Yesterday I received a call from a victim of identity theft who had been informed through one of those now-common data breach notification letters that thieves had obtained her personal information and she could be a victim of identity theft.
The letter came from a Southern California healthcare company called Crescent Healthcare, owned by pharmacy giant Walgreens. According to the letter, the stolen information could include her Social Security Number, along with her name and address, phone numbers, and her date of birth. And as if that wasn’t enough to worry about, the thieves may have also stolen her medical records and health insurance information.
Although she was now panicked at the thought of how much damage this information could do to her credit and her life, she got little comfort from the letter. No further information, no web site to answer questions, no hotline number for victims, and no offer of any identity protection or credit monitoring.
She was, however, given the phone number of one of the credit bureaus who would gladly freeze her credit for a fee of $10 – for each credit bureau. That’s hardly a robust response to a data breach, given that any consumer in the country can freeze their credit reports for a fee.
According to the victim, the credit bureau did offer to waive the fee if she could produce a police report to verify she was indeed a victim – again, a right every consumer has. The problem with that request is two-fold: as she doesn’t yet know if she’s a victim of identity theft and not just a data breach, her police department refuses to take a report. As far as they’re concerned, she has yet to be the victim of a crime.
Even if she could get a police report, it would probably take a couple of weeks. Then she’d have to mail the report, along with a bunch of other information, to each credit bureau to request the free freeze. By the time the freeze is in place, weeks or even months could have elapsed, giving thieves plenty of time to wreak havoc on her identity and her life.
I tried to learn more about the breach from Crescent, but not surprisingly, they were trying hard to pretend it never happened. There was no mention of the breach anywhere on their web site, no information for victims, no one to contact for more information.
When I checked the Walgreens site, I got the same result. Nothing. Complete radio silence. But I wasn’t surprised. There are plenty of CEOs out there who are completely, and probably genetically, unable to do the right thing. They hope that by shifting very quickly into denial mode and ducking behind their executive desks, they can escape the wrath of a data breach.
And they’re probably right. Victims can do little to hold these indifferent executives responsible. And with an average of one new reported data breach every single day in the U.S., there’s little the media can do to publicly shame these companies.
What these heartless executives don’t realize is the enormous long-term emotional impact that data breaches can have on victims, even if the carelessness of the breached business never actually leads to identity theft. Victims of identity theft liken it to severe stalking. You know that someone out there has enough information on you to make life very difficult, but you just don’t know when the manure is going to hit the air conditioning system.
At the end of our conversation the victim asked me directly “If they have all this information, including my Social Security Number, will I have to look over my shoulder for the rest of my life?” I had no good answer for her.
Shame on Walgreens for victimizing their customers, twice in a row. I hear there are rumblings of a class action lawsuit but I doubt this will be of much consolation to the victims, as these lawsuits rarely fix the long term fallout.
Ever wondered if you have a ghost identity? Not necessarily a doppelganger or a fetch (you’d have to be Irish to get that) but a real person living secretly and mysteriously under your identity? It’s more common than you might think, and it’s often because of something in your credit report called a sub-file.
Take the case of Marco (not his real name). He’s an artist, in his late sixties, living a very peaceful life in Northern Arizona. Peaceful, that is, until he gets yet another alert from his identity monitoring service that someone else is using his Social Security number.
Thinking immediately that he had become yet another victim of identity theft, he went straight to his credit reports to see how bad the damage was. But there was no damage. The problem for Marco is that there’s no sign of any fraud or identity theft in his credit report, no fraudulent accounts opened, no damage to his credit score, and no debt collectors looking for money from him.
Marco is the victim of a sub-file, an almost secretive additional credit file that the credit bureaus keep on millions of consumers. Credit bureaus are really like intelligence agencies, and some boast that they have more personal information gathered on U.S. citizens than all the U.S. national intelligence agencies combined.
The bureaus are hounds for information, and any time a Social Security number is used in the wild, it usually ends up in the files of the bureaus. Even if it’s the wrong name associated with the SSN, even if no credit is applied for, and even if no fraud has been committed.
That information can simply come from a mistake, an incorrect filing, a typo, or some other innocent event. But as soon as the bureaus come across the information, and can’t figure it out, it usually ends up in a consumer’s sub-file where it lives forever.
And that’s why Marco continues to get these alerts. Some other person or persons are associated with his Social Security number, which keeps triggering the alerts. The bureaus won’t do anything about it because they either don’t know or don’t care who the real owner of the Social Security number is.
As the bureaus are very quick to point out, they don’t grant credit and can’t be blamed for people who give credit to the wrong identity. Bureaus simply gather personal information, package it, and sell it. Even if there’s a ghost or two in the machine.
