Understanding Identity Theft Trends: Insights from the Identity Theft Resource Center
Video Transcript
Christine Owen:
Hi, welcome to another edition of Identiholics. I think we're in season two. We haven't been counting, but let's call this season two episode one. And we're really excited because we have James Lee from the Identity Theft Resource Center here today to talk about their annual report. Hi James. How are you today?
James Lee:
I'm doing great. How are you?
Christine Owen:
Good. So I've been following the report I would say for years now because every time you present it, I have been there and it's been very interesting to see where the trends are. So what are the trends that you guys have seen for this report? How are we doing on identity theft?
James Lee:
This is a couple of interesting things happening. We just released our annual data breach report, which this is the 20th year that we've been tracking data breaches. So we've got a lot of data about that and a lot of trending, and we're seeing data breaches and the impacts of various identity crimes kind of merge. So once upon a time, identity theft was pretty easy to identify. It was very common that you had a paper document stolen and that was the genesis of your identity theft. Or your checkbook was stolen, your social security card was in your wallet, something like that. It was pretty easy to find the root cause of an identity crime. Today, virtually all identity crimes, including cyber attacks, begin with data breaches. Which is kind of odd because there's a little bit of a chicken-and-the-egg element of a data breach and a cyber attack.
But what we are seeing is this almost convergence of all of these things where they do begin with a data breach or somehow the personally identifiable information of an individual being compromised. Sometimes it's self-compromised, more often than not it's because of some other kind of means. So we really are seeing some interesting things in that area. The impacts on people and businesses pretty much what you would expect them to be. There've been some good trends, there've been some bad trends. And on data breaches themselves, the last several years we had seen an exponential rise in the number of data breaches. We didn't quite get to that same level in 2024. We missed it by 42 data breaches tying the all-time high. So I guess we can call that a tree on a little bit of a wind. So what's about a 1% decrease, but the number of data breach notices went through the roof. Because we had six, well, we're terming mega breaches where there is a hundred million breach notices or more issued as a result of that.
Christine Owen:
So is there, I'm sorry. Is there a threshold that a company has to hit to be required to issue a data breach notice?
James Lee:
It depends by what state in which it occurs or what state the notice is required. So just a refresher for everybody. Data breach notices are creatures of state law, not federal law, although there are a couple of federal regulations around specific sectors like healthcare, telecom, publicly traded companies. But for the most part, data breach notices are creatures of state law. So we have 50 different definitions of what is a data breach? We have plus the District of Columbia plus all the territories. All those entities define it differently. They define a different trigger. So in the state of Maine, for example, a single individual is enough to trigger a data breach notice. But in other states it might be 25 or 50,000 individuals. So it's going to vary wildly and widely across the country.
Christine Owen:
That's really interesting. So I had this conversation with a friend of mine. She was asking me and one of our other friends what she should use for a password manager. And we started talking about this, and so I was asking her questions to give her some data points on what might work for her. And our other friend actually was widely against my recommendations, that's a whole nother story. He actually works for the FTC and this is why. But the long and the short of it is, is that, she said to us, "Well, what does it matter? My data's already fully breached." So what do you say to those folks who fully recognize that their data is out there, so what does it matter?
James Lee:
Well, let's back up a little bit. Not all of your data is out there and there's a lot of your data you can still control and keep out of the hands of identity criminals. And there are things you can do, even if it does fall into their hands, that you can make it less useful. And that begins with that password you're just mentioning, a password manager. And it may not be widely known just yet, but we've changed the recommendations for what a good password is. Now for years, we told you that you had to change that password every 45 to 60 days, that it had to have an uppercase, lowercase, number, symbol, stand on your head, rub your belly, pat your head, all those kinds of things made up a good password. Now, because we told people to do that, people went, "Are you kidding me?"
So what they did was, they used the same password on every single account that they had. And all that means is if the bad guys get their hands on that one password, they have the keys to your kingdom. And most people also use the same passwords at work and at home. So not only can you get access to your personal information, the bad guys can gain access to your company systems in many cases. In fact, those four of those six largest data breaches in 2024, each more than a hundred million data breach notices, all because of a stolen password. If that had not occurred, there would've been no breach. We would've had 1.1 million fewer victim notices if they had just done something as simple as had multifactor authentication on those accounts. So all of your data is not out there, and there are things you can do to protect it. Now, I think what we probably a better question is, which information is valuable and which information do I need to spend more energy protecting? It is not your social security.
