Credit Bureaus

Wednesday, May 14, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 4)

Prior posts discussed offshore outsourcing by TransUnion and TrueCredit. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion (and TrueCredit) outsource their operations and her credit information, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions. So far, I've learned that TransUnion and TrueCredit, its credit monitoring service, both offshore outsource.

To learn more about offshore outsourcing within the credit bureau industry, I reviewed the 10K document Equifax filed with the U.S. Securities and Exchange Commission. Equifax is publicly-traded while TransUnion is privately-held. The S.E.C. requires public companies to submit certain filing documents. Both companies collect consumers' credit information, sell credit reports to potential lenders, and operate credit monitoring services. A publicly-traded company's 10K filing usually tells more about its operations than its Annual Report document.

A view of Equifax's operations would provide a perspective about TransUnion, since both companies perform similar activities. To stay competitive, TransUnion would attempt to maintain a similar cost structure to its competitors -- Experian and Equifax.

From the Equifax 10K document:

"Upon our acquisition of TALX Corporation, or TALX, on May 15, 2007, we became a leading provider of payroll-related and human resources business process outsourcing services in the United States of America, or U.S. We currently operate in three global regions: North America (U.S., Canada and Costa Rica), Europe (the United Kingdom, or U.K., the Republic of Ireland, Spain and Portugal) and Latin America (Brazil, Argentina, Chile, El Salvador, Honduras, Peru and Uruguay). Of the countries in which we operate, 73% of our revenue was generated in the U.S. during 2007."

Some interesting information about the business risks Equifax sees and how that risk relates to outsourcing activities:

"Our ability to provide reliable service largely depends on the efficient and uninterrupted operation of our computer network systems and data centers. Some of these systems have been outsourced to third-party providers. Any significant interruptions could severely harm our business and reputation and result in a loss of customers."

If you read further into the 10K document, Equifax lists its contractual obligations which include outsourcing expenses:

| Payments Due By | Total | Less Than 1 Year | 1 To 3 Years | 3 To 5 Years | Thereafter |
|---|---|---|---|---|---|
| Data processing, outsourcing agreements and other purchase obligations* ($ millions) | $305.5 | $88.5 | $103.3 | $90.2 | $23.5 |

* These agreements primarily represent our minimum contractual obligations for services that we outsource associated with our computer data processing operations and related functions, and certain administrative functions. These agreements expire between 2008 and 2014.

The document also states:

"Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with International Business Machines Corporation, or IBM, Acxiom, GenPact, TCS and others to outsource portions of our computer data processing operations, applications development, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2008 and 2013. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $305.0 million as of December 31, 2007, with no future year expected to exceed approximately $90.0 million... In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay a significant penalty."

I wonder exactly what's in "related functions and to provide certain other administrative and operational services." That sounds like call centers. Equifax's outsource agreement with IBM:

"Our data processing outsourcing agreement with IBM was renegotiated in 2003 for a ten-year term. Under this agreement (which covers our operations in North America, Europe, Brazil and Chile), we have outsourced our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of such services varies by location. During 2007, 2006 and 2005, we paid $115.0 million, $112.1 million and $120.8 million, respectively, for these services. The estimated future minimum contractual obligation at December 31, 2007 under this agreement is approximately $255.0 million, with no year expected to exceed approximately $55.0 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement."

If my friend, Laurie, decides to switch credit monitoring services... drop TrueCredit and sign up for another credit monitoring service by Experian or Equifax, she can reasonably expect that they outsource also. Like TransUnion, Equifax also operates several credit monitoring services, with varying features.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so if the company can't provide a high-quality call center operation?

I had to dig deep to find some information about the company's offshore outsourcing activities, since this data isn't readily available on the company's web site. Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise?

The three national credit bureaus assume that the lowest cost for credit information is best for consumers. Laurie's concerns suggest otherwise: that consumers want both protection and a reasonable price, not the absolute lowest price. A service with a low price and no data security isn't worth much. Consumers now realize that bad things happen: data breaches. There is always risk. And, one can reasonably expect bad things to happen with offshore outsourced credit information just like data breaches within the USA.

