Wednesday, March 4, 2009

Identity Theft Services

I recommend that everyone avail themselves of an identity theft protection service. Similar to insurance in concept, such a service should provide professional services to the client who finds himself or herself victimized by identity theft. Are all services equal? No. As we have already established, identity theft can be divided into 5 major categories.

  • Theft of personal information to establish new credit accounts, take over existing accounts or otherwise establish retail purchases or cell phone accounts.
  • Theft of personal medical insurance data to obtain medical procedures, or to file insurance claims.
  • Theft of a driver’s license in order to assume a new identity for a host of reasons ranging from commission of crime to obtaining employment, to air travel without otherwise proper identification.
  • Theft of another’s Social Security information to synthesize a new identity, gain employment, obtain insurance, file false IRS refund claims, etc.
  • Posing as another person so as to cause legal or libelous harm, perhaps even committing crimes and providing false identification to law enforcement. This type of identity theft is most common with illegal immigration. Often the result of a synthesized identity.

There are almost as many methods of obtaining the information as there are thieves to steal it. Our information is under siege and no one solution will suffice in providing reasonable protection. We want a catch net type of service that will help us through most episodes of identity theft, foreseen or not. Although there are hybrid services that don’t quite fit into any one category, the basic types of service concepts are as follows:


Fraud alert services. Fraud alerts are free to anyone who reasonably suspects they are identity theft victims. The most common method is effective for 90 days, and is renewable with each credit bureau, although by law if one bureau is notified, that bureau is responsible to notify the other bureaus. Under law (FCRA), before issuing new credit a business must contact anyone who has a fraud alert flag with the credit bureaus. Some companies, acting on behalf of the client, set these alerts and advertise that this mechanism can "stop" new account activity or "prevent" identity theft. Note: a significant number, but not the majority of new credit issuers, mostly retailers, do not run credit checks prior to issuing credit. A fraud alert service will only stopgap the setting up of new credit accounts.


Credit Monitoring. As the credit bureaus receive attachments from businesses and agencies describing activity from new accounts to payment activity, inquiries, etc., credit monitoring services receive notices of those reports on behalf of the client and report that activity to the client depending on frequency from hourly to monthly. Somewhat broader in scope than fraud alerts, monitoring is reporting activity after the fact of the incident. Obviously, the more frequent the monitoring activity, the more effective the service.

Banks and Credit Card Companies often have products that provide identity theft services for their clients. The credit card companies are only interested in protecting that particular account from fraud. In other words they are protecting their own interest and the services do not extend beyond that account.

Banks have a variety of identity theft services but are fairly ineffective, and stripped down in the actual services they provide. All are administered by 3rd parties with whom the bank's service provider has a contract. It is very difficult to find who is actually performing the services, if any. They are largely based on insurance (see below), and are tied to that bank to induce loyalty. If you close that account the services will stop. They also do not cover anyone other than the depositor. Generally there are two levels of service, free and fee based. Free is close to worthless, and the fee based version is a lower insurance deductible or slightly higher coverage, and a few ancillary services of little use to an identity theft victim.


Restoration. With a proliferation of new identity theft products on the market, a lot of them claim to perform restoration of the client’s records. It is important to understand what each company means by restoration, and who performs the services of restoration. Very often the company is little more than a marketing firm and the restoration services are provided under contract with third party businesses not advertised in the literature. Some claim to have former law enforcement personnel on staff to ferret out thieves; some have caseworkers to represent the client during an identity theft episode. Ask about the accreditation of these representatives, and the scope of their authority. Most of these services, however, do not provide restoration for all of the forms of identity theft mentioned above. Instead they concentrate mostly on the financial types of the crime.


Insurance. Any company that offers any sort of re-compensation insurance for loss or expenses is using the tactic of promising thousands or even a million dollars in insurance to lure customers. What they don’t tell you is that you first have to spend the money and then file an insurance claim. Also, most of them have in the fine print of the contract language like "in the aggregate", indicating that this insurance amount is available over the lifetime of the client, not per incident. As we all know, insurance claims are subject to underwriting and review by the carrier. Although they are obligated under insurance laws in each state, most all claims are never paid because they don't meet threshold tests. Just to be clear, only the FDIC can insure money. The products can only claim to reimburse for out of pocket expenses related to resolving identity theft issues.