Yeah, that doesn't mean you should start giving it away to everybody, but that really is out there and has been out there for years. So your social security number, if you went to an identity marketplace, which by the way is not on the dark web these days as much as it is on the light web. Hell, you can go to Instagram and see ads recruiting you to become an identity [inaudible 00:07:35]. So that social security number is out there. What is valuable is your password, for all the reasons we just talked about. Your Gmail account for example, could command anywhere between 65 and $100 for every one of your passwords. Your driver's license, that might cost an identity criminal anywhere between 150 and $200 because we're using driver's licenses in ways we've never used them before since the pandemic, so it's much more valuable.
So protecting that password, that login and password and your driver's license, far more important than protecting most of your other identity information. And there are easy ways to do that. But we're seeing those two things, for example, being far more sought after by identity criminals than some of the other kinds of data that we probably think of because of either what we see in the movies, what we see on television or what was true maybe five or 10 years ago, but isn't true today.
Christine Owen:
So how are you educating the population about driver's licenses, considering the rise of identity verification services that are requiring driver's licenses in Southeast right now?
James Lee:
Yeah, and that's exactly why that driver's license information is more valuable today. Why it's more sought after by identity criminals. So there's two parts of this. One part is, the organizations that collect that data need to be more diligent because that's not a piece of information they're used to protecting the same way they've been protecting, say, a social security number. So the security is a little bit more lax on that kind of information, just like logins and passwords. Then you have the issue with the individual, because we are sort of reflexive when it comes time to, somebody says, "Well, I need your driver's license number." Well, we just give it to them without ever asking, "Well, why do you need that?" And that's one of the things we ask people. Did you really need to turn over that driver's license number? Did you really need to turn over the physical card?
And in most cases they say, "I don't know. I never asked." So we ask people to get into that habit. Get into the habit of asking why do you need this piece of information? And if you don't need it, don't give it to them. If they do say, "Well, I have to have it and it's for this purpose," then ask them, "How are you going to keep it safe?" You can make the decision, "Is this something so important that I need to go forward with it?" I'm applying for a benefit or something. I'm applying for a job, I'm applying for a bank account. You need those things, so you may have to turn over that piece of information. But there's a lot of times when we're asked for information that it's really not necessary. It's being collected for marketing purposes, it's being collected to have a more full profile of you, but it's not really necessary. So we do say that people should get in the habit of asking and be willing to walk away from that transaction if you don't like the answer.
Christine Owen:
Yeah, I think that's definitely really important. I feel like that's not something that we do all the time in the US because we're so used to handing over a lot of information for social media and for other free services. So I think that's really good thing. So all right. So the trend is our data breaches have gone down, not a lot, but a little bit. And then what else? What are the other big trends that you saw this last year?
James Lee:
Well, we're highlighting a couple of things in our analysis. The first of which is, just a sheer number that could have been prevented with better cybersecurity and better data protection. So we already mentioned the fact about you had 1.1 million victim notices that would never have gone out if the organizations had required multifactor authentication. Because it was a stolen password that allowed someone to enter their systems and then steal hundreds of millions of individuals account information. Now, we don't know how many actual people that that actually translates to because just the way that data breaches are reported, and there's no central way of telling how many duplicates are in a data breach event.
But we know any way you cut it, there's a hundred million or more people who were impacted by four data breaches. But those four breaches never had to occur if they just had better security in place and it's best practice. We're not talking about radical kinds of security here, we're talking about what is now basic blocking and tackling of having multifactor authentication required on an account. If that had been there, those breaches never would've happened, and we, instead of talking about 1.6 billion, almost 1.7 billion data breach notices being issued last year, we would be talking about 255 million. Still way too high, way too high, but the difference between 1.6 billion and 255 million, means that would've been the lowest number of data breach notices issued since 2017.
So from a victim perspective, the trend is actually in a better direction. Now, again, still too high, but because the bad guys have gotten so much better at targeting of identifying a profile or maybe even at a specific individual that they want to try to extract information from, the number of people caught up in these massive kind of data breaches is getting smaller and smaller. Now, you still have these mass breaches, but they're failures of security. But now, because that data's out there, that gives the bad guys the opportunity to take advantage of another trend that we're seeing, and that is the use of AI for improving their attacks. We haven't been able to identify a specific technical AI driven attack, but we see lots of phishing attacks. We see lots of other kinds of attacks that reflect, they've taken that mountain of data, they've applied a layer of AI driven analytics, and as a result of that, they know exactly who and where they want to attack. So that's making it more efficient.
Christine Owen:
Yeah and their communications are becoming more targeted towards the individual. And they're in much better English that the person will recognize better.
