Mari Frank, a lawyer and author of two books on the subject, offers tips on how to protect your good name.
DURING THE PAST FEW MONTHS, thousands of consumers have received letters with disturbing news: files with their Social Security numbers and other sensitive information have been lost or stolen.
It all started in February, when information broker ChoicePoint (CPS) revealed that the records of 145,000 American citizens had been illegally obtained by a Nigerian crime ring. In April, the LexisNexis Group, another data provider, divulged a massive security breach affecting more than 300,000 individuals.
Banks, brokerages and even universities have also been coming forward with news of lost customer files: Bank of America (BAC) announced in March that it had lost a tape with information on 1.2 million customers. The University of California at Berkeley sent out more than 98,000 letters to graduate students and applicants to its graduate programs, informing them of a theft of a laptop containing their Social Security numbers. In April, Ameritrade (AMTD) advised 200,000 of its customers that a computer backup tape containing their personal information had been lost. And earlier this month, Time Warner (TWX) disclosed that a tape containing information on 600,000 of its current and former employees was lost during a truck ride to a data-storage facility.
And the events are just starting to unravel, says Mari Frank, an attorney in Laguna Niguel, Calif., and the author of two books on identity theft. In 2003, Frank worked with California legislators to help pass the California Law on Notification of Security Breach, which is the reason why ChoicePoint divulged the security breaches in the first place. "Without the California law, none of these breaches would have been made public," she says. "It's a blessing in disguise that this happened with ChoicePoint and LexisNexis. It also explains why we've had such an incredible increase in identity theft in the past few years. It's because we've had many, many breaches that have been under the radar screen, and most victims haven't a clue how their identity was stolen."
The slew of security breaches has also attracted the federal government's attention. A number of Senate hearings on identity theft and data brokers have taken place recently, including one today in which Frank is scheduled to testify. We recently spoke with her about this new threat to Americans' personal information and ways to protect it.
SmartMoney.com: Is it possible to find out what information companies like ChoicePoint and LexisNexis have that could be exposed to identity thieves?
Mari Frank: Under new federal legislation that became effective in December 2004, you have a right to get three of your profiles for free once a year from ChoicePoint. These are specialty consumer reports and are different from your credit reports. They include a claims history report, an employment history report and a tenant history report. My concern is that most people don't know they are entitled to some of these specialty reports.
And that's just the tip of the iceberg. Even though you can get these three files from them, that's not nearly all they have on you. And there may be errors in them. With credit reports, 75% of them have errors and 25% of the errors are bad enough to keep you from getting a job, a car or a house. When people get your background check from ChoicePoint, there's information in there that may be erroneous and they're using that to make a decision whether to hire you. So just like we have the right to see our credit reports, we should have the right to see what's in these databases.
SM: Why are these reports still inaccessible for consumers?
MF: Because there's no oversight. That's why we've been having all these legislative hearings on information brokers lately. There is legislation being introduced by Sen. Bill Nelson (D-Fla.) that basically says the Federal Trade Commission will have oversight on the industry.
And if it weren't for the California law on notification of security breach, people still wouldn't know about the security breaches. That law became effective in July 2003, and it says that if a company finds out that sensitive information was acquired by an unauthorized person or persons, then that company must notify all potential victims.
What happened was, after the L.A. sheriff started investigating the Nigerian fraud ring, he told ChoicePoint that it must notify the 35,000 Californians whose records the fraudsters had obtained. Subsequent to that, 38 state attorneys general said, "Wait a minute, ChoicePoint -- you're collecting data on every person in this country. Why didn't you tell us?" And ChoicePoint had to inform every victim nationwide.
ChoicePoint had had a similar breach in 2002, and the criminals were prosecuted, but it had never divulged that to the public. It admitted that at the April 13 Senate hearing on information brokers.
SM: What should consumers who have been notified of the breaches do to protect their information from being used?
MF: They must put the fraud alert in their credit report. If they use their mother's maiden name as a password for any of their accounts, they should change that because someone can get that information easily from databases. (They should) put fraud alerts on everything that they have, all of their bank and brokerage accounts, and change their passwords.