It is important to note that some companies offer to provide protection to entire families. This can be a little sticky. While it is important for adults to have identity theft services, no one under 18 can legally obtain credit in the United States, or be held responsible for debt. Therefore minors should not have credit reports. If a report exists on a minor, that might be an indication that identity theft has occurred in that minor's name. Parents should order copies of their minor children's credit reports by using http://www.annualcreditreport.com/ . There is no cost for that, and it can be done once every 12 months. There shouldn't be a report, but if one does exist an attorney can contact creditors and authorities on behalf of the family of the minor to handle these issues.

In conclusion, anyone looking into an identity theft service is wise to choose a company that is transparent about the scope and nature of the services they offer. You should be able to look up the biographies of the members of the Board of Directors, and information about the company itself. Never trust any business that hides its operations behind its products. They should be a professional privacy and risk management type of firm with demonstrable experience in safeguarding sensitive information. They need to offer a full restoration service, preferably performed by licensed professionals. They should offer proactive searches of non-financial databases such as FBI, IRS, Postal authorities, DMV and SSA, for example. Such searches turn up other types of activity that usually do not show up on credit reports. The company should provide access to attorneys for all of the legal aspects of identity theft. They should also provide regular communications with the client on a weekly or monthly basis irrespective of any identity theft episodes. Whether the client opts to have a fraud alert service or not, credit report monitoring is essential as it picks up non-credit notices in credit bureau files such as change of address requests, criminal attachments, etc. Those are in my opinion the minimum requirements for any good service. Beware of claims such as preventing identity theft or any guarantees of results. Identity theft is a changing set of crimes and frankly the legitimate world is constantly playing catch up and trying to be as forward thinking as they possibly can. We only have one identity to protect. Be certain that the service you choose is going to be there for you when you need it.

Protecting Employees?

Who said that companies only have to be concerned with protecting the personal information of clients?

I have been reading and studying the privacy laws very carefully for several years and I've found the same thread over and over. These laws are in effect to protect the public from having their personal information stolen, lost, or otherwise misused. It's about identity theft, not compliance. And nowhere is it written that companies don't need to bother with employees' personal information.

Other laws require that companies who lose data contact everyone at risk that the information has been breached. Why do these so called "notification" laws exist? Is it so a business can be in compliance? No, it is to try and protect the public. Disregarding employee data from the mix won't help either. Aren't they part of the public too? Businesses have a special obligation to their employees.

Every expert in the field of privacy protection that I have read says the same thing when asked about which businesses are covered by which laws. The response is always the same. "It's the smart and responsible thing to do regardless of the nature of the business." If every business were to initiate a plan to safeguard the information they hold on employees and clients who would be left out?

On the practical side, having such a plan which includes employees greatly reduces the employers' exposure to lawsuits filed by employees if they are exposed to increased risk at work. Arming employees with a good risk-averse identity theft protection service can nearly eliminate lost work time on the part of employees and their families who have identity theft problems off the job too, if restoration is a part of the service.

Employers, toss out that compliance thinking and develop a mindset of complete security. You will accomplish a greater goal. It is to your advantage.

Remember, when you protect the information you keep on others you are protecting them. When someone else does it they are protecting you.

Tuesday, March 3, 2009

A Violation of your Privacy Rights

I want everyone to read something posted by my good friends at I've Been Mugged.
If you are not aware of this you should be. When you bury your heads in the sand on issues of your personal privacy it is the same as agreeing to have your privacy invaded and being used for someone else’s gain with little or no regard for you. In my opinion George does a great public service by researching and bringing these issues to you.

A good friend once told me "If you don't know your rights you don't have any." My friends you have the right to not be treated in this cavalier fashion by companies posing as a service.

John

Monday, March 2, 2009

New Payment Processor Breach Reports Unfounded

Last week's reports that another payment processor may have experienced a data breach remain unfounded and in a statement issued Friday, Visa said that new alerts recently sent to banks and credit unions regarding a compromise were part of efforts to clean up after an already-known breach, reports Computerworld. According to the report, the statement stands in contrast to those issued last week by Visa and MasterCard International, which suggested that a new breach had occurred.

I guess sometimes we are predisposed to "go to press" before we get more facts. Data breaches happen so regularly that we become inured to the impact of each and every case. I'm glad to set the record straight on this one.

