Wednesday, March 4, 2009

Identity Theft Services

I recommend that everyone avail themselves of an identity theft protection service. Similar to insurance in concept, such a service should provide professional services to the client who finds him or herself victimized by identity theft. Are all services equal? No. As we have already established identity theft can be divided into 5 major categories.

  • Theft of personal information to establish new credit accounts, take over existing accounts or otherwise establish retail purchases or cell phone accounts.
  • Theft of personal medical insurance data to obtain medical procedures, or to file insurance claims.
  • Theft of a drivers’ license in order to assume a new identity for a host of reasons ranging from commission of crime to obtaining employment, to air travel without otherwise proper identification.
  • Theft of another’s Social Security information to synthesize a new identity, gain employment, obtain insurance, file false IRS refund claims, etc.
  • Posing as another person so as to cause legal or libelous harm, perhaps even committing crimes and providing false identification to law enforcement. This type of identity theft is most common with illegal immigration. Often the result of a synthesized identity.

There are almost as many methods of obtaining the information, as there are thieves to steal it. Our information is under siege and no one solution will suffice in providing reasonable protection. We want a catch net type of service that will help us through most episodes of identity theft, foreseen or not. Although there are hybrid services that don’t quite fit into any one category, the basic types of service concepts are as follows,

Fraud alert services. Fraud alerts are free to anyone who reasonably suspects they are identity theft victims. The most common method is effective for 90 days, and is renewable with each credit bureau, although by law if one bureau is notified that bureau is responsible to notify the other bureaus. Under law (FCRA), before issuing new credit a business must contact anyone who has a fraud alert flag with the credit bureaus. Some companies acting on behalf of the client, set these alerts and advertise that this mechanism can“ stop” new account activity or "prevent" identity theft. Note; a significant number, but not the majority of new credit issuers, mostly retailers, do not run credit checks prior to issuing credit. A fraud alert service will only stopgap the setting up of new credit accounts.

Credit Monitoring. As the credit bureaus receive attachments from businesses and agencies describing activity from new accounts to payment activity, inquiries, etc credit monitoring services receive notices of those reports on behalf of the client and report that activity to the client depending on frequency from hourly to monthly. Somewhat broader in scope than fraud alerts, monitoring is reporting activity after the fact of the incident. Obviously the more frequent the monitoring activity the more effective the service.

Banks and Credit Card Companies often have products that provide identity theft services for their clients. The credit card companies are only interested in protecting that particular account from fraud. In other words they are protecting their own interest and the services do not extend beyond that account.

Banks have a variety of identity theft services but are fairly ineffective, and stripped down in the actual services they provide. All are administered by 3rd parties with whom the bank's service provider has a contract. It is very difficult to find who is actually performing the services, if any. They are largely based on insurance, (see below), and are tied to that bank to induce loyalty. If you close that account the services will stop. They also do not cover anyone other than the depositor. Generally there are two levels of service, free and fee based. Free is close to worthless, and the fee based version is a lower insurance deductable or slightly higher coverage, and a few ancillary services of little use to an identity theft victim.

Restoration. With a proliferation of new identity theft products on the market a lot of them claim to perform restoration of the client’s records. It is important to understand what each company means by restoration, and who performs the services of restoration. Very often the company is little more than a marketing firm and the restoration services are provided under contract with third party businesses not advertised in the literature. Some claim to have former law enforcement personnel on staff to ferret out thieves, some have caseworkers to represent the client during an identity theft episode. Ask about about the accreditation of these representatives, and the scope of their authority. Most of these services however, do not provide restoration for all of the forms of identity theft mentioned above. Instead they concentrate mostly on the financial types of the crime.

Insurance Any company that offers any sort of re-compensation insurance for loss or expenses us using the tactic of promising thousands or even a million dollars in insurance to lure customers. What they don’t tell you is that you first have to spend the money and then file an insurance claim. Also most of them have in the fine print of the contract language like “in the aggregate", indicating that this insurance amount is available over the lifetime of the client, not per incident. As we all know insurance claims are subject to underwriting and review by the carrier. Although they are obligated under insurance laws in each state most all claims are never paid because they don't meet threshold tests. Just to be clear, only the FDIC can insure money. The products can only claim to reimburse for out of pocket expenses related to resolving identity theft issues.

