Data Breach At Experian Credit Reporting Service

Experian has notified the New Hampshire Department of Justice of data breach where unauthorized third parties may have obtained consumers credit reports. The company discovered the breach in February 2012 and began notifying affected consumers on May 17, 2012.

The breach notice did not disclose the number of consumers affected. The unauthorized access occurred between November 2010 and March 2012. An investigation into the breach was conducted including the analysis of computer logs. In its breach notice, Experian stated:

"... we do not believe that any third party obtained access to any specific data elements that are covered by the New Hampshire security breach law because those data elements (e.g., financial account numbers) were redacted or truncated on any credit report disclosure..."

New Hampshire is one of about 46 states that require entities (e.g., companies and state agencies) to notify both the state and affected residents in each state whose personal information archived by that entity was lost, stolen, or accessed by unauthorized persons.

In its breach notice to consumers, Experian stated:

"While any consumer report will contain public information like name and address, Experian masks or displays only partial social security numbers, birth dates, and account numbers, so they are not identifiable and cannot be abused."

This is troublesome because, a) the breach went undiscovered for a long time, 16 months; b) partial social security and bank account numbers, partially masked, and c) the extremely sensitive personal and financial information contained in consumer credit reports.

Experian placed fraud alerts on the files of breach victims, and, of course, is offering breach victims two years of fee credit monitoring services through its ProtectMyID service.

Experian is one of the three larges credit reporting agencies. The other two are Equifax and TransUnion. Experian also operates the Triple Alert and FreeCreditReport.com websites. In 2010, the U.S. Federal Trade Commission changed the disclosre rules for web sites offering free credit reports. Consumers should know that the official webiste for truly free credit reports.

5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card are the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

What It Means To Have An Unrequested Security Freeze On Your Credit Report

Recently, an I've Been Mugged reader wrote asking:

"I went to annualcreditreport.com to acquire my [free credit] report. I then get told i have a security freeze on my file that i DID NOT put in place?!?! What does this mean? Does this mean someone is stealing my identity?"

First, this reader went to the right place to get her free credit reports: annualcreditreport.com. When using the website, it is important to complete the online forms accurately.

Second, the credit reporting agencies do make mistakes. This is one reason why it is important for consumers to periodically check the accuracy of their credit reports. Mistakes happen because many people have the same name and/or share the same birth date. In 2004, I had a credit report agency list me as deceased when it erroneously co-mingled in my credit report data from both me and from my deceased father. So, while I have not heard before of the problem this reader described, I wouldn't be surprised if a credit reporting agency made a mistake and placed a freeze/lock on the wrong person's credit report.

What this reader must do next requires an understanding of how security freezes work. Identity-theft victims place a security freeze on their credit reports so criminals cannot obtain new credit (e.g., loans, mortgages, etc.) in their name without their consent.

I first suggested that this reader learn more by browsing the Security Freeze section of the Experian website. Perhaps a parent or relative placed a freeze/lock on their credit reports while the reader was a minor. Some parents have proactively signed up for credit monitoring services with coverage for their children due to the increase in identity theft affecting children.

The TransUnion and Equifax websites each have sections that explain the security freeze feature. Perhaps, the reader can use the instructions for "What do I do if I lose my PIN?" to get a new PIN to remove the freeze/lock on their credit reports.

I also suggested that the reader try to determine if a freeze/lock is on all 3 of their credit reports at Experian, Equifax, and TransUnion. I suggested this because of the way a security freeze works: a consumer pays to place (or remove) a freeze/lock on their credit report at each credit reporting agency. The reader may find that the freeze/lock is only on one or two credit reports -- and not on all three. That might decrease the amount of work, time, and fees to remove any freezes/locks on their credit reports.

The fees vary by state, so where this reader lives is important. Each credit reporting agency website includes those state-specific instructions.

This reader might think back as to whether she used a credit monitoring service previously. Perhaps the reader paid for that service to place a freeze/lock on her credit report(s).

I also suggested that she contact the Identity Theft Resource Center (ITRC). The ITRC has resources for consumers, and may have already encountered other consumers with the same situation.

What do you think? Do you have any suggestions for this reader?

FTC Testifies Before Congress About Identity Theft And Fraud Affecting Children

On September 1,the U.S. Federal Trade Commission (FTC) testified before the House Committee on Ways and Means Committee Subcommittee about identity theft and children. At the hearing in in Plano, Texas, Deanya Kueckelhan, Director of the FTC’s Southwest Regional Office, delivered the FTC testimony.

The theft and fraud involving children's Social Security numbers is a growing problem. Identity thieves can access and steal Social Security numbers from children’s records in schools, doctors offices, social services agencies, and other sources. Sometimes, family members who have fallen on hard economic times use the identities of their children to obtain credit they couldn't obtain otherwise. Experts explore the problem recently in the Stolen Futures forum, hosted jointly by the FTC and the Department of Justice’s Office for Victims of Crime.

For adult identity theft, the Bureau of Justice Statistics reported in its National Crime Victimization Survey Supplement that about 11.7 million persons, about 5% of all Americans ages 16 or older, were identity-theft victims during a two-year period ending December 2008. The financial of that theft was $17.3 billion.

For child identity theft, a study by ID Analytics found 142,000 instances of identity fraud each year in the United States where children are the victims. Another study by the Carnegie Mellon CyLab of 40,000 children who had been enrolled in an identity protection service found that 4,311 of those children -- about 10.2 percent -- had loans, property, utility, and other accounts associated with their Social Security numbers.

In her testimony, the FTC's Kuechelhan describe another aspect of the child identity theft:

"... a child’s unused SSN is uniquely valuable to a thief because it typically lacks a previous credit history and can be paired with any name and birth date. In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit..."

Kuechelhan also described the identity protection problem:

"... fraud alerts, a key tool used by adult victims of identity theft to warn potential creditors of possible identity theft, are premised on the existence of a credit file. Parents ordinarily cannot place a fraud alert on their child’s credit file if the child has no such file. Further, remedies available under federal law such as extended fraud alerts, access to documents underlying the theft, and blocking of erroneous debts typically require a victim to obtain a police report to document the crime... children victimized by parents or guardians are often reluctant to file a police report naming a loved one or a source of financial support as the perpetrator."

Read the FTC testimony (PDF).