They should also immediately request that the company who had the security breach provide them a copy of everything that was in their file, so that they know what's in there and can go in and close accounts and open new ones. If the broker doesn't give it to them, they need to see an attorney.
Also, they should take advantage of the free credit monitoring they are offered. Truthfully, I don't think one-year credit monitoring is enough. A lot of these fraudsters who steal the information will keep it, sell it and resell it before anybody even uses it. They could use it two or more years from now. We have found that a lot of times they have thousands of names, and they're not going to use them all at once.
I would ask for 10 years' worth of credit monitoring. I don't think they're going to get it, but I think that's really what you're going to need. I know people who've lost their wallets years ago and they've become a victim now. So you always have to look over your shoulder, you always have to be vigilant.
SM: What about consumers who haven't received a security breach letter but still want to protect their information? Is there anything they can do?
MF: In California we recently created the "security freeze." Four states have since passed this and 19 have introduced legislation, and I think it should spread like wildfire.
It works like this. If you've been a victim of identity theft or if you're a consumer and you don't want anyone to be able to pull your credit reports, in California you can write to the credit-reporting agencies and ask them to put a security freeze on your file. That basically takes your profile offline so that no one can pull your credit report in order to issue you credit unless you have given them a password to unfreeze it.
That means if I have a security freeze on my file and someone is trying to get credit in my name, they can't get it because when the creditor tries to pull my credit, the credit bureau is going to tell them that it's frozen.
In California, our law (stipulates) that if you're a victim, you get a freeze for free. If you're not a victim, you've got to pay $10 per freeze (meaning you pay $30 if you want it for all three major credit-reporting agencies) and then you have to pay $10 to unfreeze it. So if I have my credit report frozen, but then I want to buy a car, I have to write to the credit-reporting agencies and give them my password and tell them I'm going to apply for a car (loan).
Texas, Vermont and Louisiana have security freeze (provisions) for victims as well. I don't think all consumers can do that. But it is my understanding that since all of these security breaches happened, all of these states are (worrying) about their consumers becoming victims. And the only way to protect yourself, really, is to put a security freeze, because we cannot guarantee that a negligent company won't just ignore your fraud alert. If you are from a state that hasn't introduced this legislation, call your legislator and demand it.
SM: Recently, a number of retailers, like DSW and Polo Ralph Lauren, also divulged that credit card information had been stolen. What should consumers know about that?
MF: That's not as scary. They've got credit card numbers. You know if there's any fraud on your credit card, you are protected by federal law. If you get your statement and you see a bunch of fraud, it's upsetting, but it's not a huge deal. You call up the company and say these are not my charges, cancel the card and give me a new one. It's an aggravation, but it takes maybe 20 minutes.
The scarier issue is when Bank of America's back-up tapes get stolen with 1.2 million files with Social Security numbers, or Ameritrade, which had 200,000 people's records stolen. That can be used for so many different purposes. It can be used to get any kind of health services, credit cards, credit lines, mortgages, loans, apartments, utilities. It can even be used to get the refund from somebody's tax return. It's a huge door opener. Whereas if somebody just gets my credit card and that's all they've got, that's an annoyance, but it can be dealt with.
SM: What about the Time Warner situation? It's likely that 401(k) data was among the stolen information. How should employees address that?
MF: At Time Warner, 600,000 employees got their information stolen. And guess what's in there: their Social Security number. If you're an employer, you have sensitive information on these people because otherwise you can't give them a paycheck. (Time Warner) had SS numbers, which is the key to the kingdom of identity theft.
If your information was stolen, you need to know exactly what it was. So for example, Time Warner now needs to tell everybody, "This is what was in your file that was stolen: your 401(k) account number, your password..." and so on. That helps people know what they need to do. They should immediately change their passwords, usernames and account numbers, place a fraud alert on all their credit reports, and put a note on their 401(k) account and any other bank or brokerage accounts, asking that they don't do any fund transactions unless they have requested one with a personal letter or fax.
But the truth of the matter is, unless they can put a security freeze, their credit still could be accessed beyond their control. Because they haven't really put a lock and key on it. They've closed the door, but they haven't locked it up.