12 posts categorized "Credit Freeze"

Monday, April 27, 2009

Consequences of the Heartland Data Breach (Part Two)

In Part One of this story, we met Janet after fraudsters had attempted to submit charges to her Visa credit card. Janet's story continues with some unexpected twists, which we all can learn from.

After Visa -- and not her credit union -- had notified Janet of some fraudulent charges, Janet followed my advice and notified Visa in writing (e.g., a letter via Postal Mail with a Return Receipt) that the charges were indeed bogus. Visa removed the bogus charges.

Janet was curious why her credit union had not notified her about the fraudulent credit card charges, since the credit union issued her Visa credit card. Her credit union indicated that her situation was not a result of the Heartland Payment Systems data breach, since her credit card number wasn't on the list of compromised card numbers the credit union received.

This seemed odd to me since Visa's arrangement with Heartland is well documented in the news media. Thinking that her situation was resolved, Janet was surprised to receive via postal mail a letter from Experian notifying her of an attempted address-change request. Somebody was attempting to change Janet's address on her Experian credit report. This was a troubling surprise for several reasons:

  • Janet had not submitted an address change to Experian or to any other credit reporting agency
  • Janet has a Security Freeze on her credit reports at the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion) to prevent unauthorized access. An attempted address change by a fraudster is clearly an unauthorized access.
  • In its letter, Experian also said that it had sent a notice of this attempted address change to both the new address and to Janet's current address

Janet is puzzled why Experian would send a letter to the new address when she already has in place a Security Freeze preventing access to her Experian credit report. Next, Janet did what anyone would do: she called Experian's customer service number to talk with a representative. Janet did not want to just send a letter to Experian. She wanted faster action, since identity thieves were trying to access her sensitive personal data.

Sadly, Janet has been unable to talk with a human representative at Experian. When calling the Customer Service number, she gets stuck in an endless series of menus and phone messages, with no way to talk to a human customer service representative. Same results with Experian's web site.

Janet followed my advice and filed a police report with local law enforcement. After filing the report, the detective involved has also been unable to contact a human representative at Experian.

Janet asked me what she should do next, since she is leaving for vacation for 10 days. I said that while she is on vacation, I will try to contact the President or CEO of Experian to see what type of response I could get for her. Janet is also contacting her local Congressional Representative.

Janet should be able to talk with a human representative from Experian, especially during a time when identity thieves are attempting to access her Experian credit reports. Janet's experience so far seems to indicate a customer service melt-down at Experian.

This story is far from over. If you want to learn what happens, sign up for either e-mail or RSS updates from I've Been Mugged. As I learn more, I will post it in this blog.

Wednesday, January 14, 2009

Equifax Pays $65K To The State Of Indiana For Violating Security Freeze Law

During the run-up to the holidays, I almost missed this news item. It received coverage by news organizations in the State of Indiana, but lesser coverage elsewhere. According to the ConsumerAffairs.com site:

"Equifax Information Services has agreed to pay $65,000 to resolve allegations that the company failed to comply with Indiana's security/credit freeze law.... Attorney General Steve Carter obtained a consent judgment after charging that the credit agency failed to place security freezes and failed to issue freeze confirmations and unique personal identification numbers to Indiana consumers within the timeframes as defined by state law."

Basically, Equifax did not admit any guilt, and paid the fine since it violated state law. Hence, the word "allegation" was used above.

In Indiana, credit-reporting agencies are supposed to place a credit-report freeze within 5 business days of receiving a consumer's letter. According to Carter's allegations, Equifax didn't do that fast enough for 19 consumers, including a two-month delay for one consumer. In Indiana, credit reporting agencies are also required to notify consumers within 10 business days that their credit reports have been frozen. According to Carter, Equifax failed to do that for 24 consumers, and it took 6 months to notify one consumer.

It's good to see a state's attorney general looking out for the needs of consumers by monitoring compliance with Security Freeze laws. Most states have Security Freeze laws, and I wonder how many other states are monitoring compliance:

"It is believed that the Indiana Attorney General's Office is the first to enforce the consumer credit freeze statute against one of the three national credit-reporting agencies."