James Lee:
Well, they're using generative AI to make the pitch more believable. It's more empathetic, it's more believable, the grammar is fine. It doesn't stand out as like it was a few years ago when you'd have Bank of America with two A's in bank or something like that. Those days are gone. And they also use these AI tools to make whatever fake website they've created to lure you to, to make you think you're actually signing up for a legitimate service for example. They use AI tools to make those letter perfect. They look like the actual organization. It takes a very sophisticated eye in many cases now to be able to tell. We're also seeing this rise in what we refer to as cheap fakes. Deep fakes are very expensive. They're rare, they're never going to be used to go after a particular individual unless they're high net worth or high profile. And that reason is, it's too labor-intensive. You can't automate an attack and scale using a deep fake against an individual.
So we're not going to see that, but we do see cheap fakes. So lower cost, not as labor-intensive, you can use them at scale. So for example, right now with the California fires, we fully expect to see scams using the cloned voice of maybe it's a celebrity, maybe it's an official, maybe it's someone that is recognizable, encouraging you to go to fill in the blank and make a donation today to help the victims of the California fire. That's an example of how these identity criminals, and this is back to what we said earlier, that everything now begins and ends with a data breach. They take that stolen data from a data breach, they develop their target list, they develop their pitch, all of which is done with AI, and then they'll create a cheap fake, and then they'll execute against their list of targets that they want to try to scam, and then they just collect the money.
Christine Owen:
You sound like really good marketers. I feel like if they want to get away from crime, they could be amazing marketing departments.
James Lee:
Oh, look, they're great business people. It's just they're running an illegitimate business. I mean, it literally is the more sophisticated kinds of crime groups, they have the same structure as a business. They have HR, they have marketing, they have their technology group, they have recruiters. Right now we're seeing massive recruiting efforts with the Russian affiliated crime groups where they're actually trying to recruit engineers who can look for flaws in software. That's their only job, as you know in our world, it's called pen testing. They're trying to find 10 pen testers. And in many cases, the people that they hire have no idea that it's not a legitimate business. They're told, "You're going to be a pen tester. All you need to do is see if you can break into this company and then report back." Because they think, "Oh, well, I'm doing something real. I'm doing something helpful." And only later do they find out what they're really doing was finding the vulnerabilities that would then be turned over to a different group to go and actually exploit that vulnerability, steal data, hold it for ransom, and then generate cash from what they found.
Christine Owen:
Yeah, amazing. All right, so we've got all these breaches. We've got the types of things that they're really looking for. What has happened with identity theft this year? Has it gone up or down or sideways or?
James Lee:
Well, it's sort of morphed. We're still seeing lots of identity misuse. Identity theft means you're stealing the actual information as we know now, most of that comes from a data breach. So an individual, unless they self-compromise these days in a scam, we don't see much of that highly targeted individual kind of what we think of traditionally as identity theft. The number of system errors, the number of human errors, the number of physical attacks, that being things like skimmers, like stolen devices, things like that. Those are continuing to go down year after year after year. In some cases, we are in the single digits, and in many cases though, we're only in the double digits, and that's continuing to go down. The big growth is in cyber attack.
And those are generally not targeted against an individual unless it's a phishing, but these are massive phishing attacks, so they're not what we think of as an individual attack. So identity theft as a whole in a traditional sense is going down. What it's becoming is identity fraud. And it's where that stolen data from a data breach is then used or in this case misused against an individual. So that then becomes, in most cases today, a scam of some sort. Maybe it's a social media scam, maybe it's again, a phishing attack of some type, but it is converted into another form of fraud. And then ultimately it's used to generate cash for the identity criminals. Now maybe it's your cash, maybe along the way they're trying to steal your resources, but more often than not, they're ultimately trying to get into a larger organization. They're trying to get into a business, they're trying to get to a point where they can get a big payoff either by selling your data or by exploiting an individual or an organization that's high net worth or an organization that's got a lot.
Christine Owen:
So what I'm hearing you say, and you can tell me I'm wrong. But what I'm hearing you say is, individual victims, there's not as many individual victims as there were in the past because they're going more for larger targets. Like for example, during the pandemic, there was a lot of fraud when it came to IRS. A lot of criminal organizations went and filed taxes on behalf of Americans and got some payday. Do we see that individual going down or is it about the same?
James Lee:
Those are kind of, well, they've gone down, yes, you're right, during the pandemic, they were extraordinarily high. We saw levels of identity fraud that we've never seen. We'd seen some highs in taxes, but tax fraud from an individual perspective has gone down substantially over, say 10 years ago when we started doing things like introducing the identity PIN that the IRS uses. So the IRS has done a lot of things to drive identity fraud down. Still happens, still too high, but it's not like it was 10 years ago. Same thing, what we saw during the pandemic was again, the use of driver's licenses in ways we've never seen before, which drove an extraordinary amount of unemployment fraud. And the only way people found out about it was, when they went to apply for unemployment when they needed it and found out, well, somebody had already been there. Or they didn't need the unemployment benefit, and they got a notice saying, "Somebody, you didn't know about it, but you've been receiving unemployment benefits this whole time and you didn't even know it," and you got a tax notice.
So individuals are still being attacked, but it's not for the purpose of stealing their data necessarily. It's in furtherance of a different kind of scam or fraud. And most times when that happens, it winds up with somebody self-compromising. So they think they're dealing with a legitimate individual or a legitimate business, and they wind up giving away either more information or they wind up giving away resources, they give them money. And then only later do they find out that it's fraud. So those things are what we see more often than not impacting an individual today, rather than just the pure, "I'm going to steal your social security number, I'm going to steal your driver's license." That's not what we're seeing. It's in furtherance of a more sophisticated, longer-term kind of crime.
Christine Owen:
Have you seen the movie The Beekeeper?
James Lee:
Yes.
Christine Owen:
Yes. That's the premise of The Beekeeper, why he ends up, I don't know, killing everyone. I couldn't watch the whole thing. I started watching on a plane. The beginning was great. It was definitely about identity theft, and then it turned into a Jason Statham shoot-'em-up movie that was like, I don't know.
James Lee:
Yes, I'm often compared to Jason Statham, so. That was actually, in many respects, it was a fairly accurate depiction. Not the whole conspiracy theory part of it, but the fact that there are boiler rooms around the world who there are people who are calling every day trying to get in touch with somebody to get them to self-compromise by telling them, "Oh, we've detected a problem with your laptop. There's a virus on there. We can fix this for you," but you never contacted anybody about it. Or you may not even have a virus in the beginning. That's a whole other conversation about the tools you need or don't need anymore.
But we now see this kind of effort, it's very sophisticated. This is not what we see in Hollywood where most times it's somebody with a hoodie in a basement, a dark room and a couple of lights on, they're drinking Red Bull and eating Twinkies. Or I guess now it's probably the red Cheetos. But that's not the reality. The reality is, they're very sophisticated, very well organized. They're generally in parts of the world where there are fewer regulations. They are part of well-organized criminal elements, there are entire compounds being built and operated in Southeast Asia where people think they're applying for legitimate jobs and they're essentially getting that. And they're forced to do nothing every day, but try to scam people usually in the United States or Europe because of the resources that those individuals have.
So this is not college kids sitting in their basement just trying to crack in or... When I was a kid, war games when for fun or you're trying to break into the Pentagon, that's not what we're talking about anymore. We're talking about highly sophisticated criminal organizations who have much more resources and much more time than the average organization who's trying to defend against those attacks, and certainly more than an individual has to try to defend themselves.
Christine Owen:
So were there any improvements this year? I feel like this is all doom and gloom. Did we see any improvements this year?
James Lee:
Yeah, let me get one more doom and gloom out and then we'll get to the improvement.
Christine Owen:
You can do a more doom and gloom, that's fine.
James Lee:
Because there is one more doom and gloom.
Christine Owen:
Oh no.
James Lee:
And it may not actually be that much of a doom and gloom, but we don't know. And that's because, today, data breach notices have less and less information. So every year, for the last few years, going back to 2021, we've seen less information. There's a long complicated reason that involves federal courts, but data breach notices today, only 30% of them actually tell you what happened. 30% of the ones filed last year. 30% had information about what actually caused the data breach, when you're talking about cyber attacks in particular. Well that means that 70% of the time we don't know and so other organizations and individuals don't know how to prepare to avoid becoming a victim of a similar event or a similar data breach. And that's very troubling because the only way we're going to be able to make headway against the bad guys is know what they're doing and use the collective wisdom of the group to determine how we can defeat those kinds of attacks.
But if you don't know what happened, you can't do that. So that's a big problem. And that goes back to this fact that data breach notices, which were designed to shame organizations into improving their cybersecurity so they never had a breach and didn't have the reputation and the unbudgeted expense of a data breach, that was the whole purpose behind data breach services. Was to make sure companies did what they could to avoid them at all costs. Well, now, that's not working, hasn't worked for 20 years, but is sure not working today. And if we're going to make headway against that, we've got to improve the information sharing about what's happening. Now, there are some good news elements out there. One of the things we found in talking to both victims and consumers, general consumers, is a lot of people are already adopting something known as passkeys. You may or may not have run across that. But passkeys are the replacement for passwords.
