29 (16%)
• Identity theft complaints by age of the consumer: 18-29 (28%), 30 - 39 (23%), 40 - 49 (19%), and 50 - 59 (13%)

It's important to emphasize that the above is based on actual complaints submitted by consumers, and not a survey. In my experience, most consumers do not file complaints with the FTC, so the above numbers are probably far higher.

Regardless, identity theft seems to be a growing problem since both the number of complaints and the amount of losses have increased.

Two really sad aspects to this report are a) the lack of involvement by consumers, and b) the lack of consistent response by law enforcement. 65% of victims did not file a police report. That is both sad and unacceptably high. 27% of victims did file a police report which was accepted by local law enforcement. 8% of victims tried to file a police report and it was not accepted.

Identity criminals probably feel encouraged by those results. Almost two-thirds of victims don't both filing a police report, which could aid inthe capture and prosecution of identity thieves. And, 8% of victims tried to get help from local loaw enforcement and couldn't get that help.

The report also provides statistics for identity theft victims by state:

1. Arizona - 137.1 (identity theft complaints per 100,000 population)
2. California - 120.1
3. Nevada - 114.2
4. Texas - 107.9
5. Florida - 105.6
6. New York - 100.1
7. Georgia - 91.6
8. Colorado - 89.0
9. New Mexico - 87.5
10. Maryland - 85.8

My state, Massachusetts, ranked #23  with 66.5 identity theft complaints per 100,000 population. North Dakota was #50 with 28.5 identity theft complaints per 100,000 population.

I'm not sure how relevant these numbers are since Internet-based identity thievery is largely geography independent

Online Privacy Concerns Increase

The Associated Press news services reported the results of a new survey by the University of Southern California's Center for the Digital Future:

"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.  People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet..."

In 2007, about 57% of survey respondents were very or extremely concerned about credit card security. In 2006, the same number was 53 percent. In 2007, about two-thirds of adult Internet users shop online, compared with just 50 percent in 2006. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores. The survey included a random selection of 2,021 Americans contacted from Feb. 28 to Aug. 6, 2007.

More survey results about online usage:

"... online parents are more likely than ever to withhold Internet use as punishment — 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000... Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat..."

4 Of 10 Small/Medium Businesses in the US Are Not Secure

Darknet recently reported the results of a recent survey of 455 small and medium-sized businesses in the United States:

• "42% do not consider their networks to be secure
• 32% have suffered a breach over the past 12 months
• 96% and 93% have anti-virus software and firewalls; 80% have anti-spam products
• 71% say downtime and security issues are their main daily IT concerns
• 51% identify user support as a major daily concern
• 39% say email viruses are the greatest security risk
• 55% spend 10% or less of their IT budget on security measures
• 77% say this budget is enough to cover their security requirements
• 48% believe that better awareness on security among employees would improve the level of security while 25% want senior management to be more aware of security issues"

Of the 32% that reported a breach, the breach was caused:

"mainly due to a virus attack (69%), followed by infected internet downloads (30%) and loss of hardware, e.g. laptops (24%). Only 2% reported a breach involving some form of fraud or identity threat."

The survey was conducted in October 2007 by eMediaUSA for GFI Software. The survey respondents were senior executives or senior IT administrators. Download full survey results and methodology (Adobe PDF).

Identity Theft Predictions For 2007 Come True

At the end of 2006, the Identity Theft Resource Center (ITRC) made five predictions about identity theft for 2007. Sadly, the ITRC was correct on all five predictions:

• "There will be an increase in check fraud, check synthesizing, and check counterfeiting.
• Phishing will continue to grow as a problem.
• Child, family, and domestic identity theft victims will be acknowledged by law enforcement and companies.
• There will still be a lack of sensitivity and responsiveness toward victims by some law enforcement agencies, companies, and government agencies.
• We will see more communication between various law enforcement entities in multi-jurisdictional cases including the creation of regional taskforces."