What is a parent to do? First, concerned parents should understand the available credit file protection tools: fraud alert, credit-file freeze, and the differences between the two tools. Second, investigate a credit monitoring and identity protection service to cover both parents and children in your family. Several services exist, which I will explore in future blog posts. Shop around because monthly prices and features vary.

Third, teach your children, tweens, and teens about money, credit, the sensitive personal information they must protect, and their responsibility when they become adults to monitor their credit files produced by the major credit-reporting agencies: Equifax, Experian, and TransUnion. You can find plenty of information in this blog.

In my opinion, a broader solution to the problem would be for credit reporting agencies to automatically place a free Security Freeze on the credit reports of all children. This freeze would automatically be lifted (for free) when the child turns 18. Parents could temporarily lift the freeze for children younger than 18 for instances to apply for education loans for that child.

What do you think of child identity theft?

California Amends Its Breach Notification Law

California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:

"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."

SB 24 (Adobe PDF) goes into effect January 1, 2012.

This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notificaton letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.

Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call that he/she needs to take action to protect their sensitive personal and financial information.

Moreover, the InfoLaw Group appropriate emphasized that SB 24:

"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."

Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.

Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.

The Frenzied World Of Companies Collecting Consumers' Financial Histories

Many consumers believe that if you pay your bills on time, keep your (Experian, Equifax, and TransUnion) credit reports accurate, and keep your credit scores high, then all is well. Not necessarily. There are many more companies that track and collect data about consumers financial history.

Chances are, you haven't heard of their names. The Washington Post reported:

"But little attention has been paid to the firms that target consumers outside the mainstream financial system. Often they are students, immigrants or low-income consumers who do not qualify for traditional loans or choose not to use them... they carry particular weight for the estimated 30 million people who live on the margins of the banking system."

Who are some of the smaller firms? Some of them this blog has covered: ChoicePoint, Innovis, RapLeaf, Quantcast, First Data, Acxiom, Intelius, US Search, and Spokeo. Some are data brokers. Some collect website visitation statistics. Others focus on finance or insurance. Some are technology vendors working with ISPs. A prior blog post discussed the variety of brands of credit scores. Some other firms' names you may not have heard about:

"LexisNexis, whose parent company bought ChoicePoint three years ago, handles background checks, tax assessments and criminal histories. Bounced checks can be tracked through Chex Systems, TeleCheck or SCAN. Payday lenders report to a company called Teletrack. Alliant Data compiles information on so-called “installment payments,” industry jargon for recurring monthly fees such as gym memberships. The National Communications, Telecom and Utilities Exchange collects account information for 63 of that industry’s largest firms..."

The accuracy of the information collected by these firms is suspect:

"Arkansas resident Catherine Taylor didn’t learn about the fourth bureau until she was denied a job at her local Red Cross several years ago. Her rejection letter came with a copy of her file at a firm called ChoicePoint that detailed criminal charges for the intent to sell and manufacture methamphetamines. The information was incorrect... Taylor said she has identified at least 10 companies selling reports with the inaccurate personal and financial information, wrecking her credit history so badly that she says she cannot qualify to purchase a dishwasher at Lowe’s. Taylor must apply for loans under her husband’s name and has retained an attorney to force the firms to correct the record..."

And all of these firms do not include social networking websites, advertising networks, and mobile device marketers -- all collect information and profiles about consumers.

Given the long list of companies across several industries collecting consumers' personal information, you could call this a feeding frenzy.

12 Tips For Consumers To Avoid Identity Theft And Fraud

First, to avoid identity theft and fraud consumers need to first know the ways which identity thieves try to steal your sensitive personal information:

• Skimming-thieves attach devices to ATM machines, ATM booth doorways, and gas-station pumps
• Phishing e-mail messages
• Change of Address: thieves divert your billing statements to another location by completing a change of address form at the post office
• Old-fashioned theft: stealing your wallet or purse
• Pre-texting: thieves pretend to be you and contact (online or via phone) your bank or financial institution to obtain your personal information and money
• Fishing: accessing unlocked snail-mail mail boxes, or lowering "pieces of cardboard covered with glue down blue mail boxes and open envelopes that stick looking for personal information they can steal"
• Dumpster diving for financial statements and "convenience checks" you've thrown out in the trash without shredding them
• Discarded computers, with hard drives that contain personal information, that haven't been properly erased or destroyed before disposal
• Online research of government registers, Internet search engines, and public records to gain pieces of your personal information
• Remote-theft with portable readers that scan and read your contactless (e.g., RFID) debit/credit cards
• Shoulder surfing: simply looking over your shoulder when you make ATM transactions in public places
• Malware: using computer viruses to accesses the personal information on your (home) computer
• Employment scams: thieves advertise fake job openings and use the personal information submitted by applicants
• Social networking sites: thieves access profile pages left publicly open by consumers who ignore privacy settings, produce bogus quizzes, and/or hack a friend's account to gain access to your sensitive personal information

To combat these theft methods, the Los Angeles County Sheriff's Department suggests these 12 tips for consumers to protect themselves:

1. Identity theft starts with the misuse of your personal identifying information such as your name, Social Security number, credit card numbers, or other financial account information.

2. Check your credit report from each of the three major credit bureaus every year.

3. Open your credit card bills and bank statements right away. Review your statements and close unused accounts. Be aware if bills don’t arrive on time. It may mean that someone has changed contact information to hide fraudulent charges.

4. Don’t carry your Social Security card or PIN numbers in your purse or wallet because of what can happen if they fall into the wrong hands.

5. Avoid giving any personal information over the phone, mail, or Internet unless you know who you are dealing with. Give it to them in person instead.

6. Criminals pretend they are collecting money for victims of a natural disaster. Sometimes they claim to be police officers and ask for donations.

7. Elderly people are frequently targeted in money scams. Keep a helpful eye for elderly family members and vulnerable neighbors.

8. Make sure that you disconnect your laptop from a broadband or a shared connection when you are not using it.

9. Avoid offers and pop-up ads that sound too good to be true. They want you to enter your information so they can access all of your personal information.

10. Remove your name from mailing lists for pre-approved credit offers. Pre-approved credit card offers are a target for identity thieves who steal your mail. Have your name removed from credit bureau marketing lists. Call toll-free 888-5OPTOUT (888-567-8688).

11. Only enter personal information on secure Web pages that encrypt your data in transit. You can often tell if a page is secure if "https" is in URL or if there is a padlock icon on the browser window.

