Stealing (Identity) From the Poor

The law of data breaches is new, dynamic, and evolving. The number and complexity of breaches increases each year and legal scholars, courts, and policymakers scramble to respond. In 2019, 14.4 million consumers became victims of identity theft, the most problematic consequence of data breaches for consumers. Indeed, one-third of all Americans have experienced identity theft at some point in their lives. Yet despite low-income groups comprising at least thirty percent of all identity theft victims, existing discourse and debate on the regulatory regime governing data breaches and identity theft primarily reflects the experiences and concerns of middle- and high-income groups. Debates remain uninformed by detailed analysis of how the use of illegally obtained data may uniquely harm low-income individuals and how these harms may be exacerbated for low-income victims who are Black. We lack careful theoretical assessment of the complex relationship between identity theft victimization and wider structures of inequality. This Article uses original data to fill these significant descriptive, theoretical, and normative gaps in the literature. It then turns toward exploring the common and understudied problem of aligning regulatory regimes with the needs of prototypical higher-income people, leaving those who are low-income to operate within a system that was not designed to help them—what I call plutocentric regulation. Finally, the Article proposes a new federal agency, the Data Privacy and Identity Recovery Agency (DPIRA), to streamline the process for identity theft victims and make the recovery process equitable for all victims, regardless of their income.