As a story on NBC reported, often the ghost identity is the result of identity theft. Illegal workers might purchase or even invent a Social Security Number in order to get a job, and if the new employer doesn’t verify the person’s identity, that new hybrid identity is now in the system. But it’s not in the credit report of the person that Social Security Number really belongs to, because his or her name doesn’t match.
And in the NBC story, that same SSN can then be shared among other illegal workers, so that eventually dozens of people are all working under the victim’s Social Security number. Yet there is no trace of it in credit reports, Social Security earnings, or anywhere else. Except, that is, in a sub-file somewhere in the deep dark basement of a credit bureau.
In another blow to the dishonest peddling of questionable credit monitoring and identity protection services, today the Consumer Financial Protection Bureau (CFPB) announced a massive fine of $210 million against Capital One, for allegedly tricking consumers into paying for things like credit monitoring services without their consent.
$150 million will go to reimburse an estimated 2 million consumers who were affected by this scam, with the remaining going into a Civil Penalty Fund to help future victims.
It looks like the CFPB is not done either, and may have many other financial services companies in its sights, companies that engaged in practices to trick customers into subscribing for worthless services.
In an interview with Reuters, Ed Mierzwinski, consumer program director of advocacy group U.S. PIRG, said “Consumers should know that credit protection and monitoring are the worst add-on products you can buy.” According to Reuters, Travis Plunkett, legislative director of the Consumer Federation of America, is no kinder, referring to these services as “junk products.”
Capital One seemed to be blaming its vendors and identity protection partners. According to an investigation by the Wall Street Journal, the settlement ordered that 500,000 customers who were signed up for identity protection through Affinion, makers of the PrivacyGuard monitoring service, and Intersections, makers of the IdentityGuard product, also be reimbursed.
It never ceases to amaze me that an industry that is supposed to be based on absolute trust – inviting consumers to trust their identities to these vendors – deliberately and without apology breaches that trust as part of its business model.
More than one in ten U.S. computers are infected by difficult-to-detect “bots” or “zombies,” which “botmasters” can use for anything from sending spam, to eavesdropping on network traffic, to stealing user passwords.
The Online Trust Alliance (OTA) joined a unanimous vote at the Federal Communications Commission’s (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) meeting today, approving the voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (ISPs), also known as the ABCs for ISPs. As a member of the CSRIC appointed by FCC Chairman Julius Genachowski, the OTA has been working with the FCC and leading ISPs to develop this voluntary Code. Under the Chairman’s leadership, this example of private and public sector collaboration is an important step forward to help protect our nation’s critical infrastructure and consumer data.
“Today is an example of the importance of self-regulatory efforts to help improve the safety and performance of the internet,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Sustainable solutions to contain bots must include all stakeholders in efforts to detect, prevent, and remediate these threats.”
Chairman Genachowski said, “The recommendations approved today identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners.”
The development of the ABCs for ISPs was a multi-stakeholder effort over the past 12 months, with the participation of ISPs, trade associations and companies, including OTA members PayPal, Microsoft, Symantec, and Internet Identity, and leading ISPs, including AT&T, Comcast and CenturyLink. Focusing on residential users, the Code includes five areas of focus for ISPs: education, detection, notification, remediation, and collaboration.
Based on OTA analysis and initial ISP self-reporting, approximately 51 percent (or 41.2 million) of the 81 million U.S. households who have broadband service are realizing added protection from ISPs who have adopted the Anti-Bot Code of Conduct. The CSRIC report cites research that ISPs also benefited – from reduced upstream traffic, spam, and helpdesk calls – when they took a proactive approach to bot remediation.
OTA, as an independent organization committed to enhancing online trust and confidence, encourages ISPs to self-report to OTA. Future reports will include the adoption of similar efforts by other stakeholders and industry segments. More information, including the Code and a summary of ecosystem support, is available from OTA.
“The ABCs for ISPs is a significant step forward and we applaud those ISPs who have already stepped up to the plate,” said Neal O’Farrell, executive director, Identity Theft Council. “We have a shared responsibility to help protect consumers from abuse and identity theft. Consumers should encourage their ISPs and telecommunications carriers to adopt these and other best practices.”
Summary of Public Support
Voluntary Code of Conduct Participation Requirements – To participate in this Code, an ISP is required to engage in at least one activity (i.e., take meaningful action) in each of the following general areas:
Education – an activity intended to help increase end-user education and awareness of botnet issues and how to help prevent bot infections;
Detection – an activity intended to identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices;
Notification – an activity intended to notify customers of suspected bot infections or enable customers to determine if they may be infected by a bot;
Remediation – an activity intended to provide information to end-users about how they can remediate bot infections, or to assist end-users in remediating bot infections;
Collaboration – an activity to share with other ISPs feedback and experience learned from the participating ISP’s Code activities.