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers now know today that companies suffer data breaches. Some consumers know first-hand the expense, hassle, and grief involved with restoring their information and credit after a criminal has hacked their financial accounts.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. Laurie's concerns reflect this. It all goes to the level of risk people are willing to accept. Experts have identified the data security risks of offshore outsourcing. The fewer places credit and financial data are transmitted, the fewer chances for bad things to happen. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, TrueCredit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

What do you think? Take our poll today or submit a comment below.

Thursday, May 08, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

  • Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
  • Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.
Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco."

So, it appears that TransUnion, the parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have an idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts, "Is It Wise...?" and didn't title it "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the fewer chances for lost or stolen data. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, TrueCredit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.

Wednesday, May 07, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, but to a different Privacy Policy or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't that easy to read or find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mention of outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, in what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings; documents filed by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings, which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.

Tuesday, May 06, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)

A friend, Laurie, wrote to me recently about the difficulty she is having with her credit monitoring service:

"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"

Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.

So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative; or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation for efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.

Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:

  1. Collect and archive credit reports with consumers' sensitive personal and financial data
  2. Sell credit reports to potential lenders
  3. Sell credit monitoring services to consumers

The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.

Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.

One could debate whether roles #2 and #3 present a conflict of interests, perhaps similar to the role a computer software company has when it sells operating system software and application software. But, that debate must wait until after I answer Laurie's questions.

Laurie's message raised the subject of outsourcing, but more specifically off-shore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

If this local-same-country processing and archiving isn't the case, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service offshore outsources, does she have the same data protections? Does the outsource firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsource vendor in another country, will she be notified? Will that notification be accurate and timely?

Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:

"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."

The article also reported this about TransUnion:

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.

A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:

"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."

To my knowledge, that crack-down never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And, we consumers have elected those members of Congress.

The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.

A lot has happened since that 2003 article. Maybe, the companies' outsourcing plans, activities, or scope have changed. The fact is identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Fran Chronicle article made it clear that the credit bureaus were no longer going to hide their off-shore outsourcing plans and activities.

More about all of this tomorrow.

Tuesday, April 22, 2008

Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by themselves -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying a) who you are, b) your current residential address, c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, or via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g., you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid for my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 in total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN number. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name, if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do like use rotating and stronger passwords, and set up e-mail or text messaging alerts for your financial accounts.

Wednesday, April 09, 2008

Discover Changes Its Credit Monitoring Service Vendor -- Is It An Improvement?

Since 2004, I have used the credit monitoring service offered by my Discover Card issuer. Recently, I received this notice with my monthly Discover bill:

"For Discover Identity Theft Protection members who receive membership materials through the Internet: This is to inform you that we are in the process of changing the service provider of the Discover Identity Theft Protection product. Effective on or after September 1, 2008, the provider of Identity Theft Protection will become ConsumerInfo.com, Inc. an Experian company. Experian is one of the three major U.S. credit reporting companies."

Well, that seems innocent enough. Discover is definitely free to switch service providers, especially if Experian gave them a better deal. Similarly, I am free to switch credit monitoring services too, to get the best deal possible. Several years ago, Discover called its credit monitoring product ProfileProtect. I checked my documentation from 2005, which listed Intersections, Inc. of Chantilly, Virginia as the credit report services administrator for Discover's program.

The printed paper notice from Discover also said:

"In an effort to ensure that your Identity Theft Protection membership continues without interruption, the following changes will occur:"

  • "Our new provider of Identity Theft Protection will obtain and monitor your credit report(s) beginning June 1, 2008 to ensure that you receive your Quarterly Updates without interruption.
  • During your membership, you elected to access your Identity Theft Protection services through the Internet. Effective on or after September 1, 2008, we will no longer be able to offer this product to you through the Internet. Please note you will receive all materials via First-Class, but you will no longer have access to the online Credit Analyzer.
  • You will begin receiving your membership materials from our new provider on or after September 1, 2008.
  • If for any reason you do not want your Identity Theft Protection membership to be serviced by our new provider, which will require that they obtain your credit report for continuous monitoring, please call Member Services at 1-866-329-5760."

