ITRC's Predictions for 2016

At the conclusion of every year, the Identity Theft Resource Center takes a comprehensive look back at the issues and events that shaped the identity theft landscape from the previous year. Using trends, data breach results, and victim surveys, the ITRC makes predictions about what the coming year may hold.   

As in recent years, we’re once again making some fairly bold predictions—many of which will hopefully never come true—in an effort to make citizens and policymakers discard their current assumptions about identity theft and to better prepare for what could be or should be in 2016.

Here are some of our top areas of concern for the coming year:

Privacy concerns will supersede cybersecurity concerns: As a whole, the country will experience a strong shift in the national conversation about privacy in the coming year. It will evolve into greater demand for the right to privacy, especially in light of routine occurrences of data breaches and hacking events, but also in terms of the privacy we inadvertently give up. While the Internet of Things has made smart houses, smart cars, and even cloud-based medical devices more connected and convenient than ever before, the public will move away from a fascination with the ability to be connected, and instead place greater emphasis on the potential invasion of our right to privacy. Unintentional use of our data collected by connected devices and the real-world consequences of this data gathering will be more of a focus in the coming year. The anecdotal evidence of these kinds of invasions of privacy will become an even bigger part of the privacy conversation, and consumers will start making more informed decisions when it comes to purchasing these connected devices. Even more telling, consumer awareness will increase regarding the way companies they do business with handle data and privacy concerns. Consumers could very well place more emphasis on this factor when it comes to purchasing decisions. Trust in the organization they are doing business with has always been an influential factor in the decision making process, and in 2016, trust will encapsulate respect for individual privacy in a more meaningful way. 

Child identity theft may get worse before it gets better. With the longtime fascination with gathering copious amounts of student data in order to track standardized testing, literacy rates, global skills comparisons, and graduation rates, schools have always collected and stored highly sensitive information on children and young adults. The ongoing shift to paperless data and a desire to centralize all of the data within each school system has caused the education sector to turn to literally hundreds of different companies for software and cloud-based storage solutions. Unfortunately, as we have already seen, the rush to go digital can lead to security flaws and vulnerability. Even more unfortunate is the fact that students and their families often have no choice but to give up their information, only to have it fall into the wrong hands during a data breach. In addition to schools, children’s identities are also vulnerable through medical data collection, retailers’ and advertisers’ desire for data for marketing purposes, and through the more common avenue, relatives and friends of the family who steal their identities for financial reasons. While we have every reason to believe that the rates of child identity theft will get worse before they get better, 2016 may be the year that headway is made in protecting children’s identities through measures such as the ability for parents and guardians to place  freezes on children’s Social Security numbers. This type of step, which could only be undone through a multi-step process, would remove children as identity theft victims because of the long delay in accessing their credit. Not all states have this protection mechanism in place, but we are hopeful that in 2016, the ability to take proactive measures to protect your child’s identity will not be based upon the state of residence.

The complacency surrounding the Internet of Things (IoT) will dissipate. Before major retail data breaches such as TJMaxx in 2007 and Target in 2013, consumers were significantly less aware of the vulnerability of their personal identifiable information. Identity theft happened to people, of course, but it happened individually. Additionally, like health issues, many consumers realized that it could happen, but the thought was, “It only happens to other people.” When hackers first began accessing millions of consumers’ information at a time, privacy and the responsibility of protecting our data took on a much greater importance. The realization that victimization could occur to oneself, and not just other people, became evident. We have a tendency to forget about things like privacy whenever new technology comes out. Whether it’s a new software option for our smartphones or computers, a cloud-based thermostat that gathers information on when we’re home, or even a medical device that “talks” to our doctors for us, it’s easy to get so caught up in the excitement surrounding the technology that we forget what information that technology is gathering, storing, sharing, and potentially even selling. In the coming year, we’re going to see even more IoT innovation than we already have. Smart cars are already a reality, and major household appliances that can track our consumption are in homes across the country. The ease of operation and the availability of internet connections will bring even more purpose to joining our everyday items to the cloud.  Meaningful conversation about the privacy concerns with IoT will remain driven primarily by privacy advocates and watchdog groups but consumer engagement in the discussion will increase.   

