Internalizing Identity Theft

13 UCLA Journal of Law and Technology 1 (Fall 2009)

38 Pages Posted: 6 Apr 2010 Last revised: 29 Oct 2014

See all articles by Chris Jay Hoofnagle

Chris Jay Hoofnagle

University of California, Berkeley - School of Law; University of California, Berkeley - School of Information

Date Written: Oct 1, 2009


Why has identity theft remained so prevalent, in light of the development of ever more sophisticated fraud detection tools? Identity theft remains at 2003 levels – 9.9 million Americans fell victim to the crime in 2009.

One faction explains the identity theft as a problem of a lack of control over personal information. Another argues conversely that identity theft may be caused by a lack of access to personal information by credit grantors. This article presents data from a small sample of identity theft victims to explore a different dimension of the crime, one that suggests alternative interventions.

Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

These business decisions leave individuals and merchants with some of the externalities of identity theft. Victims sometimes spend their own money, and more often, valuable personal time dealing with identity theft externalities. This article concludes by reviewing several approaches to internalizing these costs. Popular approaches specify prescriptive rules to address particularly problematic practices in credit granting, such as using the Social Security number as a password for authentication. These approaches may lead to compliance-oriented approaches and reification. Several commentators have suggested negligence actions as a cure to identity theft, but uncertainty surrounding the duty of care would probably leave many consumers unremunerated. A strict liability regime is suggested because credit grantors are the least cost avoiders in the identity theft context, and because consumers cannot control the credit granting process nor insure against identity theft losses efficiently.

Keywords: Identity Theft, fraud, credit

JEL Classification: K20, G21, D18, D81, D82

Suggested Citation

Hoofnagle, Chris Jay, Internalizing Identity Theft (Oct 1, 2009). 13 UCLA Journal of Law and Technology 1 (Fall 2009), Available at SSRN:

Chris Jay Hoofnagle (Contact Author)

University of California, Berkeley - School of Law ( email )

341 Berkeley Law Building
Berkeley, CA 94720-7200
United States
‭(510) 666-3783‬ (Phone)


University of California, Berkeley - School of Information ( email )

212 South Hall
Berkeley, CA 94720-4600
United States
510-643-0213 (Phone)


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics