There can be real economic damages to an individual who is the victim of identity theft. The FTC has ruled that it is the individual’s responsibility to check their credit card statements for unauthorized statements. If a victim of credit card theft, for example, notifies the credit card company within 60 days of receipt of the statement, then the consumer’s liability is limited to $50.
Much of the literature on identity theft assumes that the value of an online identity has a fixed price. Say $.10 for an email password. $20 for a credit card number, etc. What this fails to take into account is that there is both supply and demand. Demand, most likely, is fixed. There are only so many possible ‘fences’ for stolen data. When a breach like TJ Max, Heartland, or Sony happens, the supply of stolen identities goes up by an order of magnitude while the demand remains the same. With this assumption, it is likely that the value of an online identity also goes down by an order of magnitude.
Maybe this is good for identity theft overall. What it could do is lower the risk/reward quotient for future identity thieves. If they knock over a small credit card merchant and only get 10,000 credit card numbers…then they may only be able to make 1/10th of what they would have before, while the risk of getting caught remains the same. Economically speaking, this might actually help deter future identity theft.