“You cannot have data compromised that you do not have.” James Lee has spent two decades watching breach transparency collapse—from near-total disclosure in 2020 to just 30 percent today. The president of the nation's leading identity crime nonprofit breaks down why your Social Security number is worthless on the black market. Why your driver's license isn't and what individuals can actually do when the system designed to protect them has already failed.
Episode Summary
James Lee has seen the identity crisis from both sides. He was a senior executive at ChoicePoint when a 2005 data breach triggered the first wave of breach notification laws in the United States. He now leads the Identity Theft Resource Center, the nation's only nonprofit providing free identity crime victim assistance. The ITRC's 20th annual data breach report, released weeks before this conversation, tracked a record 3,322 compromises in 2025—a 79 percent jump over five years—while 70 percent of breach notices failed to disclose how the attack happened.
Lee walks through the real economics of stolen identity: Social Security numbers carry zero resale value because the market is so flooded, while driver's license numbers command $150 to $2,000 depending on the state, a direct consequence of pandemic-era digital verification expanding their use far beyond the DMV. The conversation moves through the limits of KYC, the case for data minimization over data hoarding, and why the ITRC advocates for more friction in financial transactions. What it means is that breached data from years ago is being recycled into new attacks. Lee makes the case that individuals, organizations, and government all need to act—and none can solve identity crime alone.
About the Guest
James E. Lee is president of the Identity Theft Resource Center (ITRC), the nation's leading nonprofit dedicated to supporting victims of identity crime at no cost. Before joining ITRC's staff in 2020 as COO, Lee served over a decade on its board of directors, including three years as chairman. His career spans senior leadership at ChoicePoint (now LexisNexis), where he navigated the landmark 2005 data breach, and Irish cybersecurity firm Waratek. He chaired two ANSI working groups on identity management and privacy and has testified before the Senate Commerce Committee on identity crime trends. Lee holds credentials from the University of Texas Center for Identity, the Wharton School, and the University of Arkansas.
Key Quotes
- “You cannot have data compromised that you do not have. So data breaches go down right there. Data breaches go down, victims go down. Data breaches go down, cybersecurity attacks go down.” — James Lee
- “That one percent of revenue put a hundred percent of the enterprise at risk.” — James Lee
- “Your driver's license has become the de facto social security number because the social security number is so compromised.” — James Lee
Key Takeaways
- Breach transparency is collapsing, and it's by design: In 2020, nearly 100 percent of organizations disclosed root cause details in breach notices. By 2025, only 30 percent did—leaving individuals unable to assess their own risk or take informed action.
- Your Social Security number is worthless, but your driver's license isn't: SSNs are so widely compromised they're given away free in stolen data bundles. Driver's license numbers, newly valuable because of pandemic-era digital verification, sell for $150 to $2,000 on criminal marketplaces.
- Data minimization beats data security: The most effective defense against breaches isn't better encryption—it's collecting less data in the first place. If you don't need it, don't collect it. If the purpose is fulfilled, delete it.
- Freeze your credit and adopt passkeys today: Credit freezes are free, take minutes, and are the single most effective step individuals can take. Passkeys eliminate the credential-reuse problem that fuels most account takeovers.
Timestamps
- [00:04] The ChoicePoint breach: what a 2005 data disaster taught James Lee about institutional accountability
- [09:26] Are data brokers a net positive? The uncomfortable tradeoff between utility and risk
- [12:07] Breach notice fatigue: when data breach letters become a humiliation ritual
- [15:24] From ChoicePoint to ITRC: how James Lee ended up on the other side of the table
- [18:42] Breach transparency on the decline: better legal cover, worse consumer protection
- [23:33] The golden age of identity crime: what ITRC advisors hear from victims today
- [28:27] Recycled stolen data: old breaches fueling new attacks at scale
- [30:21] Why your driver's license is now worth more than your Social Security number
- [33:42] KYC under pressure: app-based identity verification getting duped by stolen credentials
- [38:13] The case for friction: why instant payments make fraud easier
- [44:44] Government data sharing: DOGE, SSA, and the fight over federal databases
- [48:18] Data minimization: should anyone be holding this much data in the first place?
- [53:19] Credit freezes, passkeys, and individual control over identity
- [57:33] Redesigning identity from scratch: ITRC's new vision
- [1:01:06] Three things to do today if you've been breached
Mentioned in Episode:
Podcast: