Skip to main content
main content, press tab to continue
White Paper | WTW Research Network Newsletter

Personal Identity Insurance: Coverage and Pricing in the US

By Daniel Woods , Stuart Calam and Omar Samhan | September 07, 2023

Whenever third-parties use personal identifiers to decide whether & who to send funds to, there’s a risk of identity theft but the economic costs mean individuals can insure against its consequences.
Cyber Risk Management

Personal identity theft occurs when a criminal uses stolen personal identifiers to manipulate third-parties into taking actions under the false belief they are communicating with the individual whose identity has been stolen. A typical example is the criminal taking a loan out under someone else’s name or tricking tax authorities into sending a tax rebate to the criminal’s account. The bank will then pursue the identity theft victim for funds that were sent to the criminal.

The Federal Bureau of Investigation’s Internet Crime Complaint Centre received over fifty thousand reports of identity theft in 2021, which is 300% higher than in 20191. The total economic cost in 2021 is estimated to be $278 million, which amounts to over $5000 per incident[1]. Typical individuals will suffer an identity theft every 10 to 100 years, with the exact estimate varying based on the crime survey’s methodology and target population[2].

50000 reports of identity theft in 2021, 300% higher than in 2019

$278 million estimated total economic cost in 2021, amounts to over $5000 per incident

10 to 100 years typical individuals suffer an identity theft

A market for personal identity insurance has emerged to mitigate the associated harms. In a study supported by the WTW Research Network, Dr Daniel Woods from the University of Edinburgh extracted 34 personal identity insurance products that were uniquely filed with regulators in the US and conducted a content analysis on the policy wordings, pricing algorithms and actuarial tables to answer the following:

  • Which harms are covered by personal identity insurance?

  • What is the implied likelihood and severity of each harm?

  • How do insurers justify the scope and pricing of coverage?

Analysing the policy wordings reveals that personal identity theft causes several costs in terms of monitoring credit records, lost income and travel expenses, attorney fees, and even mental health counselling. The research analysis shows there are few exclusions related to moral hazard, suggesting identity theft is largely outside the control of individuals. The study also extracts actuarial calculations, which reveal financial impacts ranging from a few hundred to a few thousand dollars. Finally, insurers provide support services that are believed to reduce out of pocket expenses by over 90%.

The insights could help individuals to manage privacy risk by evaluating the effectiveness of transferring the consequences to an insurer. Individuals may be further supported by the risk-reduction services that are often provided alongside insurance[3]. Thus, one could consider privacy insurance as a form of privacy enhancing technology, notably a financial product that diverges considerably from the usual technical approach. The study also contributes to an emerging field of technology insurance that covers cyber attacks[4], cryptoassets[5], cyber bullying[6] and artificial intelligence liability[7].

The following extract, which was included word-for-word in multiple regulatory filings, provides a concise summary of the study:

“While there are ways to reduce one’s exposure to identity theft, it is a crime that can strike anyone. Those who are victims of this crime need to make identity recovery a top priority, because otherwise:

  • Credit rating can be ruined
  • Arrest warrants can be issued against the victim
  • Liens can be applied against the victim’s assets

While many financial institutions provide protections to consumers for the actual fraud loss, most individuals have no help for the time and expense required to restore their personal identities."

While the extract suggests there are “ways" of reducing exposure, the research shows insurers do not push policyholders towards implementing them. One explanation is that identity theft risk reduction is too ineffective or too onerous to ask of policyholders. This supports a narrative in which consumers are powerless to prevent privacy harms resulting from personal identity theft. The corresponding insurance coverage reflects a need for ex-post response solutions to both reduce privacy harms and indemnify the financial cost.

This study confirms one aspect of the privacy harm literature. Legal systems fail to recognise and remedy privacy harms[8]. This is evidenced by the emergence of a private market covering the harms associated with identity theft incidents. The market also shows that the lack of support services leads individuals to suffer more harm. For example, one insurer anticipates case management services lead to a 90% reduction in the cost of an identity theft incident. Thus, policy makers could reflect on whether the impacts of identity theft and the expertise to remedy are fairly distributed across society. The status-quo in which financial smoothing and risk reduction services are privately provided undoubtedly skews towards affluent consumers.


  1. Federal Bureau of Investigation. Internet Crime Report, 2021. Return to article
  2. Daniel W Woods and Lukas Walter. Reviewing estimates of cybercrime victimization and cyber risk likelihood. In2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 150–162. IEEE, 2022. Return to article
  3. Rob Thoyts. Insurance theory and practice. Routledge, 2010. Return to article
  4. Sasha Romanosky, Andreas Kuehn, Lillian Ablon, and Therese Jones. Content analysis of cyber insurance policies: how do carriers price cyber risk? Journal of Cybersecurity, 5(1), 2019. Return to article
  5. Adam Zuckerman. Insuring crypto: The birth of digital asset insurance. U. Ill. JL Tech. & Pol’y, page 75, 2021. Return to article
  6. Nir Kshetri and Jeffrey Voas. Thoughts on cyberbullying.Computer,52(4):64–68, 2019. Return to article
  7. Anat Lior. Insuring AI: The role of insurance in artificial intelligence regulation. Harvard Journal of Law and Technology, (1):in print, 2022. Return to article
  8. Danielle Keats Citron and Daniel J Solove. Privacy harms. Boston University Law Review, 102, 2022. Return to article

University of Edinburgh
email Email

Head of Technology Risks Research,
Programme Director and Climate & Resilience Hub
email Email

Technology and People Risks Analyst
email Email

Contact us