This presents a problem. I signed up for Internet access for a couple of reasons. One: Internet access provides greater security than updates via snail mail. Two: Internet access provides fast e-mail alerts about my credit reports. E-mail alerts are important because the sooner a consumer discovers abuse on a financial account, the sooner they can take action and the less money they are likely to lose.

Three: it seems that Discover and Experian are unable to agree to provide me with uninterrupted service via the Internet. This vendor change smells more like a hand-off than a true swapping of vendors. I expect uninterrupted service given the money I am paying monthly. Four: Experian already makes money by selling my credit reports, so I am reluctant to give them more money. The combination of credit reports and a credit monitoring service in a single company is something I don't find attractive, while Experian tries to restrict independent credit monitoring service companies.

Five: Experian operates several consumer credit monitoring services besides ConsumerInfo.com. Experian operates FamilySecure.com, which offers several features not found in ConsumerInfo.com. This makes me wonder why this vendor swap included ConsumerInfo.com and not FamilySecure.com. Was it Discover's choice? Was it Experian's demand? Or was it based on cost?

A comparison on price: FamilySecure is $19.95 per month, ConsumerInfo is $11.95 per month, and I have been paying $9.99 a month for Discover's existing credit monitoring service. Discover's notice didn't say anything about price, so I assume the monthly price remains the same. But that isn't a good value for me, because I'd be paying the same monthly amount for fewer services. In plain English, that's a price increase. And I lose access to online updates, online features, and the Credit Analyzer.

I wonder what brainiac at Discover Financial Services negotiated this agreement with Experian.

Regardless, I had planned this Spring to evaluate my credit monitoring services, since my year of free credit monitoring services with Kroll (thanks to IBM) ends in June. My ultimate choice for a credit monitoring service is not based on price alone, but on value: the balance of features, benefits, and price. Discover's vendor change just added another item to my existing list of reasons to evaluate the available credit monitoring services.

Tuesday, March 04, 2008

LifeLock Recommends Stronger Fraud Laws

An earlier post discussed the lawsuit Experian filed against LifeLock. It seems that LifeLock is fighting back. According to the Arizona Republic:

"LifeLock Inc.'s chief executive officer is taking the offensive by proposing sweeping changes to how the three major credit bureaus operate as the company prepares for a potentially bitter legal battle with Experian. Todd Davis, co-founder and CEO of Tempe-based LifeLock, kicked off a multi-state tour this weekend in which he is urging businesses and consumers to demand that their legislators do more to fight identity theft and fraud."

Davis wants Fraud Alerts extended from 90 days to at least one year. According to the news report:

"The fraud alerts are at the heart of a lawsuit that Experian filed against LifeLock almost two weeks ago in U.S. District Court for the Central District of California. LifeLock charges customers $10 per month for its service, which includes signing them up for the temporary alerts with the three credit bureaus every three months."

It's important to note that the credit bureaus are mandated by law to provide the fraud alerts for free to consumers. The credit bureaus also offer for-fee credit monitoring services like LifeLock's service. (See the listing in the right column.) So, Experian's claim that LifeLock charges for what Experian is forced to do for free seems weak, since it seems to ignore Experian's credit monitoring services.

The other change proposed by LifeLock:

"Davis said he hopes consumers will pressure their legislators to introduce measures that impose tougher prison standards for people convicted of ID theft and related crimes and limit the use of personal information, among other changes."

The article doesn't explain what Davis means by, "tougher prison standards for people convicted of ID theft..." and by, "...limit the use of personal information." If LifeLock is truly promoting changes for the consumers' benefits, I hope that their proposal includes:

A LifeLock press release mentions the company's tour through several Southeastern states, but doesn't mention any of the above details. Rather, Experian and LifeLock seem to be fighting over who gets the money from consumers in the growing credit monitoring services marketplace. But there's more:

"Davis argues that Experian doesn't want to spend the time or money to help all the consumers seeking protection. "What Experian is counting on is if a consumer has to renew this every 90 days, they won't stick with it," Davis said by telephone from Florida on Monday afternoon."