12. If you’re going to use a mail box, do so during or close to the posted pick up hours. Better yet, drop your mail off at your local post office. Retrieve mail promptly and discontinue delivery while out of town.

Protection Direct, Auto Warranty Service Program: A Good Deal?

Recently, I received the letter below from a company named "Program headquarters (SPD)." Perhaps you have received this letter, too:

At first, I was not going to write about this, but after receiving two letters from SPD a blog post seemed appropriate. I hadn't heard of SPD before, and the way the company listed its name in the letter seemed odd.

A quick Google search found an entry about SPD at the Better Business Bureau website. SPD, which has an "F" rating, goes by the names "Service Protection Direct" and "Protection Direct." When a company uses several names, the names on its letterhead and website don't match, and the letter fails to provide a website address that is usually a red flag alert to me. This letter reminded me a lot of my experience with Shelton & White (a/k/a Larson Keller).

While most of the complaints against SPD on the BBB website appear to have been resolved, the nature of the complaints was troubling:

"Complainants primarily allege misleading sales or advertising practices, in many cases claiming that they were led to believe that this firm was associated with the manufacturer or dealer, when they are not, difficulty canceling contracts and obtaining refunds, that the firm failed to cover needed repairs, poor customer service and that they received harassing sales calls or solicitations, even after the consumer requested that they cease."

That didn't sound good. My Google search also found this St. Louis Business Journal article from 2009:

"Despite an agreement last year between the Missouri attorney general’s office and one of St. Louis’ largest vehicle service contract companies, the BBB said Thursday it has received 80 complaints about the firm so far this year. That’s up from the 60 complaints received in the four months before the state’s agreement with Service Protection Direct, now known as Protection Direct and owned by TXEN Partners..."

So SPD or Protection Direct has been doing this form of marketing since 2008. Maybe things have gotten better during the three years since. In March 2010, the Missouri Attorney General's office stated that it was:

"... creating a task force to look at sales practice guidelines designed to stop auto service contract fraud, the number one complaint to the Attorney General's office in 2009... the Department of Insurance, Financial Institutions & Professional Registration began regulating service contract providers and administrators in 2008, but some independent marketers are not licensed and have continued to run roughshod over consumers... these marketers have used misleading letters, postcards, and telephone sales marketing to lure consumers into purchasing service contract coverage without providing basic information about that coverage... while consumers believed they were extending auto warranties, they were actually purchasing service contracts or automotive additives."

While complaints in Missouri about auto warranty/service programs have dropped due to prosecution, the Missouri Attorney General's office on February 25, 2011 still listed auto warranty/service scams in its the top 10 scams listing. So, there are several companies operating in the auto warranty/service program space, besides SPD. The reverse side of the SPD letter I received mentioned several states: New York, Wisconsin, Texas, and Florida. So, Protection Direct is marketing in several states.

Next, I visited the Protection Direct website to see how it addressed any of the above concerns. My experience at the website wasn't much better than the letter. The Service Facts page seemed to only list the costs of various auto repairs. That was technically accurate, but not very helpful. And, it seemed like a scare tactic.

The News page included an April 4 item about the poor BBB rating above, with a general promise that the company is working with the BBB to improve that rating. I completed the "Find Your Plan" form on the home page, and the results page didn't deliver any plan information. Instead, the results page linked me to another form page. That was not helpful, and it seemed to me like a slick attempt to get website visitors to reveal more personal data without delivering a quote or any real value first.

To learn a little more, I called the phone number on the SPD letter. The representative that answered was very polite; not pushy at all. When I asked how SPD got my name and auto information, she said, "SPD has access to the same databases as auto dealers." That answer wasn't helpful. I asked what that meant and the phone representative said she didn't know. Not good.

I expect more from a company. It should be able to sufficiently explain where it got my name and auto information from. The reverse side of the letter I received included this fine print:

"PRESCREEN & OPT-OUT NOTICE: This "prescreened" offer of credit is based on information in your credit report indicating that you meet certain criteria."

What? I wonder how accurate that statement is. If it is true, SPD should not have contacted me because it shouldn't have been able to access my credit reports. I placed a Security Freeze on my three credit reports three years ago. And, I opted out of pre-screen credit offers years ago. Perhaps, SPD obtained my name from one of the smaller, regional credit bureaus.

More likely, SPD purchased my name and auto data from the state registry of motor vehicles. Many consumers don't realize that many states do sell this driver data. This lawsuit highlighted the fact that many states sell driver information to marketing companies. If true, then the disclaimer on the back of the SPD letter is misleading and inaccurate.

The phone representative (and the letter) mentioned Marathon Financial Insurance as a provider of coverage for SPD. To the good, Marathon has a far better BBB rating: A+. That is encouraging, but the BBB "F" rating for SPD and my negative experience far outweigh that.

While on the phone, the rep promised a quote if I answered a few questions. After answering about four questions, that seemed again like an attempt to get more personal data out of me. I refused to answer any more questions and asked for a quote. I'd already provided my auto's mileage, year, and general condition -- which should have been enough. The rep declined politely and said that she needed to ask all of these questions to get to a quote. I asked for a quote range instead, and again she declined. At that point, we agreed to end the phone call.

About five days later, a different phone rep from Protection Direct called me at home and provided a quote: about $3,800 over three years. Then, the phone rep explained what repairs were covered and discounted the quote to $2,800 to get me to sign up immediately. I asked for a contract to review first. The rep said the Protection Direct doesn't send out contracts due to cost reasons, and offered a 30-day trial instead. I could cancel in 30 days and get a refund.

I thanked the phone rep for his flexibility and repeated my request to see the contract first. At that point, we decided to terminate disucsson as Protection Direct and I couldn't agree on how to proceed. If there is one thing I have learned while writing this blog, it's that the contractual fine print is critical. It always lists what is provided and what is covered/reimbursed.

Should consumers buy an auto replacement warranty/service program? Only you can decide that for yourself. You know your needs and budget best. Me? I'll pass. I don't see the value. The amounted quoted by Protection Direct was about the same amount as I would have spent anyway on auto maintenace and repairs. Protection Direct's clumsey letter, unhelpful website, and refusal to provide a contract first were obstacles.

If my auto needs repairs, I get it repaired at an auto dealer. If the repairs are expensive, I'll get several estimates first; and then get my auto repaired at the shop with the lowest estimate. If the repairs are prohibitively expensive, I'll just buy another used car.

What is your opinion of Protection Direct? If you purchased a warranty program from Protection Direct or another company, what was your experience?

A Review of Bank of America PrivacySource

A couple weeks ago, I received a letter from Bank of America via postal mail:

"Records Request
Please Review Important information Below
Please Reply Within: 14 Days"

"THIS NOTICE IS REQUIRED BY LAW
You have the right to a free credit report from AnnualCreditreport.com or 877-322-8228, the ONLY authorized source under federal law."

"Complimentary Credit report and Credit Score -- Your signature is required to try the Bank of America PrivacySource(®) at no cost for 30 days so you can receive delivery of your Compiled Credit Portfolio. your benefits will include the following:
1. Your Complimentary Triple-Bureau Credit Report
2. Your Complimentary Triple-Bureau Credit Score
3. Daily Monitoring notifications"

I had not heard of the PrivacySource service before. I had heard of the PrivacyAssist credit monitoring service from BofA, and reviewed it in this blog. Inside the BofA PrivacySource envelope was a single sheet of paper with this offer and a return envelope. I read the entire offer letter looking for a website address. When I receive an offer like this, I expect the offer letter to provide a website address so I can learn more. Surprisingly, the offer letter didn't mention a website: neither a BofA website nor a PrivacySource website. Not good.

I then performed a few Google searches for PrivacySource which turned up this BofA page. I followed the PrivacySource link at the page bottom, and then entered my state on the next page. The problem: the BofA site redirected to a Privacy Assist page which didn't mention anything about PrivacySource. This was confusing and frustrating. Maybe PrivacySource is replacing BofA's PrivacyAssist credit monitoring service. Or maybe PrivacySource isn't available in my state. The BofA website didn't say. Not good.

After some more searching, I found a page at the CreditReportCamp.com site which mentioned the website address for Privacy Source: PrivacySource.Bankofamerica.com. It should not be this hard to find a website address. Whoever built the BofA PrivacySource website failed miserably at SEO. BofA should have listed the website address in the offer letter. And, the BofA website should have linked me directly to it.

But, back to the offer letter. Part of the way down the page, the letter included some important information:

"By signing this form you are authorzing a debit from your Bank of America checking account to the amount of $12.99 per month for a membership in the Bank of America PrivacySource (®) service unless you cancel within the 30_Day Trial Offer period.

That told me a lot. PrivacySource is a credit monitoring service. The offer was similar to offers I've seen before from FreeScore.com and the major credit reporting agencies, except there were two freebies: a "Triple-Bureau Credit Report" and a "Triple-Bureau Credit Score." That sounded nice.

Like most people, I like free things. But, what is a Triple-Bureau Credit Report, and what does it look like? Is it a summary, or does it provide the same details as a credit report from Experian, Equifax, or TransUnion? The offer letter didn't say. Nor did it include an example report. It's hard to evaluate an offer when the service doesn't provide an example report. Not good.

I also wanted to know what a "Triple-Bureau Credit Score" is. Is it the same as a FICO credit score? Or is it a VantageScore? There are several different brands of credit scores available, and I want to know what I am buying. The offer letter didn't say. Nor did it provide a sample score. Not good.

Near the bottom of the offer letter, there was this important information in tiny type:

"By signing this form, you authorize bank of America to share your Social Security Number with Trilegiant, the service provider of the Bank of America PrivacySource service, and authorize Trilegiant and its credit information providers, which may include First Advantage Credco and FAMS, to obtain and monitor your credit files and information from the credit reporting agencies..."

Well, that said a lot. Trilegiant operates the credit monitoring service for BofA under the brand name PrivacySource. I know a little about Trilegiant as I wrote briefly about it previously in this blog. And, Trilegiant was involved in 2008 in at least one class-action lawsuit, which the company settled for $25 million:

"Trilegiant, a subsidiary of Cendant Corp., has also been the target of actions by attorneys general in California, Connecticut and Florida. In 2006, it settled charges brought by 16 states alleging that Trilegiant and Chase Bank had deceived consumers into paying for membership programs."

This is the best vendor BofA could find for its credit monitoring service? More troubling are the recent consumer complaints about Trilegiant.

But let's get back to the BofA PrivacySource offer letter. The language of this authorization troubles me... particularly the "may include" phrase. It essentially says that BofA through Trilegiant will share my sensitive personal information with other companies and doesn't name all of companies, only a couple of possibilities. That is partial and insufficient disclosure to me. Not good.

And, who is First Advantage Credco? And FAMS? I did a little searching and found this First Advantage Credco profile on LinkedIn.com. The company's official website is credco.com, and it appears to be in the midst of a name change to CoreLogic. CoreLogic Credco appears to collect and data mine consumer information, with perhaps an attempt to enter the credit report marketplace.

I have not been able to determine who FAMS is. If you know, please share a description and website link in the comments section below.

About the PrivacySource website, to its credit the site does provide sample credit reports and credit scores. I compared the reports to actual credit reports I already have from Experian, Equifax, and TransUnion. The PrivacySource credit reports look like summaries. To adequately manage my finances, I need the real thing -- not summaries.

Consumers who visit the PrivacySource website should read the service's Terms and Conditions. This is important to understand what you get for $12.99 per month. You get a credit monitoring service and no credit resolution services. If you are the victim of identity theft and fraud, you'll need both services-- you'll need resolution service to help you communicate with various companies, lenders, and government agencies to fix your credit and all affected financial records.

PrivacySource uses CreditXpert Credit Scores (TM) from CreditXpert.com. Consumers should be aware that this is a different credit score brand. It is not the same as FICO from the Fair Isaac Corporation. The My ID Alert service from Capital One also uses CreditXpert Credit Scores.

If you have the time, you might compare PrivacySource and PrivacyGuard.com, Trilegiant's credit monitoring service. I didn't bother comparing the two sites because I'd already made up my mind about PrivacySource. First impressions are important. The PrivacySource offer letter was underwhelming and the site was difficult to find.

Is BofA PrivacySource for you? Only you can make that decision. It's not for me. Why? First, the letter didn't contain enough information for me to to make a decision, and it didn't include the service website. Second, the difficulty I encountered with finding the PrivacySource website gave me the impression that if the company can't do that well, the actual service is probably problematic, too.

Third, the sample credit reports seemed like summaries and not the full detail. Fourth, I prefer a comprehensive service that includes both credit monitoring and resolution services. Fifth, there are more comprehensive services that also help with medical identity theft and fraud.

