> The burden of "Identify theft" should at this point is no longer on the victim but the defrauded institution.

This is how it's always been, but the lack of any real privacy protection laws in the US allows institutions to wipe their hands clean of any negligence when they can just blame the affected individuals. Better, the defrauded institution can just offer "free" "credit monitoring" that they themselves created.