BOSTON – When Fidelity Investments acknowledged last week that a laptop holding the financial data of nearly 200,000 retirement plan customers had been stolen, investors started worrying about the wrong thing.
The problem wasn't the stolen laptop — in fact, Fidelity's response was exemplary — but rather the potential problems that don't make headlines.
Fund investors have significant personal data stored in many places, and while known breaches of security are exceedingly rare, they are always possible. The smart consumer takes precautions against potential problems, but the average guy waits until they are caught up in a situation like the one Fidelity brought to light.
The Fidelity situation is a bit extreme. On March 15, a team of Fidelity executives brought a laptop loaded with data on participants in Hewlett-Packard's (HPQ) pension and 401(k) plans to a meeting with H-P officials. At some point that evening, the computer was stolen, lifted from a public place that company executives are not discussing.
The information on the 196,000 Fidelity customers was encrypted, and the license to the software that could open and read the data expired within 36 hours of when the laptop was taken.
Obviously, no one knows the thieves' intentions, but laptops typically are taken more for the hardware than the data they contain. There was no indication before or after the theft that the people who took the laptop know what they've got.
Fidelity responded to the situation by notifying Hewlett-Packard first, then told affected customers either by e-mail or in a letter. The firm is paying for a year of free credit monitoring for everyone whose account may have been compromised, and provided suggestions of how those consumers might protect themselves. The firm's ideas included placing an "initial fraud alert" on credit files, a move that would make it hard for an identity thief to use stolen information to create new, fraudulent accounts.
Fidelity spokeswoman Ann Crowley noted the firm told all of its representatives about the situation, flagging the accounts of the H-P retirement-plan participants and requiring an additional layer of security before money can be moved in those accounts. Fidelity will reimburse shareholders for any losses tied to unauthorized transactions, but there is no evidence yet that any withdrawals have been attempted.
Crowley noted that Fido typically doesn't send its data around the country on laptop computers, but industry observers note that all financial firms have meetings with big clients, and that it was the theft — and not the laptop filled with client information — that was the rarity.
For the average consumer, however, the bigger concern may be the treasure trove of personal data that is part of every account application. Employees with access to that information are human, and could do the wrong thing with it, either on their own or selling it to others.
Fund firms have always taken personal details; the USA Patriot Act requires financial institutions to obtain, verify and record this information, so the only way a consumer can get out of providing it to a management company is to simply not invest.
That's a bit harsh.
Instead, consumers should be aware that putting personal information out there — even in a setting that appears safe — requires some pro-active protective measures. That does not include an initial fraud alert — because that requires some reason to suspect that account information has been compromised — but it does mean checking your credit report regularly.
"It's not time to raise a red flag and tell everybody to get crazy and stop investing to protect their identity," says Paul Richard, director of education for the Institute for Consumer Financial Education, "but you see a situation like this one and it does tell you that you should take the protections that are out there for you."
For fund investors (okay, for all consumers), that means taking advantage of the Fair and Accurate Credit Transactions Act, which went into effect last year and requires the major credit bureaus to provide one free copy of your credit report each year. Review your reports to make sure that your basic financial underpinnings are accurate and have not been misappropriated by identity thieves.
There is just one central location for getting reports from the three major credit bureaus. Forget any site that promises your reports — they're just trying to sell you something — and go to annualcreditreport.com or call 877-322-8228.
Alternatively, review one report every four months, allowing you to catch any new activity — and to be sure any corrections are made — by going to each credit bureau directly at Equifax.com (800-685-1111), Experian.com (888-397-3742) or Transunion.com (800-888-4213).
This won't just keep you safe if your fund company ever has a snafu with your data; it will help protect you from every situation where you put personal data out there where it might be used against you.
Copyright (c) 2006 MarketWatch, Inc.