The news report quoted Equifax spokesman David Rubinger as saying:

"We believe (a 90-day fraud alert) provides ample time for a consumer to determine if they've been a victim of identity theft, and of course it can be renewed in a matter of minutes if they still need more time," Rubinger said.

Hmmmm. I definitely disagree with Rubinger's statement.

I started writing this blog after IBM exposed my personal data in February 2007. As I researched the identity theft issues, I found that current business practices heavily favor companies making money by trading consumers' personal data, while consumers bore an unfair portion of the risks after a data breach.

So far, nothing negative has appeared yet on my credit reports from IBM's data breach. For all I know, the identity thieves could still be trying to break the encryption on IBM's data tapes. Rubinger seems to suggest that after 90 days identity thieves would give up trying to crack the encryption on IBM's data tapes. That assumption sounds totally ridiculous to me. From everything I've read, identity thieves are persistent, so it seems wise to assume a continual threat and act accordingly. Plus, the value of consumers' personal data has a long life.

IBM still hasn't caught the perpetrators and still employs the same delivery service which lost their data tapes over a year ago. Like many other consumers, I placed consecutive Fraud Alerts on my credit reports when I first learned of the IBM data breach. Experian and LifeLock can fight all they want about Fraud Alerts. To me, the stronger tool for consumers is the Security Freeze tool.

But, a Security Freeze won't protect consumers against all types of identity fraud. As a nation, we seem to be in our infancy regarding effective identity theft legislation that balances the needs of both consumers and companies.

Tuesday, February 26, 2008

Experian Sues LifeLock

Last week, things really heated up in the credit monitoring and identity theft industry. Forbes magazine reported that Experian, one of the three major credit bureaus, had filed a lawsuit in California against LifeLock. According to the news report, Experian accused:

"... LifeLock of placing bogus 90-day fraud alerts on hundreds of thousands of credit files maintained by Experian. In the complaint, Experian says it has suffered "millions of dollars" in damages from being forced to process large numbers of initial fraud alerts and mail mandatory notices to customers."

What? Bogus fraud alerts? An increasingly large number of fraud alerts should not be a surprise to anyone in the identity theft/fraud business, given the steady number of corporate data breaches. 2007 was a record year for corporate data breaches. Depending upon the source you use (e.g., Attrition, the Identity Theft Resource Center, or Privacy Rights Clearinghouse), the number of records lost or stolen in 2007 ranged from 49 to over 100 million. Any source you pick documents an increase in data breaches in 2007 over 2006.

It seems to me that an increasing number of consumers are starting to read and follow the advice available in industry products and services. One of the first steps after a data breach or identity theft event is for the consumer to place a Fraud Alert on their credit reports. This was one of the first steps I took after my data was "lost" (probably stolen) during the February 2007 IBM data breach incident, along with the sensitive data of thousands of current and former IBM employees. Some consumers are willing to pay for convenience; to pay for a service to help them protect their sensitive personal data.

The Forbes news story goes on to report:

"Experian claims that LifeLock keeps its clients' files in a perpetual state of alert by repeatedly "crying wolf" on behalf of its clients. Its suit questions whether LifeLock has the legal right to request the 90-day alerts, which it maintains are meant to be placed only by individuals who have a reasonable suspicion that fraudulent activity has occurred."

Perpetual state of alert? Come on, Experian. That seems to be a far overstatement of the situation.

When a company suffers a data breach and loses the sensitive personal data of employees, former employees, and/or customers, the risk of identity theft and fraud doesn't disappear in a few months. The risk doesn't dissolve when the company issues a press release claiming, "there's no evidence that the data was stolen."

The consumers' sensitive data is out there... period... permanently. So, we consumers are forced to continually monitor our accounts and our credit reports for theft, abuse, or unauthorized access... permanently. We consumers are learning to better protect our sensitive personal data. Establishing repeated fraud alerts is one tool; a first step.

