About four months ago, I gassed on and on about the New York Times hyping the crime of identity theft. In a Page One May 30 feature, the newspaper accepted at face value the estimate from a 2003 Federal Trade Commission survey that identity theft cost the economy $48 billion.
Preposterous, I frothed, after inspecting the methodology of the FTC-commissioned survey. A couple of weeks later, Business Weekscoffed at the number, too, noting as a point of comparison that banks only made $103 billion in profits in 2005. How could identity-theft losses be half as large as their total profits? The magazine cited two smaller estimates as more plausible: the Department of Justice's estimate of $3.2 billion in identity-theft losses during six months in 2004, and an industry survey that reported banks lose $1.1 billion to credit card fraud annually.
Yesterday (Sept. 27), the Times finally got around to debunking the $48 billion figure in a levelheaded story by business reporter Steve Lohr. In "Surging Losses, but Few Victims in Data Breaches," Lohr writes, "But most industry analysts are skeptical that the actual losses are near the $48 billion estimate, which is widely quoted." He then cites the DOJ's $3.2 billion estimate.
Lohr's piece made no mention of the credulous May 30 Times story, nor a previous Times piece from June 21, 2005, that also swallowed whole the $48 billion estimate. Except for ignoring his paper's role in disseminating the wacky figure, the Lohr piece is an excellent example of skeptical, scrutinize-the-numbers journalism. He butchers the identity-theft hysteria, writing:
But while high-profile data breaches are common, there is no evidence of a surge in identity theft or financial fraud as a result. In fact, there is scant evidence that identity theft and financial fraud have increased at all. Even when computer networks are cracked into, and troves of personal information intentionally stolen, fraudsters can typically exploit only a tiny fraction of it.
An increase in identity theft isn't what's fueling the panic, Mark Rasch, a former Justice Department prosecutor who now consults on computer security, tells Lohr. "It's an explosion of laws requiring notification of data loss."
Fred H. Cate, the director of the Center for Applied Cybersecurity Research at Indiana University, says people confuse data loss with identity theft and go off half-cocked.
"My concern is that by overstating the current problem, we will end up paying less attention and responding less effectively when far more serious problems do surface. It's like the boy who cried wolf," Cate explains to Lohr.
I wish somebody would tell me why the Times ran its sensationalized May 30 piece on Page One but ran Lohr's sober take in its "Circuits" section. It's almost a row-back. I'm not suggesting that newspapers need to annotate themselves, but this particular attempt on the part of the Times to dispel hysteria would be more effective if the paper nodded to its own role in stirring up the madness.