The saying goes that imitation is the sincerest form of flattery, but when it comes to identity theft — this could not be further from the truth. I dealt with a mild smattering of identity theft in the spring of 2018 and then, more recently, with a veritable deluge of it. Bank accounts I didn’t open, credit cards I didn’t apply for, fraudulent information on my credit report (former employer Goldman Sachs – are they trying to be cute?!), etc. What I used to assume was junk mail and destined straight for the recycle bin I now must open and steel myself for news of another account or card fraudulently opened in my name.
SSN vs DNA
The past few weeks of dealing with this got me thinking about the similarities and differences with protection of a different type of personal data: genomic information. Both financial and genomic data are sensitive, obviously personal, and subject to varying levels of security and protection. However, one could easily argue that a leaked social security number, only nine digits, can be far more damaging than a breach that releases all three billion letters of your personal genetic code. Maybe the latter will have more predictive, and therefore potentially punitive, power in the future — but for now, it’s the former that’s likely to get you in real trouble.
Nevertheless, it’s been useful to consider some concepts from the world of genomics and health data when trying to understand why I find dealing with my identity theft so infuriating. In particular, I’ve been thinking of ideas from the world of biobank governance. Genomic and biomedical samples are often collected and stored in “biobanks” (borrowing language from the financial world, incidentally!). Biobank collections can support multiple research projects over time, even simultaneously. Because biobank samples might be used for assorted purposes, the sample donors have to be consented broadly — i.e., agree up front that it’s ok to use their donated samples for any general research purpose (or perhaps, only slightly more narrowly, for health-related research). This type of informed consent is inherently limited (some have argued close to meaningless) and calls for other approaches to research oversight and governance to protect the participants’ interests.
Social scientist Kieran O’Doherty and colleagues have articulated a series of principles they term “adaptive governance” to enhance oversight of biobanks. Next, I’ll take each of their principles of adaptive governance in turn and apply them to my experience of identity theft in our financial system. This allows me to examine a useful framework from academic research…and also vent out personal frustration. Win win. Granted there is not one unified database of financial information – rather there is a diffuse network of financial institutions (banks, credit card companies, etc.) and credit reporting agencies (the big three: Experian, TransUnion, Equifax). Similarly, biobanks may not always be singular systems but instead interconnected pieces. Principles of data stewardship apply nevertheless.
Adaptive governance principles
The principle of representativeness holds that people whose data are in biobanks or databases have collective rights and interests and should somehow be involved, or at least represented in, decision making about those resources. The only thing that comes close to that for our financial system, to my mind, is that voters help bring into power government representatives who oversee the financial system (obviously, to varying levels of success). The Federal Trade Commission provides oversight and consumer protection; indeed, it was to the FTC’s guide for victims of identity theft that I went straightaway when I started uncovering what was happening. But I think it’s hard to argue there’s much representative governance going on in our financial systems.
Things always go wrong and any bank (bio or otherwise) or holder of personal data who ensures complete protection is lying. What’s equally if not more important than security is accountability when the inevitable mistakes are made. I think immediately of the Equifax data breach that exposed millions of people’s personal profiles and left them vulnerable to identity theft (incidentally, mine does not appear to be one of them, so no smoking gun there). Was Equifax really held accountable? Did they, or the other major credit reporting agencies, make any real changes to their practices? Not clear from my vantage point. Victims were initially going to get payment, but too many people applied so they changed the token of consolation to free credit report monitoring. If there is accountability in the system, it seems weakly imposed by government regulators and lawsuits.
As maddening as this experience has been for me, I’m glad I wasn’t born before 1971 and the Fair Credit Reporting Act. Now, it still hasn’t been easy to figure out what’s going on as I’m following the prescribed steps: requesting seven-year fraud alerts from each agency, placing credit freezes, initiating credit report disputes to remove fraudulent information that had made its way onto my reports. On some of the agency websites, I could easily tell that a credit freeze request had gone through and/or the fraud alert successfully placed. But for others I had to wade through maddening phone trees and darned if you really can’t get a person to respond from Experian unless you throw shade at them on Twitter. It seems simple, but just a nice user web interface where you can easily tell the status of different requests would go a long way. Instead, some of the agencies seem to bury the information, including behind ads for products to help protect you against identity theft. Really? What would help protect me is if you made it easier to navigate through the darn system. (I’m still looking at you, Experian.)
Hmm, this one seems like a stretch. But I hope, with all sincerity, that financial institutions are pausing to examine how their practices and procedures could shift to better protect consumers. I could offer to Wells Fargo to put all your tellers through some basic identity theft training. If they did this, presumably the main customer support line I called when a suspicious secondary email address was added to my account would have recognized it as a sign of a fraudulent credit card application. Instead the representative assumed it was a “teller error” and just deleted the email. (Now that I know the signs I would have picked up on the real cause sooner as well.)
In the biobank context, sustainability is planning for long term management and financial support of the resource. This may not transfer nicely to the financial system context, but I’ll make a stab. Banks and credit reporting agencies obviously have multiple databases with all our personal information. Do they have a good plan for when they go out of business or change corporate leadership?
The greatest irony of it all
It’s probably not surprising that the US financial system is not successfully evidencing adaptive, or even good, governance principles. What’s gotten to me most in my personal experience with identity theft is the lack of transparency from these institutions and the flouting of accountability. The irony is not lost on me that I have to work with, painfully in most instances, the very same institutions that likely put me in this mess. It very much feels like I’m alone in the face of these behemoths. In addition, I’m a fairly organized and administratively capable person and yet what I’ve had to do to stay on top of, and ideally get out in front of this, is taxing those capabilities. I can’t imagine how hard it would be for someone less resourced. There’d really be no hope of fighting it.
From my experiences, I can draw one lesson for the research context: that an overemphasis on input to the system is likely to disenfranchise those who may be harmed by it. By this I mean that banks and credit card companies want to make it really easy to open accounts. It’s so easy you can do it as someone else. The emphasis is getting feet through that door. Trying to close down accounts, especially those that you didn’t open? Much, much harder. Governance in the research context should include proactively thinking about what you’re going to do when someone wants out.