The ITRC also made predictions for 2008:

• "... [identity] thieves are getting younger and younger. Recently two people in their early 20’s were arrested, in possession of sophisticated forgery equipment. This is a strong indicator that identity theft is becoming a lucrative career path.
• Identity theft will continue to grow more international in scope. Scams will become more sophisticated and will be harder to detect, as thieves become more industrious and skilled at designing viruses,..
• There will be an increase in the number of breaches due to poor information handling policies and practices.
• There will be a continuation of contradictory studies with less agreement on victim census, cause and effect, facts and overall cost of identity theft. This will lead to confusion, misguided legislation and governmental actions.
• On the positive side, ITRC believes that businesses will develop and implement better ways to authenticate the identity of applicants including Internet and telephone applications.
• There will be a higher recognition of identity theft as a crime by law enforcement. This will lead to more reports written to assist victims in taking advantage of state and federal victim recovery rights.
• There will more legislative action on the issue of identity theft, including limiting the use of Social Security Numbers.
• States and non-profits will be in a better position to provide more victim assistance at no charge."

All of this tells me that we consumers have to be more engaged with issues associated with identity theft. We have to be smarter about where we shop and how we pay for purchases. We have to be more diligent about monitoring our financial files and credit reports. We have to be responsible in using anti-virus software and creating strong passwords. And, we consumer have to hold accountable the companies and agencies that lose our personal data; and the politicians that fail to support identity theft legislation.

Is Obama The Privacy Presidential Candidate?

Over at the MSNBC Red Tape Chronicles blog, Bob Sullivan reports the results of a recent Ponemon Institute poll:

"Americans think Barack Obama is the Democrat most likely to advance their privacy rights and that Rudy Giuliani is the least privacy-sensitive... The telephone poll of 600 adults, conducted by private research firm The Ponemon Institute, also found that 40 percent of Americans say protection of privacy rights is either important or very important in determining preference for the next presidential election."

About the apparent inverse relationship between privacy and security issues:

"Ponemon said he was not surprised that Giuliani scored lowest among major candidates, since the former New York mayor is often associated with national security issues. "People see him as pro-security, pro-surveillance, pro-wiretapping, and they figure if he's doing that he's not making privacy a top priority," Ponemon said."

I found this to be a surprise:

"... young voters are more privacy-sensitive than previously believed. Among 18- to 28-year-olds, the MySpace-Facebook generation, 54 percent said privacy issues would be a factor in determining their choice for president, significantly higher than the 40 percent rating among the general population."

Privacy seems to be one of several key issues voters will evaluate the candidates against.

How Secure Is Your Bank?

Last week, Javelin Strategy & Research announced the results of their 2007 Banking Identity Safety Scorecard. The report studied identity fraud prevention, detection and resolution for the top 25 banks in the USA. According to the report:

"This year, financial institutions showed strength in resolution practices, but vulnerability in prevention and detection. Javelin analysts recommend that banks provide more account monitoring tools to its customers and empower them to “watch and catch” identity fraud earlier."

Selected ratings for some banks (100 points total possible score):

• Bank of America -- 78 points
• (Tie) JP Morgan Chase, Washington Mutual and Wells Fargo -- 70 points
• Citibank -- 69 points

According to the report:

"... the average financial institution met 77% of the recommended resolution criteria, but showed slower progress in detection and prevention measures. In the 2007 Scorecard, the average bank achieved only 44% of Javelin’s recommended prevention standards and 51% of the detection criteria."

The report included 5 recommendations for consumers:

1. "Enroll in mobile and email account alerts."
2. "Turn off paper statements."
3. "Stay alert for phishing scams."
4. "Frequently monitor accounts."
5. "Don'€™t use your full social security number."

That's definitely good advice.

Top 50 Cities For Identity Theft

This is a list your city doesn't want to make. The Uni-ball company, a manufacturer of writing pens, has published at its web site the list of Top 50 ID-Theft Cities, as part of its Secure Your Signature program. The top 10 worst cities:

1. Phoenix, AZ
2. Riverside, CA
3. Las Vegas, NV
4. Miami, FL
5. Dallas, TX
6. Sacramento, CA
7. San Francisco, CA
8. Los Angeles, CA
9. Houston, TX
10. San Antonio, TX

The ranking is based on complaints in the 2006 FTC annual report. What's Uni-Ball's angle in this? The company's web site pitches a pen featuring an ink that imbeds itself in the paper, so identity thieves can't wash the ink from real checks and then make out your check to a different payee with a greater dollar amount... and in effect, steal money from your checking account.

By the way, Boston ranked #40 on the list.

Finally, A Profile Emerges Of the Typical Identity Thief

The Center for Identity Management and Information Protection at Utica College recently completed a study, funded by the U.S. Department of Justice, of the U.S. Secret Service's case files related to identity theft. The researchers analyzed 517 cases closed by the Secret Service between 2000 and 2006.