Attorney General Carter summed up the situation well:

"This law was enacted to give consumers a layer of protection against identity theft and other forms of personal identity fraud... The freeze doesn't provide the protections it was designed to give our citizens when the required timeframes and other requirements of the law are not followed."

I have a freeze on my credit reports and I encourage consumers to do the same, especially if your sensitive personal data has been exposed during a corporate data breach. But note, a Security Freeze is not a cure-all. And, read this review if you are considering Equifax's "3-in-1" credit monitoring service.

Wednesday, August 13, 2008

With A Security Freeze In Place, Do Consumers Need A Credit Monitoring Service?

An I've Been Mugged reader, Kalyan, sent to me an e-mail message last week with the following question:

"If one gets his credit reports frozen at all three agencies (for $30), will credit monitoring work ? Will the monitoring service be able to get the changes in the reports? Is it some sort of an oxymoron to say "frozen credit report change monitoring", since there should be no changes to monitor!?"

This is a good question. Before answering it, I want to emphasize for readers that the cost of a Security Freeze varies by state. In Massachusetts, the cost is $5.00 for a consumer to lock down or "freeze" each credit report at the three national credit agencies. Consumers in only a handful of states can lock down their C.L.U.E. insurance reports at ChoicePoint's ChoiceTrust Web site. ChoicePoint has ignored several inquiries about why it does not offer a Security Freeze for its reports nationwide.

Now, to answer Kalyan's question.

I have Security Freezes in place on my 3 credit reports, plus credit monitoring from Discover and from Kroll. My logic for having both Security Freezes and credit monitoring:

  1. The Security Freezes are needed since IBM exposed my personal data through its data breach. My personal data could be nowhere or anywhere in the world. The Security Freeze gives me the most protection possible.
  2. A Freeze is also needed because many credit monitoring services (like Discover's offering) don't monitor credit files from all three national credit bureaus. You would think that they would, but many don't
  3. The risk of identity fraud doesn't just magically end after 1 or 2 years, just because most companies provide free credit monitoring services to data-breach victims for that period after a data breach. For me, I feel comfortable assuming the worst... since my data is out there, it could be abused at any time. ID-theft criminals are smart and persistent. While some of IBM's "lost" data tapes were encrypted, it may take time for the thieves to break the encryption.
  4. The free credit monitoring IBM arranged through Kroll gives me very strong credit resolution protection, and fairly strong credit monitoring but doesn't provide access to the full text of my credit reports at the three credit bureaus. I'm inclined to keep Kroll since they seem to be the best at resolution services (something Discover's offering seems weak at)
  5. Similarly, my Discover credit monitoring service provides features which Kroll's service doesn't, like access to the complete text of my credit reports. I will cancel my credit monitoring service with Discover when I find a suitable replacement.
  6. Even with a Security Freeze in place, changes can occur with a consumer's credit reports. By law, many government agencies retain the right to access consumers' credit reports (e.g., law enforcement, courts, child support orders, etc.). I know this having read the text of the Massachusetts ID-theft law. (ID-theft laws vary by state.) Since identity thieves are smart and may manage to trick a valid government agency (e.g., dept of motor vehicles) to make a fraudulent change to my credit reports, I want to know about it. This seems wise also because the Security Freeze tool has key limitations or gaps, like when identity criminals use stolen identity data during a crime, or when criminals attempt medical identity fraud.

If my approach seems like a patchwork quilt of a solution, it is. I'd rather get everything from one service, but I haven't found one service (yet) that provides everything I'm looking for. Getting a credit monitoring service directly from one of the credit bureaus (e.g., Equifax, Experian, and TransUnion) may seem like a good idea, but their services and Web sites are poorly designed, difficult to use, and the bureaus offshore outsource their customer support operations, which some consumers have had difficulty with.

