Class Action Settlement For Users Of Identity Protection Services With Discover Financial Services

Last week, I received a notice from Discover Financial Services about a class-action settlement offer for consumers who used one a Discover identity protection service:

"If you were enrolled in or billed for Discover Payment Protection, AccountGuard, Identity Theft Protection, Profile Protect, Wallet Protection, The Register and/or Credit Score Tracker between January 21, 2004 and November 9, 2011, this notice describes your rights in connection with a settlement of a lawsuit and your potential recovery."

The settlement combines class-action lawsuits in several states which claimed that Discover Financial Services used improper marketing, enrollment, and pricing practices:

• Walker v. Discover Financial Services et al (N.D. III Case No. 10-cv-06994-JWD)
• Callahan v. Discover Financial Services et al (N.D. III Case No. 1:10-cv-07181-JWD)
• Alexander v. Discover Financial Services et al (D.S.C. Case No. 7:10-cv-02754-HMH)
• Sack v. DFS Services LLC et al (W.D. Tenn. Case No. 2:10-cv-02906-JPM)
• Boyce v. DFS Services LLC (E.D. Pa. Case No. 2:11-cv-00265-LDD)
• Conroy v. Discover Financial Services et al (C.D. Cal. Case No. 2:10-cv-5260-MMM-E)
• Triplett v. Discover Financial Services, Inc. et al (S.D. Fla. Case No. 1:11-cv-20519-AJ)
• Carter v. Discover Financial Services, Inc. et al (E.D. Pa. Case No. 2:11-cv-01656-BMS)

Discover has agreed to set up a settlement $10.5 million fund. If you want to learn more, read the settlement offer details, file a claim, or exclude yourself from this settlement, visit the WalkerSettlement.com website, or contact the Settlement Administrator:

Settlement Administrator
Walker Settlement
P.O. Box 8023
Faribault, MN 55021-9423
Phone: (866) 944-5034

Claims must be filed by June 6, 2012. Exclusion requests and settlement objections must be received by March 23, 2012.

In April 2008, I discussed in this blog my experiences with the Discover Identity Theft Protection service. In September 2011, Javelin Strategy & Research rated Discover's identity fraud resolution services highly in its Seventh Annual Card Issuer's Safety Scorecard. The study evaluated the top 23 card issuers according to three categories: identity fraud prevention, detection and resolution.

The press releases section at the Discover website did not mention the Walker Settlement.

Sony Used Obsolete Data Security Software; Debix Offered

On Friday, eWeek reported that the massive Sony Playstation Network data breach could have been avoided if Sony had used basic online data security measures:

"Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee..."

Consumer Reports reported much of the same:

"In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers—and knew about it months in advance of the recent security breaches..."

Between the two Sony PSN and SOE breaches, about 102 million consumers worldwide have been affected. Sony has arranged for 12 months of complimentary credit monitoring service via Debix for breach victims in the United States. Sony is currently notifying breach victims of the June 18 deadline to enroll in the Debix AllClear ID Plus program. Sony has not disclosed the number of breach victims in the United States, nor what credit monitoring service will be offered to breach victims outside the United States.

This past week, Congress held hearings about the Sony and Epsilon data breaches. In a letter from Sony to the U.S. Congress, the company stated that it had experienced a Distributed Denial of Service (DDoS) attack before the data breaches. Sony claimed that this DDoS attack and the sopistication of the data breach made breach detection difficult to spot. When I read this, it sounded like Sony could not walk and chew gum at the same time. I expect much more from a multi-billion dollar corporation.

A response from Congressional Representative Mary Bono Mack (Republican - California), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, included this:

"Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy... these latest cyber attacks, they serve as a reminder – as well as a wake-up call – that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk..."

I view Mack's statement as too mild when the scope and severity of the breaches demand a stronger response. Mack could have emphasized more than just the need for fast breach notification of consumers. Consumers didn't cause this breach. While fast notificaton helps consumers somewhat, the best solution -- breach prevention -- lies with the corporation.

Massive breaches like Sony's will continue as long as companies act fast, loose, and sloppy with data security of consumers' sensitive personal data. Massive breaches like this will continue as long as the costs to upgrade data security outweigh the costs of any penalties. There have to be penalties for companies that repeatedly experience data breaches, and/or use obsolete data security software and methods.

It appears that in Sony's case, the company's sloppy data security made it easy for criminals to steal sensitive consumer information. 12 months of free credit monitoring is not enough, because the threat of criminals using stolen identity and bank data doesn't magically stop after 12 months. 5 or 10 years of complimentary credit monitoring service would be better. And, the cost of providing breach victims with free credit monitoring services is small compared to other post-breach expenses.

When companies offer a short, 12-month period of free credit monitoring, that effectively transfers the burden -- time and money -- to consumers from month 13 on. Even though consumers didn't cause this breach, consumers end up spending time and money long-term to monitor and protect their accounts long after the free credit monitoring period has ended.