And in our research, in the first year, 30% of consumers said that they had created at least one passkey. That's a phenomenal uptake in one year. Because we didn't even have passkeys generally fully available until early 2024. So by the end of 2024 to have 30% of people saying, "Yeah, I've created one, that's a great news." And if we had had passkeys in place, we believe that there were about 200 data breaches. Those are the ones we know about because again, there's not enough information to tell that everything happened in those more than 3000 data breach total. But we know of at least 200 that could have been prevented if we'd had passkeys or multifactor authentication. That's 6% of the data breaches we know about that could have been prevented and that would've prevented more than a billion data breach notices.
That would be a great news story if we could say that we had prevented that just by doing something as simple as adopting this new technology. So passkeys do a couple of things. One, you cannot self-compromise. So all those phishing attacks trying to talk you out of your password or your login, won't matter, you won't know because it's based on your device. So when you log into your smartphone, your laptop, your tablet, and you're using a biometric, you're using your face, you're using your finger, you're using a PIN code, that uniquely identifies you as the owner of that device. So that device then talks to whatever organization you're trying to log into your account on the other side. On their side, because this is an exercise in encryption, we'll call it tokenization. The token in your device talks to the other side that's a public and a private encryption key. They never store the information on the company side.
So if there's a data breach, they can't take the encryption code to open your account. So the two things that lead to data breaches using credentials today will be eliminated entirely. So as passkey usage goes up, credential attacks will go down. We'll never get to a world where there's never any passwords. So there will always be a one or two or three credential attacks a year, but it won't be the number we're having today, and they won't have the impact of 100 million, 200 million, or in the case of Ticketmaster, 560 million accounts being compromised just because it didn't have that basic piece of security in place.
Christine Owen:
Yeah, I don't think that they've added passkeys either yet. I don't know, I used them recently, but I feel like I did not use a passkey to get in. So are you working with organizations to teach them how implementing passkeys on their side will actually help them reduce the amount of breaches?
James Lee:
This is like a religious exercise where two or three are gathered together, we will tell them about passkeys. That is one of our main talking points for this year, because it really does for the first time, this is an exponential way of improving security and reducing the number of identity crime victims. Which is of course, what we're concerned about more than anything else, is we want to reduce the number of identity crime victims. And this is one surefire way to do it. It's easy for the user and depending on the organization, it can be more complex. And it's like any other technology, it's going to improve over time. So I know there are organizations, particularly some large organizations, they're sitting on the sideline waiting for the improvements to occur, but you don't need to wait forever.
They need to be ubiquitous as quickly as we can make them that way. And some organizations have already done that. Microsoft, 100% of their products internally and externally, passkey. Amazon, every Amazon user can make a passkey. There are Uber, there are a lot of other brand recognizable organizations, and there's more every day who are adding this. Even, I'm trying to think of, I can't remember the name of-
Christine Owen:
Target has it, Target.
James Lee:
Yeah. And you'll see organizations that have a history, are probably a little bit faster to the mark than organizations that don't. And I do know a lot of the financial services organizations are very concerned. They have so many systems and organizations that have grown by acquisition, same issue. Organizations that have grown by acquisition, they are companies that a lot of times the backend looks like a bowl of spaghetti. It's bubblegum and baling wire holding things together because you've got so many different systems. But the reality is, the payoff on the end is going to be so much greater because if you can prevent just one, just one medium-sized, average size data breach, that's going to save you $10 million in cost.
So which would you rather do? Would you rather suffer through a data breach and have all those unbudgeted expenses have to explain to your customers, have to explain to your shareholders or whoever you're responsible to for the government, all the litigation costs going to incur, would you want to do that? Or would you want to invest in a technology that's going to prevent an entire class of identity attacks from occurring? I'm going to argue spend the money on passkey.
Christine Owen:
Yeah, I mean, I agree. I think passkeys, I understand that they are new and it's scary and they don't have all the things that some organizations want. But I think over time we're going to end up layering a lot of additional measures on top of passkeys. Passkeys are really just authentication, and then, we'll go back and figure out other ways to deal with high-risk transactions. But right now, using a password for a high-risk transaction makes no sense at all.
James Lee:
Yeah, I mean, if we're not careful and look, passkeys have been around, they've been in development for nearly a decade. But for most of that time, this was a discussion about letting perfect be the enemy of good. And we finally got over that and we've solved the technical issues. And now all of the primary players that needed to have the underlying infrastructure, Apple, Microsoft, Google, that's all been taken care of. So there's not any real excuse anymore other than institutional hesitancy to be looking at that seriously and adopting it where it makes sense. Because it is a technology that fundamentally changes the dynamics. In favor of the organization in a way we haven't seen in a long time. The last time we had that kind of, we can cut out the bad actors, you have to go back to the 80s. You have to go back and you have to look at how we dealt with the basic architecture of window to see the kind of exponential improvement that we can see with passkeys.
Christine Owen:
That's pretty amazing to say that, that's awesome. I love that. So, all right, so we are having improvement with passkeys, which is great. Any other places where we saw improvement this year?
James Lee:
Yeah, I'll go back to our report from the fall on the consumer impact and small business impact reports that we've put out. And we are seeing much more sensitivity. I think it's reflected in the uptake of capacity, but it's also reflective of people are more aware of things they should be doing. We did see more people saying, "I know I need to use a password manager." So we saw an uptick there. We saw businesses investing in training of their people in a big way, I mean, it was a significant double-digit increase year over year and investment in those things. Now there are tradeoffs in both sides, still not enough people are freezing their credit. Everybody should freeze their credit. You should certainly freeze your children's credit, especially after what's happened in the last couple of weeks with PowerSchool where you had an attack against organization that is the back end for a lot of schools where they paid the organization to delete the data even when it wasn't a ransomware attack. Still trying to figure that one out.
But I mean, your children's data is more valuable than yours. So freezing your child's credit when they're still a child before somebody can misuse it. So when they apply for college or financial aid or their first job and then you find out, oh, they've got 10 years of work history, they've got 10 years of credit history and it's all bad. The way to avoid all that freeze the credit now. So we are seeing a little bit of improvements, but not enough in those areas. The one thing I think that is driving particularly on the business side, what is clear, it's having an impact. I see what the long-term impact is, but at short term, that is the state privacy laws. So we now have these 20 states who have adopted a state privacy law because we don't have a national privacy law.
And in those states, 19 of the 20, there is a cyber security and data protection element of that law. So, small businesses in particular, they have all said they're aware they are making changes to their processes and to their systems to prepare for the day when they've got to show some state official that, "I have a cyber security plan, it addresses these issues that I know that I have and I know that I have to make certain kinds of system and process changes." I think that's great. That's a great, frankly, I'm a little surprised that the numbers were as high as they were.
Christine Owen:
Yeah. So New Jersey just came online with its new privacy law. But I've read somewhere, and it might've been from you guys that Texas is leading the way in cyber security suits. Is that true? Do you know about, am I making this up? I know I read it.
James Lee:
Yeah. It didn't come from us. Texas. Texas has adopted a cyber security law. There are a handful of states that are doing some interesting things. One of the things that I'm not sure, this is one of the things we've got to wait and see how it works. Where they're giving an incentive for organizations to improve their cyber security by basically saying, "If you meet the standard, whatever the standard is, that's all those things, it's to be determined." But if you meet the standard, then you are shielded from liability if you have a data breach. So you can't be sued in state court if there's a data breach, but you've met whatever the state says, "You have to be." On the one hand, that makes a lot of sense. It gives people, because that is one of the things we know that impedes organizations from reporting data breach. Don't know that it impedes them from investing in cyber security, but it does impede their desire to file a data breach note.
So we'll have to see if that actually plays out. The most comprehensive law today, of course, is California. But there are some other states that have some equally strict, and there were a couple of laws that did not quite make it across the finish line that would've been even stricter than California, particularly Vermont. But we'll see if Vermont comes back in this legislative season, which just started this month. If they come back with modifications for that law. Maryland passed a very comprehensive, very aggressive privacy law that will go into effect this year. We're seeing the state step in where Congress has not, and there again, it's created problems on the data breach side. None of these state privacy and data protection laws actually address data breaches. They leave those as separate laws, but each state is having... They have similar provisions in these privacy laws, but not the same.
And that creates an opportunity for businesses who are not as diligent, it gives them an out, and it creates complexity for the businesses that are diligent, who are going to do everything they can to comply with the law. They just don't know which law to comply with or they have to comply with every one of the laws in all the states in which they do business. So it's going to be interesting to see over time how this plays out and does this in any way lead Congress to say, "Okay, we're going to step in and we're going to solve this mess, which is developing because of these disparate kinds of requirements."
