[tappio]

Not sure about US, but this definitely does not apply in the EU. The banks are responsible. Also, the PSD2, which just came into effect here sets standards on person identification, which every financial institution needs to comply.

Of course, this does not mean that being a victim of identity theft does not suck.

The stolen information has some other severe side effects, which are not directly personal. The stolen credit card information and the drivers licenses are typically used for things like human trafficing. You buy some airline tickets with fake passport and stolen credit card, and travel as someone else.