Tax identity theft will become a bigger hardship, but at the state level. The IRS, which dispersed almost $6 billion dollars in fraudulent tax refunds last year, has been tasked by Congress to address where the failings occurred that lead to this tax drain, and what they’re doing to stop it. The result was a Security Summit with key government figures, security experts, and the software developers who create tax preparation software. At this event, new protocols were written that will go a long way towards stemming some of the flow of tax fraud. These new measures include things like stronger user passwords and multi-step authentication, consumer alerts if their information is changed, IRS alerts if the same computer or IP address submits multiple tax returns, and more. Unfortunately, these changes will help the federal government… but what about each state government? We’re a country of fifty different states with fifty different governments with many different state tax systems.  Without a system of controls that addresses a unified state filing system, identity thieves will continue to file state tax returns in multiple states for each stolen Social Security number they use. In fact, with the stricter controls on federal filing, tax refund thieves will ramp up their state-level efforts in order to recover the funds they’ll no longer collect federally. The $6 billion a year won’t go away, that burden will just be transferred to the already cash-strapped state governments.  For individuals who believe that they cannot become a victim because they reside in a state where state tax is not levied (currently Alaska, Florida, Nevada, South Dakota, Texas, Washington and Wyoming), this is an inaccurate notion.   Just because you reside in Alaska does not mean that a thief cannot file a fraudulent return in California. Hopefully, with the tax season almost here, 2016 will be the only year that state tax return fraud increases. There is a valid concern that consumers could become complacent about following through on their state tax fraud prevention since the federal return takes up so much of their focus, but perhaps 2016 will be the year that a national reporting and alert system is established (to deter fraud during filing in 2017) that will prevent the use of a single Social Security number in multiple states.

The definition of identity will continue to evolve. It hasn’t been that long since the US Supreme Court essentially changed the definition of what your house “is.” Now, your smartphone, tablet, or other mobile device has the same protection against illegal search and seizure that your residence has, a ruling that was made due to the sheer amount of personal content—and let’s be honest, potentially incriminating evidence—that your device contains. This ruling extended the concept of privacy for all citizens, and it came about when the law finally caught up to the technology. The same will be true of the definition of identity in 2016. No longer relegated to just a government-issued card with your photo, your identity and  proof of your identity will evolve just a technology has. Credit cards are already undergoing a major shift, the first of its kind since the magnetic stripe was introduced. Driver’s licenses in many states have also gotten a technological facelift, including bar codes to prove authenticity. But as those once easily counterfeited items have caught up in order to be more secure, new forms of identification have caught on as well.  In fact, one state is discussing the availability of a digitized version of driver’s licenses that will be housed on one’s mobile device.  With this convenience, privacy and security concerns will need robust discussion.  If the program in the state of Iowa, where this has been proposed, works well, other states may follow. Biometrics, one of our predictions for 2015 that hasn’t yet caught on in the way we originally thought, will still be a major factor not just in your identity, but also as something identity thieves want to steal. It’s more than nabbing a copy of your fingerprint in order to unlock your smartphone or mobile wallet, or stealing a replica of your retinal scan for verification.  As biometric authentication becomes more widely adopted, the incentive to steal this information for nefarious purposes will grow.

Old scams aren’t going away. Perhaps one of the most alarming predictions we have for the coming year is that the old scams—the same ones experts have been warning the public about for decades—aren’t going away. Why not? Because they still work. We’ve already seen some of the shifts, though. The famous Nigerian prince emails or foreign lottery winnings emails that once promised money to gullible victims have been replaced with far more ominous versions. Threats that they’ve been hired to kill you, emails that claim your grandson is being held for ransom, warnings that you’ve violated some user agreement and you’re now facing a high-dollar criminal penalty or lawsuit are all increasing in popularity. It’s easy to dismiss the promise that some stranger is sharing his inheritance with you; it’s a lot harder to ignore a threat on your loved one’s life. Of course, a lot of the old scams were successful because the victim didn’t know how the process really worked, such as the fact that the IRS will never call you on the phone and expect payment. As technology changes and new platforms open up, this same misunderstanding of the legitimate process leads to victims who don’t know how it works and therefore don’t realize they’re being scammed. We’ve also reached a wonderful era of more and more technology being put in the hands of users who’ve never had experience with it before. While this can be a great benefit to a vast number of people, it also opens people up to the potential for being victimized.




ITRC Sponsors and Supporters





Go to top