So..you’re NOT going to keep my data safe? (securing yourself in an insecure world)

Lately, there have been radio ads hawking some or another of various Identity Theft products.  It will surprise nobody, of course, that they use fear as the motivator to get you to buy their services.  The pitch sounds a lot like Glum, the endlessly-pessimistic character from the ‘Gulliver’s Travels’ cartoon that is older than nearly everybody who is reading this.  “If you don’t get our ID protection, you’re all doomed!” (or something like that) But, whether to buy ID theft protection is not the slam dunk that you might think.

Lifelock (which is one of the most recognizable products) has a history that is almost laughable.  This is the company that ran an ad on the radio where their CEO would state his social security number slowly and clearly.  (“If our Identity Protection wasn’t the best around, would I say my Social Security Number on the Radio?”)  I used to enjoy those commercials. But, I didn’t enjoy them nearly as much as the Identity Thieves who used his Social Security Number to steal his identity  (13 times!)  Lately, another credit protection service had troubles of its own.  Credit Karma was nabbed by the FTC because they “failed to secure the transmission of millions of consumers’ sensitive personal information from their mobile apps.”

But I should do SOMETHING, right? 

Oh, you’d better believe it.  If you have a Target Card; if you have ever shopped at Michael’s Crafts; if you have ever shopped at Neiman Marcus; or have used any website that has the padlock and the little ‘s’ in the IP address, your Identity MAY have been stolen.  (and it doesn’t matter if you’re famous – Just ask the First Lady)  I say that your data ‘may’ have been stolen, because when massive data-breaches get announced, there is always some squishy statement disavowing any possible harm to any consumers. Much like Kevin Bacon, during the riot scene in Animal House (“Remain Calm! All is well!!”), the idea that none of us has to worry, even though millions of bits of data was stolen by some hacker in a basement in Kiev strains credibility.

In fact, even Experian has had trouble keeping the wolves from the door.    To be sure, the Experian breach first happened to a company before they were purchased by Experian. But, it continued for almost a year AFTER they became part of the Experian Empire.  (And, Experian didn’t notice that the bad guy was buying access to their records with cash payments to a bank in Singapore?  C’mon Experian, it’s like you’re not even trying….)

But, don’t they HAVE to keep my personal data safe?

Yes they do.  Banks, finance companies, retailers and other companies that collect private information, in order to do business with you are required to keep your private information private.  They can share it with companies that they are affiliated with, unless you ‘opt out’ (i.e. – say in writing that you don’t permit them to share your information) If this sounds familiar, it’s because they send you a letter every year which states their ‘privacy policy’ and that you have the chance to limit the amount of information that they share.

Plenty of people send each credit card company, retailer, auto-finance company, etc. a letter that says “Don’t share my information with anybody,” in the hopes that this will stop them.  And, it is supposed to curtail what they share and who they share it with.  Unfortunately, what should concern you is the data that they give away, unwillingly.

If there is a breach, don’t they HAVE to tell? 

In fact, there is no federal law that requires a corporation to reveal the extent of any data breach that they suffer or come clean with any kind of report.  Wonder why the retailers that announce a massive system-data hack wait months to tell us?; why the stories sometimes change by the day?; Or why the government doesn’t levy massive fines every time it happens?  It’s because there are no rules.  (Well, almost no rules)  Here’s a great synopsis of how different states treat data breaches and what kind of requirements they place on the companies that get hacked.  But, don’t get too excited.

In Ohio, for instance, there is a duty for the company to tell the Consumer (not the Attorney General), but only AFTER they have determined that the Consumer’s personal information was taken by somebody not authorized to do so – and that there is a “material” risk of ID theft or fraud to the Consumer.  (Can they get around the reporting thing if they say “Gee, we have no idea who took it.” or if they say “we think there’s no risk to anybody.” ?  You tell me)   To add water to an already-diluted Consumer protection statute, the Ohio consumer does not have the ability to sue the company on his own for the breach and if the data that was stolen was ‘encrypted’ (or what I like to call ‘every piece of data that they own’) the duty to report the breach disappears.

Not only are you at the corporations’ mercy when it comes to safe-guarding your data; you are at their mercy, when it comes to finding out if they’ve been hacked.  How do the corporations view whether or not they should report the breaches to us?  Here’s a quote from Target’s attorney from a national conference about data breaches:

“if you never disclose the breach at all then you don’t have the class action suits…it’s the disclosure of the breach that creates the firestorm of litigation.”  Or put another way:

“it’s cheaper for our clients to just pretend that nothing happened.”

Wanna feel worse? Target got hacked, because of a worm that infected the computer of one of the outside firms that they hired to work on their heating systems.   When that company signed on to Target’s system, the hacker who had infected the repairman hit the digital jackpot.  Even though there were warning signs that Target ignored for months they didn’t stop it from happening.  Meaning to say: Target wasn’t even as careful with your data as you are.  The guess here is that it’s a whole heck of a lot cheaper to just say “Um, we lost your data……our bad,” than it is to pay someone to update and/or monitor your computer system.  (and without a Federal law that deals with this, who’s to tell?)

Editor’s Note that Gov’t regulations aren’t the devil’s work: Next time you hear somebody talk about Government Regulations like they will be the end of all things, think about how Target can ignore safeguarding your personal data and then treat their own data breach with nothing more than a yawn and ask yourself “How would a Government regulation be BAD in this situation?”

So, what’s a fella to do? 

We all dig that our credit reports are very important (it’s used by employers, landlords and nearly everybody who controls whether to lend us money).  What can you do to keep it safe (even while the merchants who use it to turn you down are careless with private information)  There are the things that you should already be doing to protect yourself from Identity Theft:

    • Shred your bills.  Shredders are about $30.  Go get one.
    • Check your credit card statement.  Look through your statement every month.  If there’s a charge that you don’t recognize, call the number listed for the vendor, your credit card company – or both.  (if you don’t flag a charge and pay the bill, it won’t be on the next month’s bill and you’ll pretty much own it)
    • Get a copy of your credit report (at least) once a year.  This is very simple. The FREE government site is AnnualCreditReport.com.  The other ones charge fees and try to stick you with other products. (maddeningly, the site called ‘FreeCreditReport.com’ is not free….go figure)
    • Change computer passwords (at least) once a year.  Keep the passwords written down somewhere other than in your MyDocuments folder in a folder named ‘Passwords.’
    • Don’t write the entire account number on your check.  When you write a check to pay any bill, do not put the entire account number on the check.  Put the last four numbers only (trust me, they’ll find your account)  And for Pete’s sake, do not write your entire Social Security Number on your check. (Remember: your check will be seen by employees from many different vendors while it makes its way through the system. Don’t make it easy for them!)
    • Get your W-2 and file early.  There’s a video of an Identity Thief that is absolutely chilling.  He says that January is his best month, because he can file taxes for tons of people and get refunds.  He simply walked up and down the street, swiping W-2s from mailboxes. “I can get your Social Security Number, income and anything I need to file a return with your W-2.”  (Nearly ½ of the ID Theft complaints received by the FTC are tax-related)  It will surprise no one that the IRS won’t bat an eye when they write you a refund check for $28,542.00 at a new address, with a new job and a bunch of new kids and never-before-utilized deductions.  Ask your employer to hand-deliver your W-2 and then file early in the season.  (if you owe money, you won’t have to pay until April 15. But you will get your return in, before the fake you files his)

It’s Freezing in here!

There is something that you can do to make sure that nobody opens a NEW account with our personal information.  This is what they call a ‘credit Freeze.’  If you call the Credit Reporting Agencies and say that you want a Freeze put on your credit report – they will ‘freeze’ anybody (including you) out from starting a new account in your name.  The only way to open an account is to contact the credit agencies and have them temporarily ‘thaw’ the freeze, until you open your account.

Sounds like a way out? Not so fast.  As with anything, there are pitfalls (summarized below, but shamelessly copied from this article from the Huffington Post Money blog):

    • Credit Freeze doesn’t stop anybody from using existing accounts for their benefit, so you still have to monitor the outstanding credit you do have
    • There’s a fee for that. You’ll get charged to put the freeze in place, to remove it or to get a replacement PIN. (In Ohio, as with many other states, these fees are waived if you were the victim of ID theft)
    • You have to Freeze (or un-Freeze) each credit report separately (so, organization is a must)
    • Freezes don’t affect your overall credit score.
    • You can still get copies of your credit report, if you have a Freeze
    • They can still find YOU.  If a creditor is chasing you for money, the Freeze will not hide you, or protect you from their phone calls.

If you are the victim of Identity Theft (senior or otherwise), call the cops, all three credit bureaus and as many of your creditors that you can think of.  (here are some instructions and sample letters from the FTC)  And try to rest easy – the bad guys sure are.

Posted by: Mark Wiseman (who – after researching for this post – now has one MORE reason to be paranoid….Oy)