About The Online Trust Alliance (OTA) https://otalliance.org
OTA’s mission is to develop and advocate best practices, public policy and self-regulation to mitigate emerging privacy, identity and security threats to online services, brands, government, organizations and consumers. By enhancing online trust and confidence, we can realize the potential of the internet, promote innovation and the vitality of commerce.
One of the biggest surprises for many victims of identity theft is the realization that many things they assumed about the crime and its aftermath were actually wrong. And by the time they realize the truth about identity theft, it’s too late.
So with that in mind, I thought I’d clear up some of the assumptions you may be making and which may be completely wrong. Let me know if any of these sound familiar:
Zero liability is a promise, not a law
Victims often make the mistake of assuming that if they fall victim to credit card fraud, the credit card company is obliged by law to make them whole. Only it’s not. There’s no zero liability law, just a promise by credit card companies not to hold victims liable for fraudulent charges. It’s self-preservation really, and the cost of calming consumers and making sure they don’t worry unnecessarily about using their credit cards.
If your Social Security number is being used by 100 other people, don’t expect the Social Security Administration to do much
You’d think that, given the Social Security number is the crown jewel for identity thieves and loss of your number could lead to a lifelong fight for your identity, the Social Security Administration would be leading the fight against identity theft. Sadly, no. Even on their own web site they don’t hesitate to explain that they don’t investigate identity theft and instead will refer you to other sites, like the FTC and the Internet Crime Complaint Center, who also won’t investigate your case.
If you’re a victim of identity theft, you could be blacklisted by your bank
This is a growing trend, where victims of identity theft are not held liable for any losses but instead suffer the humiliation of being told by their bank or credit union that they must close their accounts and take their business elsewhere.
Talk about insensitivity. I can only assume that banks regard victims as an ongoing liability, likely to be victimized again and again. So rather than carry that risk, they’d prefer to push it on to their competitors.
Don’t expect the thief to be caught or prosecuted
One of the many facts that set identity theft apart from most crimes is the lack of any real satisfactory resolution. If you’re ever a victim, don’t expect to get your day in court to watch your thief face justice and head to prison for the next decade. Identity theft is not a priority for law enforcement, and most police departments investigate less than 1% of identity theft cases. Of those investigated, only a tiny minority is ever prosecuted, and in those very few cases the thief is often allowed to strike a deal that results in little real punishment.
Why zero liability could be meaningless
I’m pretty sure that you’ve heard of zero liability by now – that promise by your credit card company that in the event of a fraud using your credit card, you won’t be liable for any losses. It was a concept introduced years ago by the credit card industry to allay fears consumers had about using their credit cards and shopping online.
Banks were just as quick to jump on the bandwagon and start throwing about similar promises, which unfortunately led consumers to believe that their ATM/debit cards and their bank accounts were covered by zero liability too.
Victims of fraud, however, are finding out the hard way that they were wrong. The truth is, most banks don’t offer zero liability in the case of ATM or debit card fraud, or unauthorized transfers from your bank account. Instead, they’re covered by something known as the Electronic Fund Transfer Act, which has much looser rules when it comes to reimbursing defrauded customers.
For starters, even if you report the theft or scam within 48 hours of discovering it, you’re still on the hook for $50. If you report the fraud outside the 48 hour window, you’re on the hook for the first $500 in losses. And for many victims that’s a month’s rent or a month’s worth of groceries.
And as banks face a tough economy and limits on the fees they can charge their customers, they’re getting tougher on victims of fraud and identity theft. As head of the Identity Theft Council, I’m seeing an increasing number of victims being told by their bank that for a variety of reasons their claim for fraud has been denied and they will not be reimbursed their losses.
Some of the banks rely on outdated security advice that doesn’t seem to take into consideration threats like skimming. Banks will often deny a claim for fraud if both the victim’s card and PIN were used in the transaction and if the victim did not previously report the card as missing. The banks are assuming that if the card and PIN were used, and the victim did not report the card missing, then the transaction could not have been conducted by anyone other than the victim.
But in skimming cases, especially those using compromised card readers, the thieves are able to capture the victim’s card data and PIN, make new cards, and start withdrawing money on the other side of the country. So either fraud help desks are not aware of frauds that can capture both the card and PIN, or they are simply using that as an excuse to avoid liability.
And as if that were not bad enough, I’m also hearing from victims who, after they’ve notified their bank that they have been a victim of identity theft, are told to close their accounts and take their business elsewhere. It’s as though the banks regard victims of identity theft as a greater liability and would rather push that liability to a competitor.