If you already signed up for PrivacySource, please share your experience below. I've Been Mugged readers would love to hear your experiences, good and bad. If you have experiences with FAMS and/or First Advantage Credco, we'd like to hear about that too.

Cities Whose Consumers Have The Highest Credit Scores

I found this report very interesting. The Experian State of Credit report ranked cities in the United States by consumers' average credit score. Residents in these cities had the highest average credit scores:

1. Minneapolis (MN): 787
2. Madison (WI): 785
3. Cedar Rapids (IA): 781
4. Green Bay (WI): 780
5. San Francisco (CA): 780
6. Boston (MA): 779
7. Peoria (IL): 778
8. La Crosse (WI): 778
9. Seattle (WA): 777
10. Sioux Falls (SD): 777

The average credit score was based on January to June 2010 inputs by Designated Marketing Area (DMA) from VantageScore and other leading credit reporting agencies. VantageScore is a newer credit-score score brand which competes with the FICO score, produced by the Fair Isaac Corporation. Consumers' VantageScores range from 500 to 990. 16% of the population has a VantageScore between 900 to 990.

The cities with the lowest average VantageScores:

1. Harlingen (TX): 684
2. Jackson (MS): 698
3. Corpus Christi (TX): 700
4. Shreveport (LA): 701
5. El Paso (TX): 706
6. Monroe (LA): 706
7. Las Vegas (NV): 707
8. Bakersfield (CA): :708
9. Myrtle Beach (SC): 709
10. Tyler (TX): 709

Residents in Harlingen had an average of 1.4 credit cards, $23,500 outstanding credit card debt, and an 11.7% unemployment rate. Residents in Minneapolis had an average of 2.1 credit cards, $25,100 outstandind credit card debt, and a 6.8% unemployment rate. Coincidentally, the Minnesota Attorney General's website provides its residents with good information about both personal finance and credit scores. The website lists these factors that affect consumers' credit scores:

• Have you paid your bills on time?
• How much outstanding debt do you have?
• How long have you had credit?
• How often do you apply for credit?
• What types of credit are you using?

When comparing credit scores, consumers need to know which brand of credit score they have. Want to learn more? Visit the attorney general or consumer protection website for your state. Also, you may find these related blog posts helpful:

• A Review of FreeScore.com
• After a Data Breach, Will a Replacement Credit Card Affect Your Credit Score?
• 'Hard' Inquirieis Will Negatively Affect Your Credit Scores
• 5 Sneaky Ways To Ruin Your Credit Score

South Shore Hospital Breach Exposes 800K Patients' Records

On July 19, South Shore Hospital in Weymouth Massachusetts announced details about a data breach, where 800,000 patients' records from the last 14 years were lost by a data management vendor. The hospital shipped backup computer files on February 26, 2010 to the data management vendor for off-site destruction. The hospital became concerned when it did not receive confirmation from the vendor of destruction of the computer files.

The lost, or stolen, computer files contained sensitive personal and medical information about hospital employees, doctors, volunteers, donors, vendors and business partners. The hospital stated in a press release:

"The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files."

May include? An organized hospital should know what is on those lost/stolen backup data tapes. After all, it had over four months -- from late February into July -- to investigate and determine exactly what was on those data tapes.

And, the information on these backup computer files encrypted. It should have been.

Moreover, the delay between discovery of the breach and notification was too long. I see this type of delay repeatedly in data breaches. A 4+-month delay in notification to breach victims gives identity criminals plenty of time to do damage. The announcement and the delay give the impression that the hospital did not have a breach response plan:

"The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing."

Moreover, the hospital had not yet notified its breach victims at the time of the announcement. It said it would notify breach victims during the coming weeks. Weeks?

In my opinion, that is not good and simply sloppy. This breach is a disaster for any health care organization as the lost (or stolen) information is pure gold for identity thieves: everything needed to gain health care fraudulently and/or open new lines of credit.

Experts advise patients, employees, former employees, contractors, or vendors of South Shore Hospital to check your credit reports for fraudulent entries. The hospital listed the telephone numbers for the three major credit reporting agencies in its Sample Individual Notification letter. The ID-Theft Resources page in this blog lists the website addresses of the three major credit reporting agencies.

If you discover fraud (e.g., bogus entries in your credit reports, another person's medical information in your medical records, another person has committed a crime in your name, etc.), the hospital's Sample Individual Notification letter correctly advised breach victims to:

• File a police report with local law enforcement (and keep copies -- you'll need them later)
• File an identity theft complaint with the U.S. Federal Trade Commission
• Access the official site -- annualcreditreport.com -- to get free copies of your credit reports from the three major credit reporting agencies
• Notify the credit reporting agencies in writing of any errors or fraudulent entries on your credit reports
• For protection, place a Fraud Alert or your credit reports. If you have experienced fraud, use a Security Freeze instead. Not sure? Browse the differences.

However, the hospital should have done more. First, the standard post-breach response is for an organization to its provide breach victims with free credit monitoring services. And that service should provide credit resolution services, since it will cost breach victims much time and money to repair their credit files. South Shore Hospital didn't offer this service in either its press release or Sample Individual Notification letter.

How long for complimentary credit monitoring? IBM provided its breach victims, including me, with one year, but other companies and hospitals have provided two years. The longer, the better.

Second, it is extremely difficult to correct medical files when another person has used your personal information to obtain health care fraudulently. Any identity monitoring and resolution service should also help breach victims with this. After its data breach of 1.5 million records, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims. Earlier this year, AvMed offered its 1.2 million breach victims complimentary services with Debix. Debix provides services that cover both credit files and health records.

Third, the hospital should setup a website to answer common questions breach victims typically have, to share the results of the breach investigation, and to present actions the hospital is taking so this breach doesn't happen again. For many consumers this will be their first experience with a data breach and identity theft. A certain amount of guidance and assistance are appropriate.

Fourth, the hospital should have named the data management vendor in its initial press release. In later news reports we learned that the data management vendor, Archive Data Solutions, had subcontracted the work to another company. That's still no excuse. Consumers deserve timely breach notification, and the hospital's contract has to anticipate this.

Fifth, I was surprised that the hospital's Sample Individual Notification did not mention, for breach victims that are also Massachusetts residents, the Massachusetts Attorney General website which contains several identity theft resources, including this handy guide for fraud victims (PDF format, 113K bytes). This is appropriate content for a post-breach support website, too. WHDH reported several tips from the Attorney General's office for breach victims to protect their medical records.

What do you think? If you are a South Shore Hospital breach victim and received a breach notification letter, we would like to hear your experience.

My ID Alert From Capital One (Product Review)

A few days ago, a representative from Capital One Bank, where I have a credit card account, called me at home about identity theft. The representative was polite and asked if I knew much about the increasing risks of identity theft. Her solution was to sign me up to My ID Alert, a credit monitoring services offered jointly by Capital One Bank and Intersections, Inc..

I listened to her pitch and thanked her for the call. I asked if My ID Alert included medical identity theft coverage. She said it didn't and she didn't know much about that. I mentioned that this was important to me since I am interested in a comprehensive identity protection service that includes credit monitoring, public records monitoring, and medical identity theft protections.

Plus, I was not about to sign up for any credit monitoring service over the phone without, a) understanding what specific services are included in the monthly fee, and b) reviewing the contract terms and conditions. Since writing this blog, I have learned that the important stuff is always listed in the contract terms of a credit monitoring service. If it's not in that document, then it's not provided.

I visited the My ID Alert website to learn more. I had encountered Intersections previously in 2007 when reviewing the Bank of America's Privacy Assist credit monitoring service. A review of My ID Alert would be a good follow-up to see if Capital One negotiated an improved service with new features. The My ID Alert main page:

The site was well organized and easy to read. Consumers can quickly find the major features of the service. For $12.99 monthly, subscribers get:

• Unlimited access to valuable credit tools and your credit score
• Daily monitoring of your credit files at all 3 credit bureaus
• Up to $50,000 identity theft insurance with no deductible and at no extra cost

It was easy for me to find and read the website Privacy Policy. It explained that the site uses HTTP browser cookies, but it didn't mention whether or not it uses Flash Cookies. The website probably uses Flash Cookies (a/k/a Local Shared Objects) since it mentions that it works with unnamed third parties.

It was tricky to find the contract terms. First, click the "Enroll Now" button on the home page. On the "Order Form: Step 1" page, there are two links you'll want to use. The first link, "more info," is next to ID Alert and it provides access to summary information in a pop-up window:

The second and more important link, "Print and Review Terms of Use," is further down the page and provides access to the contract terms:

Both links should be more accessible to users, ideally on the home page, the FAQ page, and the Privacy Policy page. The contract terms contain critical information consumers need to evaluate the service. It shouldn't be this hard to find important information.

It is important to note that Capital One already sells a credit monitoring service by Intersections: CreditInform Premier. The My ID Alert website didn't mention this, nor did it provide a comparison. So, I developed this brief comparison:

Item	CreditInform Premier	My ID Alert
Unlimited access to credit tools and credit score	Yes	Yes
Quarterly Notification / credit updates	Yes	Yes
Insurance	$20,000	$50,000
Notify Express. Includes: Inquiries to your credit files New accounts opened New public records Address changes Changes to public records Changes to account information	Yes. Based on Experian credit report only	No
Credit Score ( From CreditXpert, Inc. which is not a FICO score)	Yes	Yes
Monthly fee	$8.99	$12.99

Then, I read the contract terms more closes and noted some important language about the credit score provided (links added for improved readability):

"Any credit score provided as part of the Service is provided by CreditXpert products. The information used by CreditXpert products is derived from one or more credit reports produced by the major credit reporting agencies, also called credit bureaus... CreditXpert Credit Scores(TM) are provided to help users better understand how lenders evaluate consumer credit reports. Lenders may use a different score to evaluate a person's creditworthiness... Also, CreditXpert Inc. is not connected in any way to Fair Isaac Corporation; the CreditXpert Credit Score is not a so-called FICO(®) score. CreditXpert Inc. does not represent that CreditXpert Credit Scores are identical or similar to any specific credit scores produced by any other company."

I have not heard of CreditXpert before. And, like most consumers I thought that FICO was the only source of credit scores. This is an important disclosure since potential lenders may treat different brands of credit scores differently.

I have not done an analysis of the difference between a credit score from FICO versus CreditXpert. Perhaps a reader has and will add a comment below. So, I can't state what the impact might be on a consumer's credit worthiness. Consumers wanting to purchase a FICO-brand credit score may want to look elsewhere. The website didn't present any testimonials from My ID Alert customers, a helpful feature that could have addressed concerns about the credit score source.

One indicator I use to judge a company responsiveness to consumers' needs is whether or not the service has built pages on social networking sites like Facebook, Twitter, and Youtube. These are often a rich source of customer opinions and consumer testimonials, if the service does not have a blog site.

I searched and didn't find a My ID Alert page on Facebook, Twitter, or Youtube. This makes me wonder how serious executives at Capital One and Intersections are about reaching consumers. You have to fish where the fish are.

I also browsed the My ID Alert service looking for evidence it offers real-time alerts via e-mail or text messaging. To help me monitor my financial accounts, my bank offers this where I set the threshold amount to trigger an e-mail alert 24/7. The sooner I can discover fraudulent activity, the less money I am likely to lose. So, I look for this in a credit monitoring service. I couldn't find any evidence in the My ID Alert website about whether it offers real-time alerts. So, I assume no.

Should you sign up for My ID Alert? To me, it is a starter credit monitoring service... it is an option for a person who is just learning about identity theft and wants basic coverage. Each consumer's situation is slightly different, so it is always wise to shop around. For example, parents may seek a service that covers several family members. I've reviewed several credit monitoring service in this blog.

As I mentioned above, I seek an identity protection service that is comprehensive... that includes credit monitoring, public records monitoring, and medical identity theft protections. I want the convenience of subscribing to a single service... one-stop shopping.

The MY ID Alert service doesn't fit my identity protection needs. And, its price seems high. Yes, you get more insurance but you don't get the Notify Express feature Capital One offers in CreditInform Premier. And, the service Capital One negotiated with Intersections didn't seem much different from Bank of America's offering when I last reviewed it.

What do you think? If you use or have used My ID Alert, please share your experiences. We'd love to hear them.

Identity Theft Prevention Tips For College Graduates

Maybe you graduated from college recently. Or, you are the parent (or family member) of a recent graduate.