It is important to note that some companies offer to provide protection to entire families. This can be a little sticky. While it is important for adults to have identity theft services no one under 18 can legally obtain credit in the United States, or be held responsible for debt. Therefore minors should not have credit reports. If a report exists on a minor that might be an indication that identity theft has occurred in that minors' name. Parents should order copies of their minor children's credit reports by using . There is no cost for that and can be done once every 12 months. There shouldn't be a report but if one does exist an attorney can contact creditors and authorities on behalf of the family of the minor to handle these issues.

In conclusion anyone looking into an identity theft service is wise to choose a company that is transparent about the scope and nature of the services they offer. You should be able to look up the members of the Board of Directors biographies, and information about the company itself. Never trust any business that hides its operations behind its products. They should be a professional privacy and risk management type of firm with demonstrable experience in safeguarding sensitive information. They need to offer a full restoration service preferably performed by licensed professionals. They should offer proactive searches of non-financial databases such as FBI, IRS, Postal authorities, DMV and SSA for example. Such searches turn up other types of activity that usually do not show up on credit reports. The company should provide access to attorneys for all of the legal aspects of identity theft. They should also provide regular communications with the client on a weekly or monthly basis irrespective of any identity theft episodes. Whether the client opts to have a fraud alert service or not credit report monitoring is essential as it picks up non credit notices in credit bureau files such as change of address requests, criminal attachments, etc. Those are in my opinion the minimum requirements for any good service. Beware of claims such as preventing identity theft or any guarantees of results. Identity theft is a changing set of crimes and frankly the legitimate world is constantly playing catch up and trying to be as forward thinking as they possibly can. We only have one identity to protect. Be certain that the service you choose is going to be there for you when you need it.

Protecting Employees?

Who said that companies only have to be concerned with protecting the personal information of clients?

I have been reading and studying the privacy laws very carefully for several years and I've found the same thread over and over. These laws are in effect to protect the public from having their personal information stolen, lost, or otherwise misused. It's about identity theft, not compliance. And nowhere is it written that companies don't need to bother with employees' personal information.

Other laws require that companies who lose data contact everyone at risk that the information has been breached. Why do these so called "notification" laws exist? Is it so a business can be in compliance? No, it is to try and protect the public. Disregarding employee data from the mix won't help either. Aren't they part of the public too? Businesses have a special obligation to their employees.

Every expert in the field of privacy protection that I have read says the same thing when asked about which businesses are covered by which laws. The response is always the same. "It's the smart and responsible thing to do regardless of the nature of the business." If every business were to initiate a plan to safeguard the information they hold on employees and clients who would be left out?

On the practical side having such a plan which includes employees greatly reduces the employers' exposure to law suits filed by employees if they are exposed to increased risk at work. Arming employees with a good risk averse identity theft protection service can nearly eliminate lost work time on the part of employees and their families who have identity theft problems off the job too, if restoration is a part of the service.

Employers, toss out that compliance thinking and develop a mindset of complete security. You will accomplish a greater goal. It is to your advantage.

Remember, when you protect the information you keep on others you are protecing them. When someone else does it they are protecting you.

Tuesday, March 3, 2009

A Violation of your Privacy Rights

I want everyone to read something posted by my good friends at I've Been Mugged .
If you are not aware of this you should be. When you bury your heads in the sand on issues of your personal privacy it is the same as agreeing to have your privacy invaded and being used for someone else’s gain with little or no regard for you. In my opinion George does a great public service by researching and bringing these issues to you.

A good friend once told me "If you don't know your rights you don't have any." My friends you have the right to not be treated in this cavalier fashion by companies posing as a service.


Monday, March 2, 2009

New Payment Processor Breach Reports Unfounded

Last week's reports that another payment processor may have experienced a data breach remain unfounded and in a statement issued Friday, Visa said that new alerts recently sent to banks and credit unions regarding a compromise were part of efforts to clean up after an already-known breach, reports Computerworld. According to the report, the statement stands in contrast to those issued last week by Visa and MasterCard International, which suggested that a new breach had occurred.

I guess sometimes we are predisposed to "go to press" before we get more facts. Data breaches happen so regularly that we become inured to the impact of each and every case. I'm glad to set the record straight on this one.