John

Friday, February 27, 2009

A Culture of Compliance or a Culture of Security?

In 2007 the Federal Trade Commission published a small booklet called Protecting Personal Information, a Guide for Business. It lays out steps any business should look at to improve its internal security practices. One of the paragraphs begins, "Create a Culture of Security". That term stuck with me and has become part of my personal lexicon when I talk about data loss in a business setting.

GLB and the new Red Flags Rule lay out in pretty specific terms a short list of simple steps every business needs to adopt across the board regardless of the industry. There are fundamental file types shared by all businesses like payroll and HR records, receivable accounts, and so forth that need to be safeguarded. Add to that client personal information, patient records for medical organizations, company intellectual property and strategies, and then the access other businesses have to that information by way of contract arrangements, and you have quite a lot to keep track of. Therefore, whether a business is an accountancy covered by GLB, or a bank subject to FACTA Red Flags, or any other business type, a written identity theft prevention and response policy adopted by a board or owners is the basic element. From that policy flows company-wide training, and documentation. Next, oversight into the identity theft prevention policies of the other businesses that can access the information makes sense to tie the program together.


Whether it is apparent or not every business looking into adopting an identity theft strategy has two basic choices in philosophy as to how they will approach their program.

First is what I call a Culture of Compliance. A culture of compliance is simply that. Looking at the letter of law and taking the traditional step by step route of signing off on each point of compliance. Now, this business might well be concerned about losing valuable information, and implementing their program for all the right reasons, but is their goal more skewed to compliance and business liability, or to lowering the risk of identity theft? The reason I say that is not to impugn anyone’s compliance program but to point out a subtle difference that can make a very large difference in how effective the program will be when it is put to the test. Compliance is almost always a top down policy adopted by management, explained in some detail to department heads and managers, and then finally presented to the rank and file as the new way to perform certain tasks. Employees are then instructed to sign off that they understand the new procedures, and that’s pretty much it.

Now on to the second choice a business has, a Culture of Security. In this mindset the policy begins in much the same way by being adopted by the board and then explained in detail to department heads, etc. Here is where the different mindset comes into play. It needs to be understood that no matter how simple or extensive a program, it is the employee that protects the information, not management or department heads. While ultimately responsible, management doesn’t necessarily handle the data personally. So it is essential to thoroughly educate the staff. Not just the IT or records keeping personnel but all staff.

Identity theft is a real crime with real victims. I don’t know anyone that doesn’t at least know one victim of identity theft. It touches all of us in some way. I hear devastating stories from victims all the time. This is at the heart of why a company needs such a policy. Certainly the business logic of preventing data loss is key to survival. I don’t want to minimize that, but I also don’t want to minimize the risk to the employees themselves, or the individual client. Their lives can be ruined by identity thieves in a number of ways. That can have a serious impact on the business too, from lost work-time to loss of public confidence and potential loss of clientele.

Training the employees, and I mean all employees, needs to include a solid awareness of the crimes of identity theft and how they themselves can learn to mitigate their personal risk as well as that of the clients. Those trainings are also an opportunity for the employees to offer their own solutions to how office flow might be tightened up and certain procedures changed to increase security. I have not visited a business yet that did not have issues that need improvement. That not only has the net effect of helping the staff but also sensitizing them as to the risk to the client. If you make the staff a part of the solution you have a much more effective program that grows away from management and takes on a culture of security. "When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you." It is also imperative to offer the entire staff a mitigating identity theft service. It is not a matter of whether the company pays for that or if it is an employee option. It will have the net effect of protecting the company and the employee, and saving both money and time.

Which method will you choose for your business?

Wednesday, February 25, 2009

Another Payment Card Processor Breached

Computerworld reports that another payment processor has been rocked by a security breach. Details are few and the affected company has not been identified, but according to reports, attackers breached a U.S.-based company, uncovering the account numbers and expiration dates of payment cards used in card-not-present transactions between February 2008 and January 2009. It is the third breach incident involving a payment processor since December, coming on the heels of Heartland Payment Systems' breach announcement just weeks ago. Visa Inc. and MasterCard International Inc. have begun notifying banks and credit unions of the compromise. Some fraudulent transactions have been reported as a result of this latest breach.

