The law of data breaches is new, dynamic, and evolving. The number and complexity of breaches increases each year and legal scholars, courts, and policymakers scramble to respond. In 2019, 14.4 million consumers became victims of identity theft, the most problematic consequence of data breaches for consumers. Indeed, one-third of all Americans have experienced identity theft at some point in their lives. Yet despite low-income groups comprising at least thirty percent of all identity theft victims, existing discourse and debate on the regulatory regime governing data breaches and identity theft primarily reflects the experiences and concerns of middle- and high-income groups. Debates remain uninformed by detailed analysis of how the use of illegally obtained data may uniquely harm low-income individuals and how these harms may be exacerbated for low-income victims who are Black. We lack careful theoretical assessment of the complex relationship between identity theft victimization and wider structures of inequality. This Article uses original data to fill these significant descriptive, theoretical, and normative gaps in the literature. It then turns toward exploring the common and understudied problem of aligning regulatory regimes with the needs of prototypical higher-income people, leaving those who are low-income to operate within a system that was not designed to help them—what I call plutocentric regulation. Finally, the Article proposes a new federal agency, the Data Privacy and Identity Recovery Agency (DPIRA), to streamline the process for identity theft victims and make the recovery process equitable for all victims, regardless of their income.
This article addresses the flip side of the problem of Credit Invisibility among those with financial instability or distress.
In looking at why Department of Justice data shows that one-third of identity theft victims live in lower-income households, the paper asks why would thieves steal low-income identities with low credit scores when identities with higher scores are available? Thieves with access to identities with bad credit can take out high interest loans, with the interest rates and terms being immaterial, since their is no intention of repaying. And lower-income victims have fewer resources to both protect against identity theft and to seek remedies after being victimized.
Often bankruptcy (which might have otherwise been avoided) is the only tool (and a very blunt instrument at that) for clearing away these fraudulent debts, since the victim need not engage in the tiresome and recurring disputes over these debts (which are often treated with skepticism by the Credit Reporting Agencies) but can instead simply erase the obligation, legitimate or not. The article takes a rather dim view of bankruptcy as a solution for identity theft, but given that it is at least as dismissive of the other option, for people that also have problems with legitimate debts of their own, bankruptcy can be the best of poor choices. Bankruptcy does not, however, prevent the same stolen data from being used again and again.
The proposed creation of a Data Privacy and Identity Recovery Agency (DPIRA), with the expansive mandate of addressing not just data security and privacy but also identity theft victimization, is interesting, albeit legislatively difficult. It is disappointing that DPIRA would be proposed to interface with similar state agencies and community organizations, such as social workers, churches and other religious organizations, and schools, but not also attorneys, whether bankruptcy, consumer rights or others, to assist victims, since often those people need legal and not merely bureaucratic advocates.
Also unmentioned in the paper is the vulnerability that debtors in bankruptcy face to identity theft. There is a strong tension between the right to public disclosure of documents in any legal proceeding, including bankruptcies, and identity theft and privacy concerns of the parties in those cases. And while access to PACER has some milquetoast restrictions and documents there are subject to some redaction requirements, many bankruptcy courts do not protect all debtor information behind even these feeble walls, with, for example, court dockets disclosing debtor's names (and more) easily and permanently accessible from the court's web page. Government entities, whether a newly created DPIRA or existing ones like bankruptcy courts, the U.S. Trustee and the CFPB, should pay greater attention to the vast source of identity information available without even hacking.
For a copy of the article, please click here: