In which U.S. state is the average resident most likely to have their identity stolen?
That’s the question we set out to answer in this data study.
Some people think a higher population inevitably leads to higher cases of identity theft. More residents mean more identities to steal.
As cybersecurity professionals, we had a different hypothesis: We thought ID theft would be highest in states where data breaches are most common.
In the end, neither turned out to be quite right.
The answers to this question matter. Identity theft affects more than 1 million Americans every year, with losses in the billions.
In this article, I’ll review our results for the worst states for identity theft and highlight some of the measures these states have taken (mostly not taken) to protect their citizens.
Data for ID theft reports were sourced from publicly available data provided by the FTC. We looked at data by reports per year, spanning from 2018 to 2022, averaged it, and ranked states based on the average number of identity theft reports per 100,000 residents.
I decided not to order this list by aggregate numbers of identity theft reports. We wanted to measure risk on a per-individual basis: How likely is the average resident of each state to experience ID theft?
If ID theft was simply a matter of “more people means more aggregate attacks” then there should be a linear correlation with per capita reports. The fact that there isn’t means that some other factor is at play (hint: it’s COVID related). In this article, I’ll speculate about what those factors may be.
We used the PrivacyRights.org database as our for data breaches per state. This database is not a complete account of all data breaches, but the most comprehensive reporting available, and a sufficient proxy for data breach numbers at the state level, for our purposes.
I also wanted to show the median loss for identity theft in each state compared to the median income for the state. This is intended to highlight the impact of ID theft attacks.
Unfortunately, the FTC doesn’t track losses associated just with identity theft but tracks it for all incidences of fraud. That being said, identity theft and imposter scams accounted for 2/3 to 3/4 of all fraud claims tracked by the FTC. We have not adjusted the numbers by that metric, but doing may help rationalize them and we hope to add this analysis in the future.
Finally, we made a subjective, quantitative measure that compared the states by the strength of their government’s preventative measures against I.D. theft. These included state government laws (both to do with the criminalization of identity theft and the requirement for companies to report data breaches), and government programs that assist victims of ID theft with recovery. We allocated a 1 to the states with the weakest preventative measures and 10 to the states with the best.
The most revealing insights from this study were:
- Identity Theft is High Where Data Breaches Are High: ID theft requires both the acquisition of personal data (most commonly by data breaches) and the successful fraudulent use of that data. This study found a strong correlation between data breaches per capita (against businesses and government entities), and ID theft reports per capita.
- COVID Was a Nightmare for Identity Theft: Almost every U.S. state saw a spike in Identity Theft reports during the pandemic, thanks to fraudulent applications for unemployment insurance.
- Rhode Island is the worst state in the U.S. for identity theft, seeing an average of 897 ID theft reports per year, per 100,000 residents in the past 5 years. This was largely due to a high number of per capita data breaches in the state, including a high-profile breach of the R.I Public Transit Authority in 2021.
- Residents of Florida Lost the Highest Share of Median Income to ID Theft: An average identity theft in Florida cost the victim 2.74% of their income, the highest share in the nation. This may be due to Florida’s relatively low median income compared to the population. Florida ranks #34 in the U.S. for median income.
- State Govt. Preventative Measures Matter, and They’re Lacking: Governments in five of the 10 worst states for ID theft have no legal measures in place to prevent it, nor help victims with recovery.
- Strong Govt. Preventative Measures Can Reduce ID Theft Impact: The state of Maryland had the highest number of data breaches per capita, but, due to stronger preventative measures, these did not translate to higher incidents of ID theft per capita.
Here is the full ranking of the worst U.S. States for identity theft according to our study, with each data point and a detailed explanation.
#1: Rhode Island
Rhode Island made #1 on this list despite having a low incidence of data breaches in the past decade because of its abnormally high average rate of identity theft reports per capita.
Rhode Island residents lost a median amount of $600 to ID fraud in 2022, which might not seem like a lot but is almost 2% of the median state income, which can substantially impact the financially vulnerable in the state.
Rhode Island had an abnormally high volume of identity theft reports in 2020 and 2021. Rates jumped from the high hundreds and low thousands to 12,636 and 30,270, respectively. Most states did, and that’s a result of unemployment insurance fraud during COVID. Mass layoffs during the pandemic meant many unemployment offices were overwhelmed with requests, and due diligence may have been relaxed during that period to ensure people were paid quickly.
Cybercriminals took advantage of the crisis by using individuals’ personal information that had been stolen in prior data breaches to apply for unemployment insurance and steal it from individuals who may have needed it. It appears to be a crime of opportunity at this point: cybercriminals had the data and applied en masse. As a result, more than half of COVID unemployment benefits are predicted to have been requested fraudulently.
Overall, Rhode Island provides solid legal protections against identity theft, at least on paper.