There are certain things college graduates need to know to be an informed consumer, and not get ripped off or scammed. The U.S. Federal Trade Commission created the "How To Be a Class-Value-dictorian" (Adobe PDF format) alert for college students and graduates. The FTC's advice:

1. Keep your personal information to yourself
2. Socialize safely online
3. Consider the National Do Not Call Registry
4. Stay away from “guarantees” of scholarships
5. Don’t buy bogus weight loss products
6. Understand credit and use annualcreditreport.com
7. Travel scams turn summer breaks into summer busts
8. Peer-to-peer file-sharing can be risky
9. Phishing scams reel in personal information
10. Some employment services are scams

To this list, I would add the following:

• Don't share publicly your friends' private information, especially on social networking sites (some Facebook members are already aware of this)
• Use strong passwords online
• Use anti-virus software on your home laptop/desktop and keep it current
• Learn how to recognize phishing e-mails and phishing websites
• Learn how to recognize ATM machines that has been tampered with by criminals
• Opt out of telemarketing and pre-approved credit card offers
• Use a snail-mail mailbox that locks
• Shred documents you no longer need that contain sensitive personal information
• Don't pay at the pump. Pay with credit/debit cards inside at the cashier
• Use a credit card when shopping, and not your debit card

What identity theft prevention advice would you give to college graduates?

Poll: Readers' Attitudes About Offshore Outsourcing

Over the past few months, I ran an informal poll on this blog asking readers about their attitudes toward offshore outsourcing. While corporations are good at assembling resources and products from various geographic areas to deliver low-priced goods to consumers, a seldom discussed aspect is that corporations also transmit customers' sensitive information between offices and vendors in several countries.

Consumers are well aware of offshore outsourcing when they talk with a customer service representative who clearly has an accent and is located in another country. Many offshore outsourcing activities are hidden from consumers and customers when those activities are performed in back-office or support operations. I explored in a four-part blog series the issues with offshore outsourcing by the major credit reporting agencies. For example, when consumers submit via paper corrections to their credit reports, those corrections are often entered by staff or vendors located in other countries.

With all of this in mind, I asked I've been Mugged readers to select the statement which best describes their attitudes about offshore outsourcing and consumers' credit information. Here are there responses:

• 14% of respondents felt that companies should not perform offshore outsourcing under any circumstances
• An equal number (14%) felt that offshore outsourcing is okay generally, but shouldn't be used for financial and credit information
• The greatest number of respondents (36%) felt that companies should notify customers if they perform offshore outsourcing and customers should have a choice to opt-out
• Far fewer respondents (9%) felt that companies should notify customers if the company's offshore outsourcing includes customers' sensitive data
• 18% of respondents felt that U.S. Congress needs to do more about offshore outsourcing (e.g., legislation for oversight, auditing, data breach notification, etc.)
• 5% felt that credit monitoring services shouldn't perform offshore outsourcing
• 5% don't care whether companies perform offshore outsourcing or not

What to make of these results? First, this was an informal poll. So, it captured the opinions of only I've been Mugged blog readers. Readers of this blog are consumers who have been affected by identity theft, fraud with bank accounts, fraud with their credit reports, and/or data breach victims.

So, the readership of this blog is somewhat of a self-selecting group that has an interest and knowledge about privacy and their sensitive personal information. For the results to be applicable to the entire U.S. population, the survey participants should have included a random selection from the broader U.S. population.

Second, I believe these results are directional in that consumers want to be informed and want control over their sensitive personal information. It was not surprising to me that the greatest number of respondents (36%) felt that companies should both notify customers if they perform offshore outsourcing and provide their customers with an opt-out mechanism.

This indicates that consumers want to be notified and want control over who has access to their sensitive personal information. The company-customer relationship is built on trust. This sensitive customer information It is not for corporate executives to treat as if it is theirs alone.

Like it or not, companies will have to recognize and deal with this reality.

TransUnion And Acxiom Modify Their Arrangement

I wrote a 4-part series in 2008 about the three major credit reporting agencies and offshore outsourcing. I have not written much about Acxiom, a company that archives and data-mines massive amounts of information about consumers. This blog post is a start to correct that reporting oversight about Acxiom.

RTT News reported:

"TransUnion, and Acxiom Corp. announced a renewed agreement... Under the new multi-year agreement, Acxiom said it will continue to manage the operation of TransUnion's sophisticated mainframe environment and supporting network processes. In addition to delivering robust and secure infrastructure management, Acxiom and TransUnion will continue to combine their data and technology expertise to help clients create accurate, real-time and consistent information across their enterprises and also enable them to drive highly personalized marketing via both companies' multichannel solutions."

A Review Of FreeScore.com

I saw the ad below recently on late-night television. Perhaps you have seen it too:

I know Ben Stein more for his comedy than his economic commentaries. He's also in some funny cable TV service commercials with Shaq. So, I have nothing against Stein. Everyone has to make a living.

I don't know anything about Filbert, the squirrel in the ad. I have nothing against Filbert either.

At first view, the ad seemed harmless enough. It is wise for consumers to know their credit score, since many purchases depend upon having good credit. To learn more, I visited the FreeScore.com site.

That's when things really got squirrely.

The site is easy to read and easy to navigate. There are huge buttons on the home page to start the registration process to get those free credit scores. Consumers can get "free" credit scores from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion:

The above page copy also inform users that they can get their credit reports when ordering their free credit scores. Further down the page (out of view when the page first loads) is as a huge button for consumers to click to view a sample report compiled with information from the three credit reporting agencies. A sample report is a good thing to view before registering. A more friendly page design would place that sample button further up the page so it is easier to see.

Now, I already know my credit score, so I didn't register for the FreeScore.com service. If you scroll to the bottom of the page, you will see tiny text that is easy to miss, especially if you clicked on any of the large buttons near the top of the page. So, I've repeated the tiny text here:

"FreeScore.com is not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under law, you must go to www.annualcreditreport.com.

Translation: while you can get credit reports at the FreeScore.com site, they aren't free. The credit scores are free but the credit reports have a monthly fee. The tiny text explains why there is a monthly fee:

"FreeScore provides you with the tools you need to access and monitor your financial/credit information through the program's credit reporting and monitoring benefits. FreeScore and its benefit providers are not credit repair service providers and do not receive fees for such services, nor are they credit clinics, credit repair or credit services organizations or businesses, as defined by federal and state law. Credit information provided by TransUnion Interactive, Inc."

