I recently wrote a series of episodes in what I called a Privacy Miniseries on LinkedIn in which I shared the true story of my best friend "Michelle's" experience with her wallet being stolen and the ensuing saga that involved identity theft, fraud, and, in an interesting twist, my best friend taking an active role that lead to the arrest and confession of the thief. The following is second part of the series "Epilogue," where I share information for consumers.
1. Time is of the Essence. Now, Michelle's experience was not the typical one. What I mean by that is she had immediate notice that her wallet had been stolen, and thus the opportunity or prompting to take action. This, however, is often not the case with identity theft as the information may be taken and used with no physical contact with the victim or notice of any kind. Indeed, Michelle's circumstances provided her a higher likelihood of success in mitigate any harms as she had timely notice and took timely action. So, how can you reduce the time window from theft to notice? Here are some tips:
a. Limit the number of accounts you maintain. I always advise business clients that one of the best forms of security is not keeping the sensitive information in the first place. In short, if these companies do not need to keep personal information or other sensitive information for some business or regulatory purpose, they should securely return or destroy it. You don't have to secure information you do not have.*
The same is true for the number of credit, bank or online merchant accounts you maintain. Cancel those credit cards you don't need or use. You know the ones. Like, the one you got for one store to get that whopping 10% discount. Or, perhaps you no longer frequent that store because it is in another city. As it happened, with Michele, it was one of these very "one time" accounts that reported the fraudulent activity that tripped up her identity thief because they knew there had been so little activity on the account since her original purchase. I wouldn't bank on a company always responding so quickly to a dormant account. You should also consider consolidating your consumer credit into one or two accounts.
b. Select security-forward companies. As part of your efforts to determine which accounts to delete or consolidate, consider keeping only those that will allow to you monitor your accounts real-time from your mobile device or computer. Financial institutions and card issuers have recognized the importance of security to not only you, but also to their business. Many companies have come up with some impressive real-time security features. Perhaps you have seen this video from a card issuer? Also, read the fine print and see what these companies promise to do in the event of theft. Will they refund all such charges or reverse payments, in the case of a bank account? What do YOU have to do to ensure they will? Only give your business to those that are security-forward. By the way, the deadline for the EMV chip requirements for credit cards is Thursday, October 1. Is your company doing the right things to keep your business?
c. Be vigilant and monitor! Once you have reduced your number of accounts and for those that have special security features……….wait for it…………..actually monitor your accounts! Regularly monitor your accounts manually (daily, weekly?) or by setting alerts for special circumstances (large withdrawals, purchases outside your zip code, etc) Many companies provide a variety of alert mechanisms for you to keep tabs on money flowing in and out of your accounts. But, you have to actually use them. In the past, I have written or spoken on the importance of layered security in business. Specifically, you have to implement physical, technical and administrative safeguards. Strong passwords, encryption and fraud alerts on an account (technical safeguards) only work if you actually learn about them, use them and respond to them (administrative safeguards). Technology is only a tool. You have to use it.
2. Protect the real treasure. Credit cards can be cancelled and charges reversed. Banks can (hopefully) give your money back. What is so much more valuable is your good name, specifically the creditworthiness attached to your name through your Social Security Number. There is a reason identity thieves are going after non-financial accounts with vigor—-they can get your SSN from less secure places and can do more with it. A cancelled credit card is not valuable on the black market. But, the ability to open up many new accounts in your name and do other things using your name and credit? Well, that is invaluable up until the time it is discovered. And, as we have discussed, the clock is ticking. You may or may not know your information has been taken.
Fortunately, you can actively monitor your own credit through any of the three major credit reporting agencies (Equifax, TransUnion, Experian), or through a variety of vendors who will do it for you. As with your bank accounts, such services can keep you apprised of any inquiries into your credit record. Now, there are pros and cons to every vendor and solution, and I am not endorsing any service or product offering of any kind here nor in this series. However, depending on your particular situation or risk profile, using such a service as a preventive or responsive solution may make sense. Again, anything you can do to reduce the window of time in which bad things can be done in your name further reduces the risk and costs of any resulting harm.
3. Exercise your legal rights. If you should fall prey to identity theft or some form of related fraud, there are several rights you can exercise to prevent or mitigate any resulting harm.
a. File a police report. Regardless if the theft was local as in Michelle's case, you should always file a police report to document that a theft, or an alleged theft, has taken place. Not only does such a filing give the authorities notice of the event, it also serves as your proof that such activity is involved. Such proof might be needed if you want to establish fraud alerts or otherwise dispute charges with banks or card issuers. Furthermore, by giving notice to law enforcement, you provide them more information on potentially broader issues. In Michelle's case, it appears like the alleged thief was a first time offender and lone wolf (with the exception of allegedly enlisting family members to expedite the purchasing power of the credentials she had stolen). However, in the case of a broader event or "crime spree," the more information law enforcement has the better they can potentially identify criminal activity that may be impacting more people than just you.
b. Place a fraud alert with one of the national consumer reporting agencies. You can actually request such an alert be placed by one of the national consumer reporting agencies every 90 days under the Fair Credit Reporting Act ("FCRA"). You can even get seven years protection if you can show proof (i.e. police report) that you have been the victim of an actual theft or fraud attempt. Under the FCRA, the bureau with which you file a notice will share that notice with the other national bureaus. If you haven't familiarized yourself with the FCRA and the national consumer reporting agencies, it might be worth a look.
c. Chill out: Request a security freeze. Unless you live in Michigan, if you have been the victim of theft or fraud, you may also have a right to request that your credit accounts with the national consumer reporting agencies be "frozen." In other words, no credit can be issued from these accounts without your explicit permission. You can always get the freeze lifted temporarily when you need to get credit (i.e. car loan, job application), by following the agency's procedures for such temporary lifts. Even if you have not been the victim, you can sign up for such a freeze service, much time with just a nominal fee.
These are but a few tips and lessons learned from our Miniseries. We are not suggesting this is all-inclusive. The best tip, of course, is vigilance. The best person to stay on top of your privacy is YOU. Taking steps to proactively minimize your risks and responding quickly when they materialize can mean a significant difference in the impact on your personal and financial life. The good news is that there are lots of tools (both administrative and technical) that can assist you in such diligence. You just need to use them.
*Even better, you don't have to notify consumers and regulators of a breach of information you didn't have. That's a cost savings on two fronts for business and should motivate any company to do some house cleaning.