Monday, February 23, 2009

An Identity Theft Risk Management Program

In the last four posts I have described the fundamentals of a good identity theft program that takes into account the basic requirements for all parties. There are also additional compliance requirements placed on specific industries such as healthcare, banking and so forth. But it is very important to have all of the fundamentals in place so the program will be more effective. Let me introduce you to the Affirmative Defense Response System offered to businesses from Pre-Paid Legal Services Inc.

First, we covered The Victim and the effects different forms of identity theft might have. We talked about the laws enacted to protect individuals from having their information stolen from databases, company spreadsheets, or HR files and used by thieves.

In The Company I described briefly that entities that keep information for business purposes have a legal responsibility to try and safeguard it. We then outlined the basic procedures that any business can undertake as the foundation of an identity theft prevention program. It is important to remind the reader that without these basics all of the higher order compliance procedures are much less effective.

Documentation. Without documentation the company cannot mitigate its exposure to liabilities such as litigation, fines, prosecution, and damaged public relations.

There are companies that provide services to assist with portions of these necessary steps. Some offer training programs, some identity theft products for the employee or client. Some companies provide a complete response package of notification to potential victims, and forensic services to the affected business. In other words there are a number of companies that offer a lot of services to the business. The ones I have looked at are very good at what they do. They are also specifically in the business of providing only these types of compliance services.

Here’s why Pre-Paid Legal Services is unique and very effective. We are the only company in the field that offers a highly effective identity theft product to protect from all forms of identity theft, not simply from financial crime, regardless of how and where the crime occurs. It is also the only product that provides complete restoration of the victim’s identity, again regardless of the nature. Restoration means no matter what records are affected, Kroll Fraud Solutions has licensed forensic investigators on staff to fully manage all of the restoration processes on behalf of the victim. We also offer the largest and most mature network of major law firms in each state and four provinces of Canada that will represent the client for all forms of identity theft if needed, with 24-hour access to their firm in emergencies, from anywhere in North America. For the 62% of all identity theft victims who have warrants issued in their name that can be very reassuring. (Sorry for the stat). Moreover, the entire family has the services of their law firm for all of their life’s legal events such as mortgage contract help, help with estate planning, tax law help, representation in civil court, criminal court, and traffic court, and many other areas of law that otherwise most everyone cannot afford to use an attorney for. You should know that between these two public companies we have amassed over 70 years of experience in our fields. Pre-Paid Legal is celebrating its 37th year of business this year. We don't do anything else. Those are very briefly our products. No other company in the world offers comprehensive identity theft and comprehensive legal services together as a suite of coverage.

Now on to identity theft help for a business. You recall that the first essential step is to enact a company policy illustrating the company’s position and procedures to protect information. We provide that written policy to the business at no cost. This document is the product of our Advisory Council and is current with the laws including all of the 26 red flags specified in the latest FACTA legislation. The Advisory Council is comprised of three former state Attorneys General, and the General Counsel of one of the nation’s largest energy companies. Each company is encouraged to make whatever changes are needed to customize the policy to the nature of their industry. Next is employee training on the new policy, and a general awareness discussion of identity theft as it affects millions of Americans every day. A key reason for hands-on meetings is the interchange of ideas, and the problem solving unique to every business. Very important is documentation of those meetings too. We also provide that hands-on training and proof of training documents at no cost. In fact we provide all of the documents the business will need including letters notifying contractors and service providers of the policy. Once those are sent we can then follow up with each contracting company regarding their policy.

We have taken into account the needs of

  • The client company by providing an entire package of identity theft prevention services at no cost to the company. Remember Kaiser? As I said before if they had provided the level of awareness training to all staff they might have avoided the recent breach of employee data. That is a very real advantage, and at no cost.
  • We have offered all of the employees services that will greatly reduce their family risk while providing much needed help for the family in a number of areas. These voluntary benefits are typically paid for by the individual employee on a month-to-month basis.
  • This, by the way also has the effect of limiting the company liability if an internal breach were to occur, since a mitigating service has previously been offered.
  • Companies such as financial advisors, accountancies, banks and other financial services can optionally make this available also to clients, which will provide an early warning and restoration of possible identity theft episodes from any source.

Have I left out anyone? I believe not. I can provide all of the above for your company at no direct cost to the business, and provide substantial benefits to the staff that they can use from day one to help with all of the families' identity theft and legal issues they might be facing.