What is your logic regarding Security Freezes and credit monitoring? Whether you use both, one, or neither, I'd love to hear your decision logic.

Tuesday, April 22, 2008

Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by themselves -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying, a) who you are, b) your current residential address, c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, nor via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g., you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid for my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN number. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name, if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do like use rotating and stronger passwords, and set up e-mail or text messaging alerts for your financial accounts.

Monday, January 07, 2008

Fraud Alert or Credit Freeze: What's The Difference?

While discussing identity theft with a business acquaintance, the topic came up about how best to protect our identities. The person mentioned that they had a Credit Freeze in place, but that it was only good for 90 days. This was a clue to me that the person had a Fraud Alert in place and not a Credit Freeze. A comparison of the two options:

| | Fraud / Security Alert | Credit / Security Freeze |
|---|---|---|
| Definition | A special message attached to a consumer's credit file that indicates the individual may be a victim of identity theft. The alert may require potential lenders to contact the consumer via phone before issuing credit. | A feature for national credit reports where all companies and potential lenders (except where exempted by law) cannot access a consumer's credit report without the consumer's permission. |
| Advantages | 1. Free for consumers 2. Alert durations available for 90 days or 7 years. Military personnel: Active-Duty Alert (12 months) 3. After adding an alert at one credit bureau, the other 2 credit bureaus automatically add an alert | 1. Generally, free only for identity theft victims (IL, NM, and RI: free for all residents 65+) 2. Stops identity thieves from opening new accounts or getting credit, loans, or mortgages in your name 3. Stops credit bureaus from distributing your credit report 4. Consumer can lift or remove the freeze when needed for potential lenders (PIN number provided) |
| Disadvantages | 1. Credit bureaus still distribute your credit report 2. Identity thieves can apply for credit or loans and approval may still "sneak through" | 1. If you are not an identity theft victim, fees apply to add, lift, or remove a freeze at each credit bureau 2. You must add, lift, and remove a freeze separately at each credit bureau 3. To apply for credit, you must temporarily lift the freeze on your credit reports. This may cause a delay getting credit approval 4. Banks and companies that provide consumer data to the credit bureau will not be allowed to update the name, address, SS#, and birth-date data on your credit reports |
| Availability | Nationwide | Nationwide, including Puerto Rico, Guam and the U.S. Virgin Islands |
| Other | 1. Adults only | 1. Adults only 2. Temporary freeze lift: 3 days minimum and 30 days maximum |


Want to learn more? You should be aware of certain identity-theft situations that neither a Security Freeze nor a Fraud Alert will prevent. Also, the Security Freeze laws in many states do not cover consumers' C.L.U.E. insurance reports. You still should shred snail-mail and paper documents with sensitive personal data. And, for maximum protection you should also take advantage of the opt-out resources.

Monday, December 17, 2007

Placing A Freeze (Or Lock) on Your Credit Files

In August 2007, the Massachusetts Governor signed a new law allowing Massachusetts residents to lock or place a "Security Freeze" on their credit reports with the three national credit bureaus. Residents can visit the Massachusetts Office of Consumer Affairs web site for instructions about how to add, lift, or remove a Security Freeze on their credit reports. Residents in other states can proceed directly to the three national credit bureaus for instructions:

The fees to add, lift, or remove a Security Freeze vary by state and by the consumer's status. For identity-theft victims, the fees are waived. For others, the fees apply and vary by state. For example: the add/remove/lift fees in Massachusetts for identity theft victims are waived, while the fees for others are $5.00 each. In some states, the add/remove/lift fees are as high as $10.00 or $20.00 each.

Friday, November 02, 2007

Freezing Your Credit Report is Not a Cure-All

Last week's Wall Street Journal published an article titled, "More People Are Freezing Credit Reports:"

"Spooked by the possibility of identity theft, increasing numbers of people are taking a radical approach to thwart criminals: They are putting their credit reports on permanent freeze.... An estimated 50,000 to 70,000 people have so far signed up for credit freezes, according to the Consumer Data Industry Association, a trade group that includes the three credit bureaus."

According to its web site, the Consumer Data Industry Association is:

"an international trade association, founded in 1906, that represents consumer information companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, and collection services."

While it's good to see more consumers taking an active interest in protecting their identity and personal data, the prevailing consumer attitude about identity theft seems to be:

"Michael Dana, a Dallas police detective, chose to freeze his credit reports after a Texas law took effect last month that made freezes available to all residents. Mr. Dana says he received several notices from financial institutions and the government saying that some of his personal information may have been compromised."

"Scott Marberblatt of Swampscott, Mass., says he uses several credit-monitoring services to alert him to potential identity theft. But the 46-year-old small-business owner says he plans to drop some of these services, thereby saving "a decent amount of money," and instead freeze his credit after the option becomes available at all three bureaus next month."

While this attitude is understandable, it is important to realize the limitations of a Credit Report Freeze (also called a Security Freeze in many states). Freezing your credit report is not a cure-all or "silver bullet" against all types of identity theft. While freezing your credit report will protect you against new account fraud (e.g., where an identity thief takes out a loan or a mortgage in your name), it won't protect you against:

  • Identity fraud during a crime: where the criminal presents your identity to police instead of theirs (Note: criminals can use your stolen personal data this way in any country, not just in the USA)
  • Identity fraud: where an identity thief tries to access your existing financial and bank accounts by pretending to be you (e.g., calling the bank's customer service number to change your online passwords)
  • Medical fraud: where an identity thief assumes your identity to get medical care they otherwise aren't entitled to
  • Insurance fraud: C.L.U.E. insurance reports with your personal data are still freely sold by firms like ChoicePoint
  • Identity fraud: where an identity thief tries to steal your snail-mail by sending a change of address form to the post office, since many consumers receive pre-screened credit offers via snail-mail (opt-out today!)
  • Identity fraud from dumpster divers: you still have to shred documents with your sensitive data before disposing paper in the trash or recycle bins
  • Your employer, prior employer, or retail firm has poor data security which results in a data breach that exposes more of your personal data to identity thieves, beyond what has already been exposed
  • You shop at a retailer, who has hired a subcontractor for offshore outsourcing, and that subcontractor has a data breach which exposes your personal data in that country

Want to learn more? Click on any of the above links.

Sunday, October 28, 2007

AARP And Identity Theft

When I was in my mid 40's, I joined AARP. At that time, I needed to learn a lot about elder care since my mother had died and my dad was seriously ill. (He died in 2002.) I figured that reading the print version of the AARP Magazine was the best way to learn the language of retirement (e.g., Medicare, Medicaid, etc.), and to learn about the issues related to elder care.

The magazine has some really interesting and inspirational articles, like the recent interview of the actor Morgan Freeman. During the years, I've subscribed to AARP's various e-mail newsletters and RSS feeds. The AARP web site recently published a good article about identity theft, titled Block Your Credit Reports to Prevent ID Theft.

If you are unfamiliar with the subject of identity theft, or if you want simple clear descriptions (like the difference between a Fraud Alert and a Security Freeze), then this is a good starter article. The article includes sample letters for users to request a Fraud Alert from one of the three national credit bureaus. The article should have included toll-free phone numbers for the three credit bureaus, but didn't.

As I mentioned, this is a good starter article. While the article doesn't tell you everything, it provides the basics in an easily readable format, so a consumer can place a Security Freeze on their credit report.

Tuesday, September 25, 2007

Equifax and Experian Follow TransUnion With Nationwide Credit Report Freeze

This is great news for consumers and it was expected. According to the Atlanta Journal-Constitution newspaper:

Under pressure from a big competitor and consumer activists, Atlanta-based Equifax said Friday it will let consumers nationwide "freeze" their credit reports to deter identity theft.

Equifax's service will be available at the end of October. Experian is planning an announcement to offer a comparable service within the same time-frame. Want to learn more? Read these prior posts about TransUnion, the Fraud Alert tool, Massachusetts' new identity-theft law, and insurance reports from Choice Trust.

