How Identity Theft Is Like the Ford Pinto

A hapless victim of identity theft

Professor James Grimmelmann likes to shop at Kohl’s.  So much so that he applied for credit at Kohl’s.  And he got it.

The problem is that James Grimmelmann didn’t really apply for anything.  It was an identity thief.

Grimmelmann was a participant in Chris Hoofnagle‘s study about identity theft.  In a really eye-opening paper, Internalizing Identity Theft, 2010 UCLA J. of L. & Tech (forthcoming), Hoofnagle has concluded that one of the main reasons identity theft happens is because companies let it happen.  It is an economic decision.

Back in 1981, in the famous case involving an accident due to a defect in a Ford Pinto, it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.

Hoofnagle illustrates that the same phenomenon is happening with identity theft.  Companies grant credit carelessly because it is cheap to do so.  Much of the losses are sloughed off on victims because the companies aren’t forced to internalize them.

To illustrate how sloppy the granting of credit is, Hoofnagle supplies a copy of the Kohl’s credit application Grimmelmann’s identity thief used.

Notice how many errors are on the application.  There’s a ton of missing information.  And Grimmelmann’s name is even spelled incorrectly — though, in all fairness, it’s got way to many m’s and n’s to keep track of.

In his paper, Hoofnagle examines several case studies in addition to Grimmelmann’s to show how many obvious red flags in credit applications are ignored.

Hoofnagle demonstrates that identity theft is a product not of carelessness on the part of the credit industry, but the product of planned carelessness — more akin to intentional decisions than to foolish blunders.

The reason so much identity theft occurs is because it is cheaper to expose people to the risk of identity theft than to exercise more care in vetting credit applications.  Courts and legislatures are also to blame, for they fail to adequately recognize the harm of identity theft (or data breaches) and will not make companies internalize the full costs.   So the companies do their cost-benefit analysis and conclude that they can expose people to the risk of identity theft because many costs are external — and if people sue, courts won’t recognize them.

The costs of identity theft to victims is substantial.  It creates a lot of anxiety.  It takes a lot of time to get to the bottom of the problem and then to fix it.  It takes time and effort to keep monitoring to make sure that the problem is fully resolved.  It leads to delayed decisions to make purchases, get credit, and take out loans — since people won’t want to do these things if their credit is a mess.  But these harms are often not recognized and appreciated to their full extent.

If courts and legislatures were to better recognize harm, and force companies to internalize it, then we’d see the end of sloppy practices that allow so much identity theft to occur.   Until that time, companies can be just like Ford with the Pinto.

See also Brad Stone’s writeup of Hoofnagle’s paper over at the New York Times’s Bits Blog.

You may also like...

7 Responses

  1. Joe says:

    Wow. I’m a little stunned. Of course, I knew credit has been cheap the last few years to it was being given out to any and everyone, but I’m shocked that an application with so many obvious errors made it through without anyone even calling him to ask for clarification.

  2. Ken says:

    I, too, am stunned, Joe, but after reading this short summary, I’m not shocked. It really is a purely economic decision on the part of corporations, balancing “responsibility” in the financial sense, and ignoring “responsibility” in the ethical sense. Which shouldn’t be shocking to us. Corporations are generally assumed to have primary “responsibility” to their shareholders, and are generally assumed to take actions to meet that responsibility, which is to return profits.

    It seems that the way our justice system can force corporations to act in a “socially responsibly” way is to provide positive reinforcement for “good acts” and/or negative reinforcement for “bad acts.” This, in turn, will offend those of us who generally like to minimize government intervention into day-to-day business activity, but it’s simply the price we have to pay to provide some protection to the “innocent bystanders.”

    In the example, for instance, Grimmelmann wasn’t a “careless contributor” to the activity, which might make us feel like if he had simply been more careful, the problem wouldn’t have occurred. He had no part in the fraud. He didn’t sign something without reading it carefully. He didn’t lend his name to somebody who then used it for some other purpose. And BTW, if the crook had done a better job filling out the lameass application, spelling his name properly and attempting a reasonable facsimile of Grimmelmann’s signature, then where would we be in assessing blame?

  3. I should add that Kohl’s fraud department was professional and friendly when I reached them. I filed a police report, faxed it to them, and they cancelled the card and released me from any liability all but immediately. The transparency of the forgery may have had something to do with it, of course.

  4. Bruce Boyden says:

    I think I’m with Dan on most of this post, but one figure I’d be curious about is what percentage of legitimate applications for credit contain egregious errors of this sort.

  5. Kelly says:

    I’m not at all surprised. This sort of thing has been going on for a long time.

    Take a look at this story from 2006: