Bank of America, HSBC Most Prone to I.D. Theft, Report Says - Updated - Via Threat Level:

In a first ever study of which companies have the most identity theft incidents, Bank of America, HSBC, and Washington Mutual were named as the companies with the most incidents per billions of dollars of deposits, according to a study released Wednesday by Berkeley Law School fellow Chris Hoofnagle.

Among the nations' largest banks, ING Bank looks to be the safest, with only 0.085 identity theft complaints per billion dollars of insured deposits.

In terms of sheer numbers of complaints, Bank of America, AT&T and Sprint were named most often in the complaints, followed closely by Chase, Capital One and Citibank.

The study, entitled Measuring Identity Theft at Top Banks (Version 1.0), looks to be the first-ever attempt to name-and-shame companies based on their identity theft protections, or lack thereof.

Hoofnagle, who started as a privacy and consumer rights advocate at the Electronic Privacy Information Center, says he did  the study because he wants people to be able to choose institutions based on identity theft statistics.

He used a open-government request to get more than 88,000 complaints filed by individuals to the Federal Trade Commission in January, March and September 2006.  The FTC publishes statistical data about the complaints yearly, but does not publish the companies' names.

"In order for the market to effectively address the ongoing identity theft epidemic, consumers need reliable information about incidence of the crime among institutions," Hoofnagle wrote in the study.  "If data were available on this crime, consumers could choose safer institutions, regulators could focus attention on problem actors, and businesses themselves could compete to protect consumers from this crime."

To get a rough tally of the number of incidents per customer, Hoofnagle compared the number of incidents against publicly available FDIC data on the institutions insured deposits. No similar data existed for telecoms companies, making even rough ranking per customer impossible.

Hoofnagle admits the data is rough, but hopes the study will force better data to come to light in the future. He also hopes the data could force lawmakers and regulators to mandate public disclosure of identity theft statistics from banks (.pdf).

While the FTC data is currently the best source of data on identity theft, it relies on individuals to complain to them. It does not count police reports filed or incidents reported to banks, cell phone companies or credit bureaus.

For instance, the FTC data does not distinguish between fraud cases where an impostor establishes new accounts in a persons' name from more common cases where a person uses a stolen credit card to make purchases. The data also does not distinguish between identity theft committed online such as through phishing emails and identity theft done without the help of the internet.

UPDATE: Bank of America spokeswoman Betty Riess says the company hasn't seen the study yet, but says BoA takes security seriously. "Keep in mind that if we have a customer who reports they are a victim of identity theft that doesn't correlate to security at BoA," Riess said, referring to the fact that a BoA customer experiencing identity theft could have had their mail stolen or fallen prey to a phishing attack. "Protecting customer information is a top priority at BoA and we have multiple layers of security." Riess added that BoA uses online security offerings from RSA and lets customers use one-time credit card numbers for purchases from unfamiliar online retailers.

See Also:

• White House Task Force to Release ID Theft Plan
• LifeLock Founder Resigns Amid Controversy
• Identity Theft Not Down, It's Different, Expert Says

Full study.

(Read Original Article - Via Threat Level.)