This study, which focused on a profile of identity thieves, is long overdue since most studies focus on the ID-theft victims. I think that it's also important to note that these 517 cases are a tiny portion of the total number of identity theft cases every year, many of which go unreported. According to the Federal Trade Commission, about 9 million Americans have their identities stolen each year.

Anyway, the key findings of the study:

• "42.5% of offenders were between the ages of 25 and 34. Another 18% were between the ages of 18 and 24."
• "Two-thirds of the identity thieves were male."
• "Nearly a quarter of the offenders were born outside the United States."
• "80% of the cases involved an offender working solo or with a single partner"
  
• "Fewer than 20% of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving."
• "Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses."
• "Most of the offenses were committed by non-employees who victimized strangers."
• "Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances... Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations"
  
• In about a fifth of the cases, the employee worked in the financial services industry.

While this is valuable research, one must be careful about making conclusions since the study included only Secret Services cases, and of those only closed cases. Want to learn more? Read the Associated Press news release, download the CIMIP study, or read the Red Tape Chronicles post.

Rising Cost of Data Breaches For Companies

From the Washington Post newspaper:

"Financially motivated data breaches are set to cost businesses 20 percent more each year until 2009, according to Gartner. John Pescatore, VP at Gartner, said the biggest risk to organizations came from targeted attacks. He said that "phishing and identity theft attacks have caused the rise of 'credentialed' attacks, in which the attacker uses the credentials of a legitimate user."

The good news in this is that the increased threat may push companies to better protect the personal data they archive of customers, employees, contractors, and former employees. This implication consumers: it's critical to protect home computers with both anti-virus software and anti-spyware software.

Consumers Think Their Computers Are Protected When They Really Aren't

There's a must-read article at CNNMoney which you should also forward to everyone on your e-mail list. The National Cyber Security Alliance (NCSA) and the McAfee, Inc. software company recently completed an online survey of consumers' computer usage and data security. Basically, consumers think that they are practicing safe computing when in fact they aren't.

First, the good news. Consumers seem to be aware of online viruses and threats:

• 98% of survey respondents agreed that keeping their online security up-to-date is important
• 87% use anti-virus software
• 73% use a firewall
• 70% use anti-spyware software
• 27% use anti-phishing software

However, many consumers don't adequately protect their home computer:

• 48% had not updated their computer's anti-virus software within the past month
• 54% had been hit with a virus
• 44% thought their computer was infected with spyware

Then, the bad news really piles up:

"When researchers were able to conduct a remote scan of consumers' computers, their findings revealed a significant gap between perception versus reality, where consumers thought they were protected, when in fact, they were not. In particular, the following results illustrate:"

• "While 81 percent have a firewall installed on their computer, only 64 percent actually activated this anti-hacker protection"
• "While 70 percent of respondents say they have anti-spyware software, 55 percent actually did"
• "While 27 percent say they have anti-phishing protection, 12 percent actually do"

The McAfee study also included an interesting age-related finding:

"Americans ages 45 and older show more savvy than their younger counterparts when it comes to cyber security... 25% of them are fully protected versus just 18% of Americans ages 44 and younger."

Face it. Your family, friends, and classmates use some pretty buggy computers. Which means that the files they share are buggy, too. This is one reason why I rarely open the e-mail file attachments I receive at home from family, friends, and classmates.

The security products on my laptop automatically update about once daily, but often several times daily. My security software automatically runs a full system scan at least once weekly.

The bottom line: we consumers make it unnecessarily more difficult to lobby legislatures about stronger identity theft laws covering data breaches by employers, former employers, and retailers when we still leave our home computers vulnerable. Companies realize this.

Cyber Crime Exceeds Drug Crime

This is a statistic none of us should be happy about. From an InformationWeek article:

"McAfee CEO David DeWalt says cybercrime has become a $105 billion business that now surpasses the value of the illegal drug trade worldwide."

In his speech at the InformatonWeek 500 conference, DeWalt mentioned 5 trends he sees emerging in data security:

1. Industry consolidation
2. Rapid growth in Federal compliance requirements

See the article for the rest of the trends.

Data Security is Key to UK Consumers' Trust

Consumers' concerns about data security are growing in Europe just like in the USA. A recent ZDNet's UK Security Management Toolkit article reported:

"Safeguarding customer data should be a priority for UK companies — because consumers here place great store on how businesses treat their information, according to research."