Christine Owen:
So, I want to go back real quick to the freezing your credit. I agree. I think also if you are in the sandwich generation, and so you have elderly parents, I think making sure you get them to freeze their credit is also really important because I feel like they are more susceptible to the scams than not. I know a lot of friends whose parents have answered the telephone and complied with what was asked. My question though is, how easy or hard is it to freeze your credit?
James Lee:
It's actually very easy to freeze your credit. When we first, and gosh, I guess it's been 20 years now, when we first started talking about credit freezes. And it was complex at the time and you actually had to pay for it. And it took days to weeks for it to actually take into effect. Today, it can take less than a minute. You do it all online. It can be automated. You can set it up, and if you don't need your credit for any reason, you just leave it frozen. If you do need to use it, because you're going to apply for a car loan or a mortgage or something, you're going to buy a big screen TV before the Super Bowl at a retail store, you can thaw. And it's the same process, you go on, takes less than a minute. You set what, literally to the minute, what time you want it to thaw and then what time you want it to be refrozen.
So it's a very automated process. It's very easy to do. I want to address something you said there about older people being more susceptible. The reality is everybody is susceptible. Our data and the data even of the FTC and other organizations who track these kinds of scams, if we were talking even probably seven or eight years ago, you would've seen sort of an inverse bell curve with very young people and older people being the most targeted and in the middle, people going, eh, whatever. Not the case anymore. It's almost a straight line across. Every demographic, age, gender, ethnicity, geography, by every account, it's a straight line. Everybody is susceptible, everybody is being targeted and everybody is losing money.
The only reason we focus so much on older people is, they tend to have more resources. They've had a lifetime to accumulate them. So they are a target of a specific kind of scam. But that doesn't mean that the other people who are younger than them are not susceptible or are not targeted, they are. Younger people fall for it at a higher rate than even older people do. But it's a different form of a scam that now is being targeted by the bad guys to that demographic, to that profile of that individual. So rather than throwing every scam against everybody, which that resulted in that U-shape pattern that we used to see. To now, because everything is so highly targeted, then highly specialized, now you see that straight line across.
Christine Owen:
That actually makes a lot of sense because when I said highly susceptible, I was thinking I wouldn't answer the phone. Whereas older people answer the phone. I don't like it that [inaudible 00:46:22], I don't know who that is, it's okay [inaudible 00:46:31].
James Lee:
And I am going to engage in an overgeneralization. I would also guess that a lot of times those phones have a cord attached to them as well. And we know that older people, they are, for a variety of reasons, they are much more engaging on the phone than the rest of us. I mean, I apologize to anybody and everybody, including my friends and family who call me, look, if it didn't come up with your name, I'm not answering the phone. And if you don't leave a message, you're not getting a call back. That's just the way the world works. The greatest thing that telecoms have done over the last few years is add that little thing that pops up that says, "Spam." Or likely spam. It goes, good. I can just say, "Oh, well I saw that you called, but it said spam, so I didn't answer."
Christine Owen:
Yeah. This is a little off-topic, not really. But my stepmother and her sister, they both have cell phones. They refuse to take them with them when they leave the house. And my stepmother, most of the time when it is in her house, it's off or lost. So you can only talk to her on a corded phone if you want to call her.
James Lee:
Yep.
Christine Owen:
It is what it is. So what do you expect? We heard what the trends have been. It sounds like cyber criminals are getting way more sophisticated, good for them. They're becoming more targeted. They're using AI in their tool set just like all of us are, which is really, in my opinion, more reasons why the good guys should be embracing and using AI. But what do you expect to see this year based on the trends that you've seen? If you had a crystal ball, what is it that you'd expect to see this year?
James Lee:
Yeah, I have to replace the batteries in my crystal ball. I think probably not so much we're going to see anything new, but we're probably going to see the acceleration of some trends. And I do think we're going to continue to see AI and the effects of that evolve. Every time the bad guys make a technical innovation, we see an exponential jump in data breaches. So we had one a couple of years ago, so we went from 17, 1800 data breaches a year to 3,200 in one year. Well, that corresponded to the introduction of some low-cost cyber attack kits. Anybody with a smartphone and 35 or $40 can become an identity [inaudible 00:49:26], all right? So you saw an exponential jump in data breaches. That then, so that was 2023 when we saw that jump. 2024, we saw the dramatic increase in scams and the financial losses associated with scams and the mega breaches occurring with very large numbers of data breach notices issued.