Rhode Island passed the Rhode Island Identity Theft Protection Act in 2015, codified in Rhode Island General Laws Section 11-49.3. Those laws require private organizations and government entities that interact with Rhode Island residents’ personal data to maintain a security program to protect the confidentiality, integrity, and availability of that data.
If there is a breach of those security measures, impacted individuals must be notified. If more than 500 individuals were impacted, then the state Attorney General and credit bureaus need to be notified.
Those reports aren’t publicly exposed and aren’t well reported on, so it’s unclear how well the laws work to incentivize good security safeguards.
On a hopeful note, Rhode Island’s legislature is currently reviewing HB5745, the Rhode Island Personal Data and Online Privacy Protection Act. That will substantially bolster personal data protection in the state, but unfortunately, there’s still plenty of opportunity for business and political interest groups to diminish the impact and safeguards enumerated in the proposed regulation.
Kansas criminalized identity theft in 1998. While it’s a felony to impersonate someone else in Kansas, there’s not a lot in the way of reporting requirements. So if a company breaches the information of Kansas residents, they’re largely on their own to discover potential impacts. By that time, it may be too late to do anything.
Kansas has the #2 spot on this list because of its high average rate of identity theft reports per capita. That’s largely impacted by increased instances of identity theft during COVID. Kansas residents lost a median amount of $500 in 2022 to fraud and that represents 1.57% of the median state income.
Like other states in this list, Kansas was significantly impacted by an increase in identity theft claims during COVID. Rates in 2022 have largely returned to pre-COVID rates, but are still somewhat elevated in comparison.
Kansas hasn’t done a lot in the preventative space and it’s not clear that there are plans to do so. There certainly aren’t any proposed bills in the current state legislative session. It’s disheartening to see states do nothing to protect their residents’ personal information. It’s relatively straightforward for any state that doesn’t have reporting requirements for data breaches of state residents’ personal information to implement those controls. In 2023, there’s really no excuse to not have those laws passed or forthcoming.
Illinois made #3 on this list because of its relatively high per capita identity theft rates. Notable large healthcare breaches in the state may have contributed to that rate because of the relatively high volume of personal information leaked in those events.
Illinois has multiple measures in place to mitigate the impacts of identity theft:
- Defining identity theft as a felony with substantial penalties,
- An anti-phishing law, and
- A personal information protection act.
In total, those laws ascribe jail time and financial penalties to individuals who engage in identity theft practices. They also require protecting personal information, reporting breaches of personal information to affected individuals, and reporting to the state attorney general.
Illinois passed robust data protection laws over the past five years. Those laws may be mitigating the issue to a degree. If someone engages in identity theft and is within Illinois jurisdiction, the penalties are steep. There are even some notable examples of identity theft enforcement actions.
This gave Illinois the highest rating of any state on our list for preventative measures against ID theft. But the continued high incidence of ID theft reports leaves us to wonder whether these measures are effective.
Unfortunately, even though the Illinois attorney general collects identity theft information, they don’t publish that information for public consumption.
The Illinois legislature is debating a new data privacy law, the Illinois Data Privacy and Protection Act. That Act appears to mirror some of HIPAA’s safeguards for the minimum necessary use of data and extends that to other forms of personal data. It’s early enough in the legislative process that it will likely be heavily modified, but it’s a very forward-thinking rule.
Like other states, Illinois was impacted by a significant increase in COVID-era identity theft increases. Unlike some of the other states in this list, it only saw a five-fold increase in reports during that time. That was still enough to propel it into the third list position.
I previously highlighted what I believed to be key deficiencies in Georgia’s data protection measures:
- Georgia doesn’t provide information publicly about data breaches, and
- Georgia requires reporting only when 10,000 or more residents’ information is compromised.
That being said, Georgia does have data security and reporting laws that would cover information implicated in identity theft cases.
While Georgia does have data protection and breach reporting laws, the only notable enforcement actions come from the U.S. Department of Justice, largely operating under federal law. So where that law exists, the impact of that law is unclear.
Notably, Georgia is the only state on this list where identity theft reporting didn’t meaningfully increase during COVID and hasn’t abated. Georgia’s reported identity theft went from 44,889 in 2019 to 65,668 in 2021, and 60,348 in 2022. Where other states saw 3 to 30-fold increases, it’s disheartening to see a state with only a one-third increase and no significant abatement in 2022.
Georgia doesn’t seem to have any legislation on deck to address significant identity theft issues.
Nevada doesn’t have data breach or identity theft laws in place and there aren’t any currently proposed in the state legislature.
It’s unfortunate to see a state do nothing to protect its residents’ personal information in 2023. Admittedly, Nevada’s 2021 peak was 17,985 reported incidents, up from 7,762 in 2019. In gross numbers, that’s relatively small compared to other entries in this list. Still, in 2022, that trend seems to not be significantly abating with 12,672 reports of identity theft.
Louisiana doesn’t have data breach or identity theft laws in place and there aren’t any currently proposed in the state legislature.
