This page considers identity theft insurance.
It covers -
The insurance business is about marketing, number crunching
and contract construction, with insurance providers assessing
whether premiums from the insured (and income from investment
funded with those premiums or through associated products)
will typically be greater than payouts to the insured.
Skilful drafting of terms & conditions (or a glacial
attitude in their interpretation) and the sheer opacity
of much insurance contract writing minimises payouts.
Like other parts of the financial services sector the
insurance industry is prone to
bouts of exuberance and herd behaviour, executive hubris
and efforts to buy market share, along with occasional
innovation that meets a genuine need of individual and
corporate clients. (One point of reference is the $5 billion
HIH collapse noted elsewhere in this site and examined
in the 2003 report
of the Royal Commission of inquiry).
Recent years have seen the emergence, particularly in
North America, of a market for providing 'identity theft
insurance' to consumers.
Some of that insurance is provided as standalone policies
by major insurers or smaller specialists, in particular
new market entrants hoping to populate a niche and then
compete directly with major players. Some insurance is
bundled as part of home-owner, car-owner, boat-owner or
other policies: pay a few dollars extra each year and
your existing coverage will be extended to deal with identity
Some insurers have avoided marketing direct to consumers,
instead targeting employers who are encouraged to include
identity crime coverage in employee remuneration packages.
Banks, credit card providers and other financiers have
offered insurance as part of credit/debit accounts.
Emergence of identity theft insurance reflects several
factors. The first is simply perceived market demand:
consumers have become sensitised to identity crime and
have expressed interest, during a range of surveys, in
buying some form of cover.
Another reason is that market entrants and established
insurance providers are seeking new opportunities in what
at times is a cut-throat industry. That is reflected in
developments such as US patent 20020173994 ('Method and
apparatus for insuring an insured from identity theft
peril and identity reclamation and credit restoration').
A third reason is industry pragmatism rather than opportunistic
expansion: being seen to provide solutions helps to fend
off pressure from legislators, regulators and consumer
activists critical of industry practice (eg claiming that
institutions are major contributors to identity crime
and should "do more" than simply transfer costs).
What is identity theft insurance? It is important to emphasise
that the policies do not prevent the range of identity
crimes highlighted in this profile. They do not aim to
stop identity thieves (within or outside the victim's
circle of family and associates). Typically they do not
aim to recover every financial loss experienced by a person
whose identity has been appropriated or by someone who
has dealt with an identity criminal.
Identity theft insurance instead provides a person whose
identity has been 'lifted' with some money towards the
cost of dealing with that theft, for example the cost
of phone calls and postage or legal advice after you find
that someone is running amok with your credit card.
That is consistent with comments earlier in this profile
that many people experience three injuries when their
identity is appropriated -
initial financial loss, often a loss that is ultimately
covered by a bank or credit card provider (and passed
on to consumers generally)
to a personal financial
profile, with denial of credit or higher costs for
access to credit
stress and time wasted dealing with credit reference
agencies, individual financial institutions, police
and other entities in trying to restore a good name.
critics have questioned the value of some identity theft
insurance policies (or potentially misleading statements
in marketing). More adventurous critics have asked whether
alternative mechanisms would be more effective. The UK
national consumers association for example suggested that
are capitalising on people's lack of knowledge about
fraud. Consumers would be better off spending the money
on a shredder.
2008 the London Times noted that
have been accused of profiting from fears about identity
theft to push their protection policies on hard-pressed
High street banks and credit card providers are promoting
identity theft protection plans that cost up to £83
a year. Staff at Barclaycard recently told one customer
that there was a one-in-four chance he would be a victim
of identity theft.
Experts say this is simply not true. This week Cifas,
the UK's fraud prevention service, announced that the
number of proven cases of identity fraud had fallen
for the second time in a year. Its latest figures show
28,500 victims in the first six months of this year,
compared with 33,466 during the same period in 2007.
Richard Hurley, of Cifas, says: "This seems to
have similarities with payment protection insurance,
when banks were accused of using figures and stories
as a scare tactic to encourage people to buy insurance."
Mark Bowerman, of Apacs, the UK trade association for
payments services, believes that many of the statistics
surrounding identity theft are confused with general
have asked whether legislation such as the US federal
Fair & Accurate Credit Transactions Act 2003
(FACT Act) - which provides a right to a free annual credit
report on request - should be extended to cover free automatic
'financial health warnings' if anomalies appear in data
being aggregated and mined by credit reference services.
Discussion elsewhere on this site regarding data
losses indicates that businesses and other organisations
are contributing to identity crime through failures as
custodians of customer data (eg losing tapes and laptops,
inadequate firewall protection against hackers, sale of
data to criminal gangs).
Definitively linking that negligence to the identity theft
experienced by a specific customer is difficult and courts
have tended to take a conservative approah in assigning
blame. However, regulators in the US and elsewhere have
imposed substantial penalties - in some instances amounting
to several million dollars - for breaches by financial
institutions. Organisations of course face much larger
costs in marketing to rebuild a damaged reputation and
reengineer IT systems.
Are insurers selling policies to organisations about such
contingencies? Have there been substantial payouts? There
is very little public information about practice.
That lack of information is consistent with confidentiality
- organisations tend to be more open about coverage against
hurricanes and other 'acts of God' rather than action
by the Vladivostok mafiya or inaction by an imprudent
CIO. It also reflects the shape of the market for corporate
insurance, with insurers apparently not rushing to offer
discrete ID theft coverage but instead bundling protection
as part of general liability or broad IT
A spokesperson for Swiss Re commented in 2006 that "identity
theft seems to be mainly a topic for primary insurers,
especially in the US ... but it is not really a topic
Literature on custodian liability is highlighted here.
As with identity theft alert services provided on a commercial
basis by credit reference bureaus, some consumers have
questioned whether identity crime insurance is good value.
Typical criticisms are that -
for giving consumers a false sense of security ("after
all, they don't prevent the theft from occurring in
the first place")
often do not cover a victim's out-of-pocket expenses,
eg travel, phone and stationery costs
may have trouble claiming
policies do not cover legal fees
policies do not cover lost wages due to time away from
work dealing with identity crime
policies make any payment regarding time spent outside
work hours dealing with identity crime
Rights Clearinghouse commented
consumers, you're not buying a guarantee that identity
theft won't happen, and it's tough to say that these
policies will ease your frustration if you are a victim.
What you know for sure is that this is a kind of coverage
where insurance companies have weighed the risk and
decided that they can make money off of it.
with all insurance, much depends on the circumstances
of the damage, how much the consumer paid for protection
and the specifics of what protection is offered.
In the interim pointers to literature on the economics
of information technology security and insurance
are found elsewhere on this site.
next page (Australian