We also saw back to that year where we saw those new kits come out, we saw a lot of zero day where it was an unknown flaw that led to the breach. Now, what we're anticipating now in 2025, because we know the bad guys are out recruiting or people who are going to do nothing but look for flaws in software. We believe we're going to see another exponential increase in data breaches and potentially the impact of those because of whatever those pen testers find, whatever flaws the bad guys find and begin to exploit, we're going to see another explosion. So when in '25 that happens, to be determined. Good rollover into 2026. But we do think that that is a likely outcome of the effects of the bad guys being able to target better and have this all out effort to find software flaws that can be exploited. So that's one thing we think is going to happen.
Christine Owen:
So about, I know we don't know the full amount. About how much money was stolen due to identity theft and data breaches last year? Do we guess? I know we don't know the real number because of reporting, et cetera.
James Lee:
Yeah, it's almost impossible to pin down, because this is the most committed but most under-reported crime in the United States. There is no single agency in government that collects data about identity theft. It's not tracked by the Office of Justice Statistics. The FBI only tracks it if it's reported to them through IC3, so their computer crime scene. The FTC includes identity theft as a subset of broader fraud. And that's, again, it's only those that are reported to them. So if it's not reported, and many identity crimes are not because local law enforcement will not take identity crime reports in many cases. Or they fall below the threshold for taking any action because the dollar amount is not enough to rise to the point of actually requiring any kind of law enforcement investigation or prosecution. So we can only guess. So if you look at the FBI's numbers, for example, that's going to tell you we're talking about billions per year.
That's going to be some individuals, primarily businesses. You look at the FTC numbers, you're talking about hundreds of millions of dollars. So the reality is, it's more than it needs to be. And we're not going to make any significant headway until we can't quantify that. You can't fix something you can't measure. So we have to have better measurements around what is actually occurring and what is the projected dollar loss. And not just the direct loss, but things like lost productivity, the emotional impact, the identity crimes take on people, which by the way is one of those good news stories of sorts.
In 2023, the number of people who contemplated taking their own life as a result of being an identity crime victim was 16%. Now, think about that for a second. 16% of everybody who contacted the ITRC said they contemplated suicide. In 2024, that number was 12%. Still way too high, it used to be 2%, but it's coming in the right direction. But there's far more impact of these crimes than what we measure today, and we can't begin to make real headway until we can actually measure the financial, the physical, and the emotional tolls of these crimes today take.
Christine Owen:
Well, that is good that people, I guess, are feeling that it's more normal than it has been in the past. That's good and bad. I guess it's good for their mental health, bad because it is becoming more normal.
James Lee:
Yeah. There's some research out just last week that showed that, now they're extrapolating, so we don't know if it's real or not, and they acknowledge that. But their conclusion is, people are beginning to normalize data breach notices, and they're just ignoring. And it's like your friend who said, "Well, why do I should worry about, it's already out there." That's dangerous. That plays right into the hands of the bad guys. And that means that, we're not taking care of victims. We don't have outside of commercial endorsement for the ITRC, we're the only national nonprofit that offers direct assistance to identity crime victims for free, everything else is a paid service. So if people begin to normalize, "I'm going to be attacked, I'm going to have my identity misused, I'm going to lose resources multiple times in my lifetime," how can we hope to help them? We have no infrastructure built to deal with that.
This is the only crime type that does not have a built-in victim support system by design in the criminal justice system, but this one does not. And yet, we acknowledge it's the most committed, and increasingly, it's the one that people, they're just sucking it up, and that's just fundamentally wrong.
Christine Owen:
So how can people help with the center? Is there anything that normal people can do to help or?
James Lee:
The good news is, we are funded by, in part by the Department of Justice. We are funded by major gifts, and we are funded by corporate support. So from an individual standpoint, what we want individuals to do is take care of themselves. We want to help them do that. We want them to call us so we can help them. We can help educate them, and we can help them when something bad happens. So the main thing for an individual to do is to learn how to protect themselves and we're more than happy to do that through our website. You want to call and talk to somebody about it, we can do that, we can do a live chat through the website. We have any number of ways to help that happen, and we'd love to do that. But we don't need your financial resources directly, especially if you're a victim. You need to use those resources to protect yourself, not providing them to us. We're going to take them if you offer them, but that's not where our need is. Our need is to help people get educated, to protect themselves.
Christine Owen:
That's amazing. Well, thank you so much for chatting with me today. It has been a real pleasure and I can't wait for everyone who watches this to hopefully read the report. We'll make sure that it's linked with the video. Thank you.
James Lee:
Well, thank you and always a pleasure to talk and always willing to go anywhere and talk about it.
Christine Owen:
Thanks.