The Forbes article also reports:

"In the suit, Experian also charges that LifeLock has used false and misleading advertising to entice consumers into buying its protection, and is exploiting the system by acting as a middleman for services that the credit companies are required to provide to consumers for free, including annual credit reports, removal from mailing lists and fraud alerts."

That may be. I am not a subscriber to LifeLock since I have done by myself the identity-theft deterrence steps LifeLock charges a fee for. I must admit that LifeLock's advertising is everywhere... on radio, television, print ads, and around the web at social bookmarking sites. LifeLock seems to be doing a better job of promoting their service than Experian does of promoting its Family Secure credit monitoring service.

In his blog The Dunning Letter, Jack Dunning wrote this about Experian:

"Back in August of 2005, the Federal Trade Commission settled a case with Experian Consumer Direct, a subsidiary of the credit bureau, for deception in advertising “free credit reports” by failing to add the customer would be automatically signed up for credit monitoring services costing $79.95 each year. The FTC ordered Experian to give up $950,000 of its “ill-gotten gains.”"

Regarding deceptive advertising, Experian's history is not squeaky clean either.

I wonder if Experian sees the handwriting on the wall. As more consumers "lock down" their credit reports with Security Freezes, it becomes harder for credit bureaus like Experian to make the same profit amounts by selling only credit reports to potential lenders and creditors. Consumer credit reports with Security Freezes on them are credit reports Experian (and the other two credit bureaus) can't sell to potential lenders.

Combine this with the trend by more consumers to opt out of pre-approved credit offers, and the market for credit reports has to be negatively affected. So, to make the same profit amounts, Experian probably recognizes that it has to expand into new markets for more revenues. One of those new markets is the growing credit monitoring services market.

Fortunately for consumers, there are many choices today for a credit monitoring service. A consumer can monitor their credit report on their own, or subscribe to a credit monitoring service. These services are available from banks, credit card companies, credit bureaus, and independent companies... like LifeLock.

The wide range of choices is good for consumers, but is probably viewed negatively by Experian. The credit monitoring services market is filled with competitors offering a variety of services because the rise of identity theft has changed the marketplace. Consumers are slowly becoming educated about the scams, threats, and the value of theft-deterrence solutions. And companies have rushed to meet that need.

Consumers have also begun to realize that they want more control over who has access to their credit reports. The Security Freeze tool is a key tool for consumers to exercise control over their credit reports. The Security Freeze tool seems far stronger and more secure than the Fraud Alert tool. Starting with California in 2003, many states passed laws giving consumers the right to this Security Freeze tool. By the end of 2007, all three credit bureaus offered the Security Freeze tool nationwide, without waiting for states to pass more legislation.

So, the identity theft marketplace is changing at a fairly rapid pace. Previously, Experian competed against 2 other credit bureaus (e.g., Equifax and TransUnion) to sell consumers' credit reports. Now, Experian has a whole new set of competitors who offer credit monitoring services similar to Experian's credit monitoring service.

Is the lawsuit only about false/deceptive advertising? Maybe. But it may also be about intimidating or limiting competition, given the rapidly changing identity theft/fraud marketplace. What do you think?

Monday, December 10, 2007

Woman Wins $2.7 Mill Verdict Against Equifax

According to a recent UPI press release:

"The Florida Circuit Court jury in Orlando said the Atlanta company must pay medical-transcription worker Angela Williams $219,000 in actual damages and $2.7 million in punitive damages for negligent violation of federal credit-reporting laws..."

Apparently, the jury agreed with the plaintiff's argument that Equifax continually and repeatedly mixed another person's credit information into Williams' credit report:

"At trial, her attorneys showed how Equifax repeatedly confused Williams with someone who had a similar name but whose credit file was rife with bad debt, the newspaper said. Williams disputed the errors numerous times, but Equifax kept passing along the false information, ruining her credit, she testified. After eight years of trying to resolve the issue, she sued the company in 2003."

