Nighan — who doesn't golf and lives in Hartford, Conn. — figured out a way to legally make crime pay: Sell an insurance policy to protect against identity theft.
So in 1999, St. Paul Travelers became the first company to offer identity theft insurance. It cost $25 as an option to a homeowner policy and covered the costs involved in fixing credit report problems in the wake of a crime.
The idea took off and other companies followed.
"Our anti-fraud people say it is one of the fastest-growing areas," said Bryon Tucker, spokesman for the National Association of Insurance Commissioners. Companies offering the coverage include Allstate Corporation, American International Group Inc., Chubb Corporation, Fireman's Fund Insurance Co. and MetLife Inc.
Neither the National Association of Insurance Commissioners nor insurance trade associations keep figures on the number of identity theft policies in effect, partly because the area is relatively new.
Some critics complain that the insurance companies are profiting off a problem they helped create. Like many businesses, insurance companies give or sell information about their customers to data aggregators such as ChoicePoint Inc., which had its database breached by identity thieves and sparked a national debate over how personal information gets used.
"The unpleasant irony is that one of the main reasons we need protection is that actions by insurance companies helped make our personal information too readily available," said Doug Heller, executive director of the Foundation for Taxpayer and Consumer Rights, a consumer advocacy group based in Santa Monica, Calif. "They and other industries insist on their right to trade private information about all of us, and that makes it possible that the information can fall into the hands of thieves."
Insurance companies say the information helps them better evaluate the risks associated with individual policyholders, allowing them to offer more equitable rates.
Rather than rely on insurance, Heller and other activists said, consumers should demand tougher laws regulating how their personal data are used.
California has led the country in anti-identity-theft laws. It was the first to require that information brokers notify state residents if their personal information might have been revealed to scammers as the result of a database break-in. The state's law was seen as key to the disclosure of the breach at ChoicePoint.
Only five other states have notification laws as strong as California's — Arkansas, Indiana, Montana, North Dakota and Washington — according to the Public Interest Research Group.
Another law pioneered in California lets residents control access to their credit reports. This helps keep scammers from opening unauthorized credit card accounts or taking out loans in a victim's name. Only Louisiana has a credit-freeze law as strong as California's.
The insurance generally costs $25 or more per year. Policies don't cover the cost of items bought in the victim's name. But those costs are usually covered by the credit card company if the crime is reported.
Some companies include the coverage free on premium home insurance policies. And a few even allow victims to turn over the tedious and sometimes thorny task of fixing their credit status to a business that specializes in the field.
John Spagnuolo, director of new media for the Insurance Information Institute, a trade association, said he expected more companies to offer the coverage.
"Because of all the coverage of the problem in the media, consumers are aware that the possibility of being a victim of identity theft is not a small one," he said.
The Federal Trade Commission has put the number of yearly victims of identity theft at about 10 million, or nearly 5 percent of the adult population in the U.S. The agency estimates that identity theft costs $50 billion a year in false charges and lost time.