The supporting statistics:

"Out of eight European nations, UK nationals stand out as the most concerned their data is kept safe. Eighty-one per cent of Britons polled by Unisys said an organisation's ability to keep their data safe is a key trust-building attribute. This compares to 42 percent of French respondents, 40 percent of Belgians and 35 percent of German consumers."

More importantly, consumers' trust is affected by how well companies protect consumers' personal data:

"The UK also leads the way in believing inadequate data privacy protection leads to an erosion of customer trust. Seventy-six percent of Brits feel this is the case, followed by 62 percent of consumers in Spain and 58 percent in France."

We Americans are not alone with our data security concerns. Safeguarding customer, employee, and former employee data should be a priority not only for UK companies, but also for multinational corporations and their partners/contractors. We live in a global economy. Money moves globally. Personal data moves globally, too.

Consumers' Identity Theft Concerns Grow

From today's Boston Business Journal:

"A national survey conducted by Staples Inc. finds that 72 percent of Americans are more concerned about identity theft today than two years ago."

Also, 52% are unsure they are doing enough to protect their identities, and 43% percent wish they had more information about how to protect their identities. The company's news release announced a new "Security by Staples" initiative to educate customers about identity theft, data loss, and Internet threats, plus how to keep identities and personal and business data safe.

If you've been reading the I've Been Mugged blog, you already know about several ways to protect your personal data. To learn more, start by reading the Advice / Tips / Solutions and Fraud Alert sections of this blog.

Identity Theft Looms For Millions

Asa Aarons wrote recently in the Oct. 2 New York Daily News:

"In the past nine months, sloppy data security at businesses, schools, hospitals, government agencies and other organizations have put more than 84 million consumers worldwide at increased risk of identity theft, according to attrition.org, a data breach tracking site."

Mr. Aarons quotes one identity-theft victim, who asked some very relevant questions about the company that lost her personal data:

Aren't these organizations culpable for safeguarding the personal information they hold? This is not only annoying and aggravating, it is time-consuming on my part - and I did nothing to get into this situation..."

Excellent question. Valid concerns. I know how this person feels. Mr. Aarons' article is good for beginners. If you have any experience with identity theft, you know that there's a lot more to consider. I hope that Mr. Aaron writes some follow-up articles for his readers. Some possible topics:

• How to tell if the free credit monitoring offer (from the company that just lost your personal data) is worthy or not
• The difference between a Security Breach and a Security Freeze
• How to protect your credit information at the 3 national credit bureaus
• Why consumers should check their C.L.U.E. insurance reports
• The difference between a Fraud Alert and a Security Freeze
• What are companies doing (or not) to protect the personal data they archive about their former employees
• The personal data sent off-shore about employees, former employees, and customers

With identity theft, there's a lot to consider.

Consumer Attitudes About Data Breaches

Lately, I've begun to wonder about the impacts on a company after it suffers a data breach. Do revenues and profits fall? Do customers switch to competitors? Are prospective customers inclined to do business with a competitor instead?

To answer the last question, I looked at some of the available market research about consumers attitudes after a data breach. In April 2007, Javelin Strategy and Research released the results of a study:

"Although previous Javelin studies have proven that only a fraction of fraud in the U.S. is due to data breaches, 77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer’s data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases."

An article in DM News reported similar statistics from two recent surveys. Highlights from the first survey, a 2007 Consumer Survey on Data Security:

• 36% would not use their credit or debit cards to make a purchase with a Web merchant they do not know
• 62% have been notified that their confidential data have been lost
• 84% reported increased concern or anxiety because of data-loss events
• 45% would not provide their Social Security number on a Web site
• Survey respondents age 18-25 appear to be less concerned about the protection of certain data types compared to respondents age 65 or older

Highlights from the second survey:

• 54% said identity theft and fraud were their biggest personal financial concerns

So there is some negative impact in consumers' attitudes towards a company with a data breach. The retail company seems to take the hit.

What if the affected customers are also former employees? I haven't any research yet that focuses only on data breaches affecting former employees. I imagine that like any other customers, former employees hold the same attitudes... and clout, to switch purchases to a competitor.

All of this is relevant for B-to-C (retail or business to consumer) companies. What about B-to-B (business to business) companies? In this instance, former employees aren't customers. The impact may be less clear. Former employees don't have any direct marketplace clout since they can't switch their purchases to a competitor. Former employees may have clout if they are investors (e.g., retirement plan) or shareholders.