UPI reported that this is the largest punitive-damages award ever against Equifax. This court verdict is a sad reminder that it is the individual consumer's responsibility to monitor the accuracy of their credit reports at the three national credit bureaus; and to notify the credit bureaus of any errors. Once notified, it is the credit bureaus' responsibility to fix the credit report.

To learn more, read the Orlando Sentinel article or the Credit Bureaus posts.

Friday, November 02, 2007

Freezing Your Credit Report is Not a Cure-All

Last week's Wall Street Journal published an article titled, "More People Are Freezing Credit Reports:"

"Spooked by the possibility of identity theft, increasing numbers of people are taking a radical approach to thwart criminals: They are putting their credit reports on permanent freeze.... An estimated 50,000 to 70,000 people have so far signed up for credit freezes, according to the Consumer Data Industry Association, a trade group that includes the three credit bureaus."

According to its web site, the Consumer Data Industry Association is:

"an international trade association, founded in 1906, that represents consumer information companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, and collection services."

While it's good to see more consumers taking an active interest in protecting their identity and personal data, the prevailing consumer attitude about identity theft seems to be:

"Michael Dana, a Dallas police detective, chose to freeze his credit reports after a Texas law took effect last month that made freezes available to all residents. Mr. Dana says he received several notices from financial institutions and the government saying that some of his personal information may have been compromised."

"Scott Marberblatt of Swampscott, Mass., says he uses several credit-monitoring services to alert him to potential identity theft. But the 46-year-old small-business owner says he plans to drop some of these services, thereby saving "a decent amount of money," and instead freeze his credit after the option becomes available at all three bureaus next month."

While this attitude is understandable, it is important to realize the limitations of a Credit Report Freeze (also called a Security Freeze in many states). Freezing your credit report is not a cure-all or "silver bullet" against all types of identity theft. While freezing your credit report will protect you against new account fraud (e.g., where an identity thief takes out a loan or a mortgage in your name), it won't protect you against:

  • Identity fraud during a crime: where the criminal presents your identity to police instead of theirs (Note: criminals can use your stolen personal data this way in any country, not just in the USA)
  • Identity fraud: where an identity thief tries to access your existing financial and bank accounts by pretending to be you (e.g., calling the bank's customer service number to change your online passwords)
  • Medical fraud: where an identity thief assumes your identity to get medical care they otherwise aren't entitled to
  • Insurance fraud: C.L.U.E. insurance reports with your personal data are still freely sold by firms like ChoicePoint
  • Identity fraud: where an identity thief tries to steal your snail-mail by sending a change-of-address form to the post office, since many consumers receive pre-screened credit offers via snail-mail (opt-out today!)
  • Identity fraud from dumpster divers: you still have to shred documents with your sensitive data before disposing paper in the trash or recycle bins
  • Your employer, prior employer, or retail firm has poor data security which results in a data breach that exposes more of your personal data to identity thieves, beyond what has already been exposed
  • You shop at a retailer, who has hired a subcontractor for offshore outsourcing, and that subcontractor has a data breach which exposes your personal data in that country

Want to learn more? Click on any of the above links.

Monday, October 08, 2007

Fraud Alert Renewal: Easy & Fast

During the last week of September, I called the Experian credit bureau to renew the Fraud Alert on my credit file for another 90 days. I called since Experian has an easy and quick phone system for consumers.

During the phone call, Experian advised me that it would automatically notify the other 2 national credit bureaus, which would also place a Fraud Alert on my file at their services. The entire phone call took maybe 5 minutes max. About 3 days later, I received via surface mail from Experian a written confirmation of the transaction:

"We have added an initial Security Alert to your credit file as requested on your behalf by one or more of the nationwide consumer credit reporting companies. This message, which will expire after 90 days from 09/27/2007, alerts credit grantors to verify your identity in case someone is using your information without your consent. As an additional precaution, we have removed your name and address from pre-screened offer mailing lists for six months."

The next day after that, I received via surface mail confirmation from the TransUnion credit bureau of my Fraud Alert renewal. I placed the initial Fraud Alert on my credit report at all three national credit bureaus back in July, after IBM notified me of their data breach. If you want to place a Fraud Alert on your credit report, the TransUnion site lists phone numbers for all three national credit bureaus.

I fully realize the limitations of the Fraud Alert tool. The national credit bureaus make money by selling consumers' credit reports to (hopefully responsible) creditor companies. The Fraud Alert tool doesn't stop the credit bureaus from selling my credit report to credit grantors. The credit bureaus simply append an alert notice to my report. If you want to learn more, the Experian site lists the reasons companies purchase consumers' credit reports. Since credit bureaus don't notify consumers when our credit report is distributed, I use my credit monitoring service for notification.

Now that 2 of the 3 national credit bureaus will offer the Security Freeze tool starting in November 2007, I look forward to using that tool to really lock down my credit report so that nobody has access to it, unless I authorize access. As each credit bureau releases details about its Security Freeze program, I will share my findings in this blog.

Will I let the Fraud Alert expire on my credit reports once I have the Security Freeze in place? I haven't decided yet about that.

Tuesday, September 25, 2007

Equifax and Experian Follow TransUnion With Nationwide Credit Report Freeze

This is great news for consumers and it was expected. According to the Atlanta Journal-Constitution newspaper:

Under pressure from a big competitor and consumer activists, Atlanta-based Equifax said Friday it will let consumers nationwide "freeze" their credit reports to deter identity theft.

Equifax's service will be available at the end of October. Experian is planning an announcement to offer a comparable service within the same time-frame. Want to learn more? Read these prior posts about TransUnion, the Fraud Alert tool, Massachusetts' new identity-theft law, and insurance reports from Choice Trust.

While this is good news for consumers, the $10 fee to lift, remove, or add a credit report freeze is too high. Massachusetts' new identity-theft law sets a limit at $5, similar to several other states. And ChoicePoint is silent on providing a comparable service for C.L.U.E. reports.

Friday, September 21, 2007

Credit Bureau Announces Nationwide Security Freeze

This is huge news... great news! The national credit bureau, TransUnion, announced in a press release on September 18, 2007:

"... effective October 15, 2007, it will offer the credit reporting industry's first complete file freeze solution. While consumer access to placing a file freeze continues to be driven at the state level, some state-enacted laws are not yet effective and other states have not enacted such laws. With its announcement today, TransUnion becomes the first credit reporting company committed to providing U.S. consumers in all 50 states and the District of Columbia with the ability to freeze their credit files, should they feel that step is warranted."

This is great news because it helps everyone. It helps identity-theft victims stop thieves from doing further damage to their credit, and it helps everyone else prevent themselves from becoming an identity-theft victim.

TransUnion's Security Freeze tool is free for identity-theft victims and it costs $10 for others to add, lift, or remove a Security Freeze. TransUnion offers the True Credit web site for consumers to sign up for the security service. For $14.95 per month, consumers also get:

  • Unlimited access to their credit reports from all 3 national credit bureaus
  • Unlimited access to their credit scores
  • One-click access to lock or unlock your TransUnion credit report
  • $25,000 of identity-theft insurance at no additional cost
  • You can cancel the service anytime

The Security Freeze is a critical tool for consumers to protect their finances and fight identity theft. The Security Freeze tool is far stronger than the Fraud Alert tool. If the other two national credit bureaus -- and Choice Trust with their C.L.U.E. insurance reports -- are smart, they will provide the same tool soon. It needs to get done for complete protection for consumers.

Wednesday, July 11, 2007

Fraud Alerts

After IBM informed me that IBM had lost data tapes with my personal data, one of the first things I did was contact the three credit bureaus in the USA. These thieves didn't have to do any dumpster-diving, or break into my snail-mail-box, or hack into IBM's computers, since the data tapes fell off the back of the truck.

A Credit Bureau is a company that compiles and distributes credit and personal information about consumers to creditors. This credit information may include payment habits, the number of (existing and prior) credit accounts, the balance for those accounts, and the length and place of employment. There are three credit bureaus in the USA: Equifax, Experian, and TransUnion. The Identity Theft Victims Guide lists the phone number, mailing address, and web site for all three credit bureaus.

