Meet the identity thief.
It's a mere visual representation of an amorphous concept, perhaps. But as a concept, the identity thief has spent the last 10 years terrorizing Americans over the safety of their personal data. He (or she) has hacked into our retail store servers, forged our credit cards, and pillaged our bank accounts. But how frightened should we be?
According to the nonprofit Privacy Rights Clearinghouse, from January 2005 through the close of last year, identity thieves stole more than 600 million electronic records containing sensitive information about American consumers. Since 2005, when this phenomenon really started picking up steam, identity thieves have struck more than 4,000 times, raiding everyone from data collection giant ChoicePoint (one of the very first victims) to Target (NYSE:TGT) and Home Depot (NYSE:HD) more recently, to the most recent victim, JPMorgan Chase (NYSE:JPM).
And yet, while the phenomena of privacy breaches and security hackings only seems to grow more and more common, a recent Travelers (NYSE:TRV) poll of consumers suggests Americans might these days be worrying less about the dangers of identity theft. In fact, Travelers' latest study reveals that from 2013 to 2014, the numbers of Americans who said they worry "a great deal" about getting a visit from the identity thief fell from 31% to just 23%. Less than one in four.
Why is that?
You've heard a lot about data breaches in recent years. You've seen a lot of headlines. But when was the last time you read a headline that read, "Company X Hacked! 100 Million Personal Records Lost! $100 Million Siphoned from Consumer Bank Accounts!" Or any headline even remotely like that?
I'll tell you the answer: never. You've never read a headline like that, because fraud resulting from data breaches simply doesn't proceed in such a straightforward manner.
Sure, it seems logical to assume that an identity thief, after breaking into a bank or retailer to steal information, will try to put that data to some nefarious use. This might happen through combining the information with other data, or reselling the information in part or whole, rather than using it immediately to withdraw money from a card customer's account. In other words, monetary losses might not directly follow from data losses. As a result, it's often difficult to draw a direct causal link from Point A (a breach) to Point B (a consumer losing money).
Take the recent Target breach for example, one of the largest in history. Consulting firm Javelin Strategy & Research put the total cost of "fraud losses" stemming from data breaches in the U.S. at $16 billion across all companies in 2013. According to investment banker Jefferies, the identity thief (or thieves) who hit Target alone caused "$1 billion" in damage -- a sizable percentage of that total annual loss. That's significantly more than the average cost of a breach, though, which the American Bankers Association (ABA) and data security firm Kaspersky Lab estimate at "from $66,000 to $938,000 per organization."
But even these numbers include the "all-in" cost to the affected company, which must hire "consultants and lawyers to help manage the problem, as well as the cost of lost business opportunities and investment in services and solutions to prevent additional incidents, such as extra security training." Loss of "morale and stock value," the cost of hiring customer service staff to speak with panicked customers, and the expense of reissuing cards to replace those numbers now in the hands of the identity thief, also factor into a data breach's cost.
Indeed, Jefferies put the cost of simply reissuing cards to affected consumers at nearly $400 million for Target -- as much as 40% of the total economic damage from the breach. American Banker magazine added that each customer service call to deal with a distressed consumer costs companies "$20 a shot."
... and smaller numbers
But actual monetary losses to consumers defrauded after a data breach? According to Businessweek, 70% of stolen cards will be used by an identity thief "for at least one transaction." But the dollar value of these transactions can be far less than what we've been led to believe.
In contrast to the billions of dollars in losses suffered by companies forced to deal with the fallout of a data breach, The Wall Street Journal noted that one bank, the Air Academy Federal Credit Union in Colorado Springs, Colo., uncovered only $20,000 worth of questionable charges (which may or may not have been fraudulent) suffered by its customers following the Home Depot incident. This was across 5,800 customers affected by the breach, in the first three weeks following the Home Depot data breach.
That's about $3.45 per card.
The upshot for cardholders
Granted, these losses could grow over time. But the ABA estimated that in the case of the Target breach, for example, the identity thief charged just $530 per stolen credit card, and just $331 per debit card affected.
To put that in context, federal law limits customer liability for fraudulent credit card charges to $50 -- and banks hold their customers completely harmless in case of credit card fraud. Similarly, debit card holders' liability is capped at $50 if they report a fraudulent charge within two days -- and even if it takes them 60 days to report a fraud, liability is capped at $500. So in many cases, consumers pay far less than even the few hundred dollars of fraudulent charges they're theoretically exposed to.
The upshot for cardholders: This identity thief isn't quite as scary as we've been told.
Rich Smith has no position in any stocks mentioned. The Motley Fool recommends Home Depot. The Motley Fool owns shares of JPMorgan Chase. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.