Translation: the site is operated by TransUnion, one of the three major credit reporting agencies. FreeScore will help you monitor your credit scores and credit reports, but it won't help you fix them should something bad happen. You are on your own if you need to remove errors in your credit reports, or if you are already an identity-theft victim and thieves have made fraudulent purchases affecting your credit scores and reports.

So, if the credit reports at FreeScore aren't free, how much do they cost? In my opinion, a better design would have displayed the price along with the credit report offer on the home page. Instead, the consumer has to hunt for the price information, which appears on the FreeScore registration page below. The price is in small type in the right column under OFFER DETAILS:

I've repeated the tiny copy here so it is easier to read:

"Simply click "View Scores" on the next page to activate your FreeScore trial membership and claim your 3-in-1 Credit Profile and Triple Credit Score. After your 7-day FREE trial period it's just $19.95 per month for FreeScore. Remember, you can call FreeScore toll-free at 1-800-316-8824 within the first 7 days to cancel, and you will not be charged/debited."

Translation: you get free credit scores only during the seven (7) day trial period. After that, charges apply if you don't cancel your trial membership, which automatically signed up for a credit monitoring service costing almost $20 per month. The trial membership period is awfully short, too.

This offer by FreeScore.com reminded me a lot of the pitch by FreeCreditReport.com, a site that pitches free credit reports but enrolls consumers in a credit monitoring program with a monthly fee if you don't read the tiny text and cancel. Yesterday's post discussed the new Credit Report disclosure rules mandated by the FTC. The FreeScore.com site never pitches free credit reports, so I guess that TransUnion believes that they don't have to comply with the new disclosure rules since they aren't selling free credit reports at the site.

In my opinion, the FreeScore.com site is the same as the FreeCreditReport.com site. Both advertise X (e.g., get something for free) but really offer Y (credit monitoring for a monthly free) and place the important details in small print rather than say so upfront in easier to read type. Both sites use the auto-opt-in method: the user is enrolled in the credit monitoring service unless they cancel in time. To me, this is a sleezy marketing approach. The old "buyer beware" advice definitely applies here.

In my opinion, FreeScore.com is expensive since the price includes credit monitoring and not credit resolution services. And, the FreeScore monthly fee of $19.95 is higher than the FreeCreditReport.com monthly fee of $14.95. So, maybe the cost of those "free" credit scores is baked into the higher monthly credit monitoring fee.

Is FreeScore for you? That's a decision only you can make. You know your credit situation best. Having good credit is critical and monitoring your credit reports is wise to ensure their accuracy. If you are a victim of identity theft and fraud, then monitoring your credit reports for fraudulent purchases is critical, but getting credit resolution service is equally important.

My advice: shop around and always read the FINE PRINT at a Web site; especially sites offering freebies and/or credit monitoring services. Know the limitations of the credit monitoring service you are considering. Be an informed consumer.

FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports

In a press release late last month, the U.S. Federal Trade Commission (FTC) announced new disclosure rules that will go into effect on April 2 for Web sites offering "free" credit reports. The new rules aim to help consumers better understand Web sites offering "free" credit reports. The new FTC Credit Reports Rule effective April 2:

"... will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:

THIS NOTICE IS REQUIRED BY LAW. Read more at FTC.GOV. You have the right to a free credit report from AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law."

The Credit CARD Act of 2009 required the FTC to change the Credit Reports Rule by February 22, 2010 to prevent deceptive marketing of “free credit reports.” During the interim period from February 22 until April 2, the disclosure requirement is shorter, includes only text, and excludes links:

“Free credits reports are available under Federal law at: AnnualCreditReport.com.”

After April 2, the disclosure includes longer text (see above), a clickable button to "Take me to the authorized source" for free credit reports, and clickable links to both AnnualCreditReport.com and FTC.GOV. Prior to issuing the revised rules, the FTC sought and received feedback about the proposed rule change from consumers, consumer reporting agencies, consumer report resellers, business and trade organizations, state attorneys general, consumer advocates, law firms, members of Congress, and academics.

This is the best that the FTC could do? It doesn't seem to prevent deceptive advertising but, moderate it instead.

Is the interim disclosure enough? Obviously not. While it is a step in the right direction, it is a small step. It includes minimal text and no links.

Is the April 2 disclosure enough? This is two steps in the right direction, but still not enough. While it includes more text and links, one link is to the FTC home page. A better link destination would be the FTC site page about free credit reports and the AnnualCreditReport.com site.

A even better solution would be for the rule to prohibit companies from making what is essentially, in my opinion, a "bait and switch" offer. Then, these micro-managing rule changes would be unnecessary and not waste limited government resources. At FreeCreditreport.com, the "free" credit reports really aren't. The site currently contains the interim disclosure, as required by the FTC.

I am sure that the credit reporting agencies are happy with the FTC's new rule change because it allows business-as-usual with minimal changes. Experian doesn't have to pull all of its FreeCreditReport.com ads that appear on both Youtube and late-night television and cable.

Sadly, the new rules are a business-friendly solution that allows companies to continue presenting Web sites with similar "bait and switch" offers; only to replace "free credit reports" with other freebies to evade the new disclosure rules.

How? I'll discuss one example tomorrow.

Ripoffs For Consumers to Avoid

This blog is all about what to do if you have been "mugged" or abused by a company or identity criminal, and what to do to avoid getting "mugged." Recently, CNNMoney published a list of, "America's Biggest Ripoffs." Thanks to my friend and I've Been Mugged reader, Bill, for the link.

I knew that text messaging and hotel mini-bars would definitely be on the list. I was happy to see this item also on the list of ripoffs:

"There's nothing free about forking over $179 a year for information at Freecreditreport.com. Instead you can go to AnnualCreditReport.com, which is run by the Federal Trade Commission, and get a truly free report once a year from each of the credit agencies: Equifax, Experian and TransUnion. Freecreditreport.com's catchy ditties can get stuck in your head for days -- but subscribing to the service will haunt your credit card bill for a year. When you sign up, you're asked for your credit card number. Then the site automatically enrolls you in its "Triple Advantage credit monitoring," which pledges to continuously track your credit status for $14.99 per month."

A warning: if you decide to use FreeCreditReport.com, read the fine print and contract terms closely, first. You do have seven (7) days within the trail period to cancel the credit monitoring service. I strongly urge you to browse the entire list of ripoffs.

What do you think? Should FreeCreditReport.com be on the list of ripoffs?

Credit Smart Consumers