Creditors are the companies that loan money or sell goods "on credit" to consumers. A variety of companies contact a credit bureau for the credit data of a consumer applicant. For example, when you apply for a loan (with a bank, auto company, or finance company) or apply for a wireless phone plan, that company (or bank) will contact a credit bureau to learn more about your habits with money. The company's goal is to learn enough to decide if you are a good credit risk or not. Consumers deemed a good credit risk receive the loan and pay less for the same goods; typically a lower interest rate. Consumers deemed a poor credit risk won't get the loan, or if they do will pay a higher interest rate.

One scam is when identity thieves pretend to be somebody else to apply for a loan, mortgage, or buy a large dollar-value item. The thief uses the identity victim's good credit and, of course, doesn't pay off the loan or pay for the product. Then, the creditor seeks the identity theft victim to pay for the loan or purchase that the victim never made. So, anything that makes it difficult (or impossible) for identity thieves to access credit information is a good thing.

One tool to make it difficult is a Fraud Alert. A Fraud Alert is a "flag" or indicator on a consumer's credit file that the individual may be a victim of identity theft. The Fraud Alert requires the creditor to contact the consumer via phone before issuing credit.

Consumers have a choice of a fraud alert for 90 days (my choice) or seven years. At the end of the period, the consumer can extend the alert by contacting the credit bureaus.

To place a Fraud Alert on your credit file, you simply contact any one or all three credit bureaus. (I left nothing to chance and contacted all three by phone.) Each credit bureau will inform the others of your Fraud Alert request. All credit bureaus will send a written confirmation of your Fraud Alert. The Equifax confirmation included this:

If you are a victim of fraud, the first step in protecting your credit information is to add a fraud alert to each of the credit files maintained by the three national credit reporting agencies. Adding a fraud alert may aid in the prevention of further fraudulent activity. We were successful in adding an alert to your Equifax credit file.

The TransUnion confirmation included this:

"We have received a request and added to your credit report an initial Fraud Alert. The alert will remain on your file for 90 days, as specified by the expiration at the end of the statement, and will be provided to anyone who receives a copy of your credit report. The alert will inform all credit grantors to take precautionary measures to verify the identity of the applicant before extending credit."

The confirmation also stated:

"As TransUnion is a credit-reporting agency, your credit report may be released to credit grantors who are active members of our agency. In order for the credit grantor to view the Initial Fraud Alert on your file, the credit grantor must first access your credit report."

As I read all three confirmations, I began to understand that the system is tilted to allow all three national credit bureaus to continue to distribute my credit file with my fraud alert appended. A careless credit bureau could still pass personal data to a thief pretending to be a valid creditor, and the identity thief could still take advantage of my (and your) good credit. This has happened to one data aggregator! See any news story about ChoicePoint at C/Net or PRC or InfoWorld or Consumer Affairs.

Definitely not a bullet-proof system. I felt slightly better. Not great, but slightly better. A little protection, but not bullet-proof. I like bullet-proof.

This is one reason why I believe that the U.S. commerce system is tilted away from consumers and towards companies - to facilitate profit-making and lending credit. By sharing consumers' credit information, companies can make more money, but both the companies and the consumers incur risk. If I am going to participate in a system where I incur risk, I want rewards for my risk. Conversely, if companies want to benefit from sharing my personal data, then they'd better adequately protect my personal data. If they can't protect it, don't use my personal data and delete it!

If you feel this way (or not), I'd love to hear from you and why. In my opinion, the system needs to be balanced between companies and consumers, with stronger protections for consumers who typically have fewer resources than a corporation.

The TransUnion confirmation also stated:

"Under federal law, you are entitled to request a free copy of your credit report within the next 12 months."

This was good news at a time when I was receiving plenty of bad news. It's always good to get something for free... especially when you need it.

Next entry: IBM's offer


  • George Jenkins, author of the I've Been Mugged Blog