Louisiana, like Nevada, seems to be ignoring a growing number of identity theft cases among its residents. Louisiana’s peak reports were 34,050 in 2021, with that declining to 24,898 in 2022. Pre-COVID numbers were less than half that, indicating a potential trend of persistently increased identity theft.
Florida has the dubious title of being the only state to have seen an increase in identity theft from 2021 to 2022, growing by 528 from 110,693 reported instances to 111,221. In total numbers, Florida is #3 in the United States for identity theft. It’s also the state with the highest percentage of income lost to fraud.
Where there’s such an endemic identity theft issue, one would hope that Florida’s government would take some steps to address the issue. Unfortunately, it appears that Florida is too busy curtailing its residents’ civil rights to do anything meaningful to protect its residents. There is no current or proposed legislation designed to address identity theft or its root causes.
Delaware seems to have avoided a substantial uptick in identity theft cases, peaking in 2021 at 5,452 reported cases, up from 2,187 in 2019. 2022 levels remain elevated at 4,682. It’s not the least number of reported incidents in the United States but is the smallest number on this list.
Delaware doesn’t have data breach or identity theft laws in place and there aren’t any currently proposed in the state legislature.
By not having mandatory data breach or identity theft notification requirements for companies, Delaware residents are on their own to discover potential compromise and misuse of their personal information. Placing the onus on individuals to identify that misuse means that they’ll only discover an issue when their identity is already compromised. It prevents them from taking proactive measures to help themselves and does a massive disservice to residents in a state where data breaches per capita are high.
Texas has a staggering number of identity theft cases and currently ranks #2 in the country in gross numbers, just eeking ahead of Florida. Like most other states, Texas saw a spike in identity theft reports during COVID and peaked in 2021 with 146,113. That shrunk to 113,808 reports in 2022, which is still higher than the pre-COVID reports which hovered around 73,000.
That being said, Texas is taking meaningful action to address its major identity theft problem and has the legislation in place to hold companies accountable for losing Texas resident data. It also has one of the lowest government reporting thresholds in the country and proactively requires all residents to be informed of an issue. It is too early to pass judgment on the efficacy of Texas’ programs, but they are a major step in the right direction.
Among states that have implemented data protection laws, Texas is a relative latecomer, but it’s a vanguard compared to most of the United States. Texas recently implemented TX-RAMP, which is a robust technology security and reporting law. Texas also has a fantastic breach reporting system with a requirement to notify the Texas attorney general if more than 250 records are implicated in a data loss event.
Like some other states in this list, Texas has also criminalized identity theft within its jurisdiction.
Maryland saw a peak of 29,777 identity theft reports in 2021 with an abatement to 20,736 in 2022. That’s still not down to pre-COVID lows hovering in the 12,000s, but it’s a move in the right direction.
There is an interesting note in the ID theft data for Maryland. The state has more data breaches per capita than any other on our list, but they do not translate to identity theft reports at the same rate as other states. It is reasonable to believe that this is due to the strength of Maryland’s ID theft prevention and protection measures.
Maryland provides robust notification for its residents and protection of their rights.
Maryland has robust data privacy laws and keeps an excellent database of notices for security breaches. It requires that Maryland residents be informed of a security breach of their personal information and all security breaches of Maryland residents’ personal information must be reported to the state Attorney General.
The Maryland Attorney General also provides comprehensive identity theft services for Maryland residents. Maryland also criminalizes identity fraud within its jurisdiction.
What We Can Learn?
There are a few great takeaways from this data. First and foremost, COVID was terrible for identity theft. Corporations engaged in mass layoffs, which inundated unemployment insurance offices, and created ideal conditions for threat actors to commit widespread fraud. It’s not the only place where COVID gave rise to rampant fraudulent activity and that says a lot about society, I think.
Second, states that provide robust protections for their residents saw higher rates of identity theft report decline between 2021 and 2022. I would wager that in the “post-COVID” world of 2023, those numbers return to largely pre-COVID levels.
Conversely, states that seem not to care enough about their residents to provide basic identity theft protections saw less of a decrease and in Florida’s case, an increase. There appears to be a direct correlation between identity theft report rates and state laws designed to protect against identity theft.
Third, the value of state laws protecting individuals is twofold:
- State residents are made aware of a loss of their personal information, which allows them to take measures to protect their identity and credit, and
- State Attorneys General are notified so that they can take action against companies that fail to protect their residents’ data. There are many examples of State Attorneys General working both independently and collectively to seek restitution from companies for their security failures.
State laws can’t act extraterritorially, meaning that states can’t prosecute individuals who engage in identity theft outside their borders. The federal government really can’t either, but has extradition treaties with many countries worldwide, which helps extend the reach of United States legal enforcement. So, the value of robust identity theft and data protection laws is to give individuals the opportunity to react to the breach event and protect their data before it’s exploited and to disincentivize companies from suffering a breach in the future.