While this is good news for consumers, the $10 fee to lift, remove, or add a credit report freeze is too high. Massachusetts' new identity-theft law sets a limit at $5, similar to several other states. And ChoicePoint is silent on providing a comparable service for C.L.U.E. reports.

Friday, September 21, 2007

Credit Bureau Announces Nationwide Security Freeze

This is huge news... great news! The national credit bureau, TransUnion, announced in a press release on September 18, 2007:

"... effective October 15, 2007, it will offer the credit reporting industry's first complete file freeze solution. While consumer access to placing a file freeze continues to be driven at the state level, some state-enacted laws are not yet effective and other states have not enacted such laws. With its announcement today, TransUnion becomes the first credit reporting company committed to providing U.S. consumers in all 50 states and the District of Columbia with the ability to freeze their credit files, should they feel that step is warranted."

This is great news because it helps everyone. It helps identity-theft victims stop thieves from doing further damage to their credit, and it helps everyone else prevent themselves from becoming an identity-theft victim.

TransUnion's Security Freeze tool is free for identity-theft victims and it costs $10 for others to add, lift, or remove a Security Freeze. TransUnion offers the True Credit web site for consumers to sign up for the security service. For $14.95 per month, consumers also get:

  • Unlimited access to their credit reports from all 3 national credit bureaus
  • Unlimited access to their credit scores
  • One-click access to lock or unlock your TransUnion credit report
  • $25,000 of identity-theft insurance at no additional cost
  • You can cancel the service anytime

The Security Freeze is a critical tool for consumers to protect their finances and fight identity theft. The Security Freeze tool is far stronger than the Fraud Alert tool. If the other two national credit bureaus -- and Choice Trust with their C.L.U.E. insurance reports -- are smart, they will provide the same tool soon. It needs to get done for complete protection for consumers.

Wednesday, September 12, 2007

New ID Theft Law in Massachusetts (Part 2)

Since IBM notified me about their data breach, I've paid more attention to Identity Theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't make it into the final version of the new law). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that they affected the features in the new law.

If you want to read the new law, see the St.2007, c.82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

  • Personal data to be protected: regardless of the format it is stored in, the personal data companies and state agencies must protect includes first name and last name or first initial and last name of a resident with the resident's SS#, driver's license number, state identification number, financial account data (e.g., debit or credit card number in combination with or without a security code, access code, or password)
  • Data breach notification for consumers: companies and government agencies must notify as soon as possible affected Massachusetts residents whose personal data (e.g., SS#, driver's license number, etc.) have been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
  • Data breach notification: Companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details
  • New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently creating new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The PIN is used by the consumer to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request; and lift (or remove) the freeze within the same number of days
  • Disposal of records with personal data: the new law sets rules about the proper destruction of records by companies and government agencies
  • Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008 and not in November 2007 with the rest of the law

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

  • The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important since identity thieves act quickly
  • Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." Additionally, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs
  • The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely monitor the merger/acquisition/name changes of their former employer, others may not. Consumers who don't monitor the merger/acquisition/name change of a former employer may not recognize the substitute notice from the new company
  • The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze features. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or discloses a consumer's credit report despite an in-place Security Freeze
  • The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency" which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider
  • Disposal of records feature: the penalty for violators seems very weak, in my opinion. The law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws to undermine compliance.
  • The new law doesn't state whether the Massachusetts department of justice will post data breach notices online, like New Hampshire does

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.

Next entry: data breaches and lawsuits

Sunday, August 26, 2007

New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.'"

I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:

  • Penalties for corporate violators,
  • Protections for ID-theft victims of data breaches by former employers,
  • Details about the fees and administration of the new "security freeze" option,
  • Promotional guidelines to inform consumers, and
  • Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."

Next entry: Mistaken for a car thief, ID theft victim jailed

  • © 2007 - 2009. I've Been Mugged and George Jenkins. All Rights Reserved.