I believe that most corporate executives are smart and probably know this... the lack of direct clout by most former employees.

What to make of this? As I see it, consumer awareness of credit card/payment fraud identity theft is high and reaching critical mass. Why? Most consumers have credit (and debit) cards. So, the impact on consumers by ID theft is direct and immediate. Hence, consumers expect more and stronger protections from credit card companies, banks, and retailers.

Consumer awareness of data breaches by former employers is low. Most people I've talked with don't realize how long companies archive the personal data of former employees. I learned that IBM archives it forever. Most people I've talked with don't realize that as companies merge and acquire each other, the new company "inherits" the personal data of former employees. Consumers probably don't monitor all merger/acquisition activity unless that consumer is a stockholder. And historically, most states haven't required companies to notify people (employees and former employees) of a data breach when personal data is exposed, lost, or stolen.

For these reasons, consumer awareness of data breaches by former employees is low... today. The impact on consumers is indirect and not immediate... until the former employer has a data breach and notifies affected former employees. Thankfully, most states (about 37) have mandatory data breach notification laws.

As consumer awareness grows about data breaches by former employers, I believe that consumers' attitudes and expectations will change in several ways. First, job seekers will consider an employer's data security history. Only the foolhardy or desperate will start a new job at a company with a chronic history of data breaches. Second, an information industry will rise around this need. Research firms, like Javelin Strategy, will do well to research the attitude of consumers (including retirees) about their former employer's data security and records retention policies.

Third, as consumer awareness grows, consumers will become increasingly intolerant of former employers who have repeated data breaches, are slow to notify them of data breaches, avoid notifying them, offshore personal data to countries or contractors with a chronic history of data breaches, and/or provide weak or no post-breach services (e.g., credit monitoring, credit restoration, etc.). Costs to these companies might appear in several forms: litigation, boycotts, and/or increased legislation.

What do you think? Do former employees have clout? If yes, is it sufficient?

Next entry: new ID theft law in Massachusetts (Part 2)

How consumers respond to identity theft crime

My last entry discussed identity theft frequency, amounts lost, and time/money spent fixing the problem from the results of the 2003 Identity Theft survey by the U.S. Federal Trade Commission. How we consumers respond (or don't) to identity theft is just as important. Basically, vigilance matters.

The consumers who monitor their credit and discover problems sooner, lose less money and spend less time and money fixing the problem. Survey results summaries:

"When the misuse was discovered within 5 months of its onset, the value obtained by the thief was less than $5,000 in 82% of cases (including all forms of ID Theft). When victims took 6 months or more to discover that their information was being misused, the thief obtained $5,000 or more in 44% of cases."

"No out-of-pocket expenses were incurred by 67% of those who discovered the misuse of their personal information within 5 months of the time the misuse began. Where it took 6 months or more to discover the misuse, only 40% of victims incurred no out-of-pocket expenses."

"New accounts were opened in less than 10% of cases when it took victims less than a month to discover that their information was being misused. New accounts were opened in 45% of cases when 6 months or more elapsed before the misuse was discovered."

"76% of victims who discovered the misuse of their information within one month spent fewer than 10 hours resolving their problems, while in only 20% of cases where it took more than 6 months to discover the misuse were victims able to resolve all of their problems in less than 10 hours."

And, consumers seem to be lax about both monitoring their credit and reporting crimes to the police:

"Only about 25% of victims who participated in the survey said that they had reported the crime to local police. Even with the more serious “New Accounts and Other Frauds” form of ID Theft, only 43% of victims said that they had reported their experiences to local police."

"Only 22% of ID Theft victims said that they had notified one or more credit bureaus about their experiences. Even among those who suffered from the “New Accounts & Other Frauds” type of ID Theft, only 37% contacted a credit bureau. Of those victims who contacted credit bureaus, 62% asked to have a “fraud alert” placed on their credit reports."

Where consumers are somewhat lax, thieves aren't. They are persistent, determined, and will misuse your personal information for a long period of time. From the same survey:

"13% of victims reported that their information was misused for 6 months or more. (For “New Accounts & Other Frauds” ID Theft, 27% of cases involved the misuse of the victim’s information for at least 6 months.) On the other hand, in 26% of all cases of ID Theft the misuse was limited to a single day. (Misuse was limited to a single day in 36 % of cases that only involved the misuse of existing credit cards or card numbers.)"

Next entry: what is the personal information you should protect?