What do you think?

Nearly 1 Million Lifelock Customers To Receive Checks From The FTC

Well, this press release says it all. Last Thursday, the U.S. Federal Trade Commission (FTC) announced in a press release that it is mailing refund checks to victims of Lifelock's allegedly false marketing claims:

"In March 2010, FTC Chairman Jon Leibowitz announced that LifeLock had agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the company’s CEO’s Social Security number on the side of a truck. The FTC charged that LifeLock provided less protection against identity theft than promised and made claims about its own data security that were not true. Consumers who signed up for LifeLock’s services based on those false claims will now be receiving refund checks."

Celebrities including Rush Limbaugh and Montel Williams promoted Lifelock's services. Consumer Reports reviewed Lifelock's services. In 2008, Experian sued Lifelock about the placement of Fraud Alerts, and in 2009 a California District court ruled in Experian's favor.

About 957,928 consumers will receive checks for $10.87 each. This will be the entire and only distribution to eligible consumers. If you have questions about eligibility, contact the administrator toll-free at 1-888-288-0783, or visit www.ftc.gov/refunds.

A Review of Bank of America PrivacySource

A couple weeks ago, I received a letter from Bank of America via postal mail:

"Records Request
Please Review Important information Below
Please Reply Within: 14 Days"

"THIS NOTICE IS REQUIRED BY LAW
You have the right to a free credit report from AnnualCreditreport.com or 877-322-8228, the ONLY authorized source under federal law."

"Complimentary Credit report and Credit Score -- Your signature is required to try the Bank of America PrivacySource(®) at no cost for 30 days so you can receive delivery of your Compiled Credit Portfolio. your benefits will include the following:
1. Your Complimentary Triple-Bureau Credit Report
2. Your Complimentary Triple-Bureau Credit Score
3. Daily Monitoring notifications"

I had not heard of the PrivacySource service before. I had heard of the PrivacyAssist credit monitoring service from BofA, and reviewed it in this blog. Inside the BofA PrivacySource envelope was a single sheet of paper with this offer and a return envelope. I read the entire offer letter looking for a website address. When I receive an offer like this, I expect the offer letter to provide a website address so I can learn more. Surprisingly, the offer letter didn't mention a website: neither a BofA website nor a PrivacySource website. Not good.

I then performed a few Google searches for PrivacySource which turned up this BofA page. I followed the PrivacySource link at the page bottom, and then entered my state on the next page. The problem: the BofA site redirected to a Privacy Assist page which didn't mention anything about PrivacySource. This was confusing and frustrating. Maybe PrivacySource is replacing BofA's PrivacyAssist credit monitoring service. Or maybe PrivacySource isn't available in my state. The BofA website didn't say. Not good.

After some more searching, I found a page at the CreditReportCamp.com site which mentioned the website address for Privacy Source: PrivacySource.Bankofamerica.com. It should not be this hard to find a website address. Whoever built the BofA PrivacySource website failed miserably at SEO. BofA should have listed the website address in the offer letter. And, the BofA website should have linked me directly to it.

But, back to the offer letter. Part of the way down the page, the letter included some important information:

"By signing this form you are authorzing a debit from your Bank of America checking account to the amount of $12.99 per month for a membership in the Bank of America PrivacySource (®) service unless you cancel within the 30_Day Trial Offer period.

That told me a lot. PrivacySource is a credit monitoring service. The offer was similar to offers I've seen before from FreeScore.com and the major credit reporting agencies, except there were two freebies: a "Triple-Bureau Credit Report" and a "Triple-Bureau Credit Score." That sounded nice.

Like most people, I like free things. But, what is a Triple-Bureau Credit Report, and what does it look like? Is it a summary, or does it provide the same details as a credit report from Experian, Equifax, or TransUnion? The offer letter didn't say. Nor did it include an example report. It's hard to evaluate an offer when the service doesn't provide an example report. Not good.

I also wanted to know what a "Triple-Bureau Credit Score" is. Is it the same as a FICO credit score? Or is it a VantageScore? There are several different brands of credit scores available, and I want to know what I am buying. The offer letter didn't say. Nor did it provide a sample score. Not good.

Near the bottom of the offer letter, there was this important information in tiny type:

"By signing this form, you authorize bank of America to share your Social Security Number with Trilegiant, the service provider of the Bank of America PrivacySource service, and authorize Trilegiant and its credit information providers, which may include First Advantage Credco and FAMS, to obtain and monitor your credit files and information from the credit reporting agencies..."

Well, that said a lot. Trilegiant operates the credit monitoring service for BofA under the brand name PrivacySource. I know a little about Trilegiant as I wrote briefly about it previously in this blog. And, Trilegiant was involved in 2008 in at least one class-action lawsuit, which the company settled for $25 million:

"Trilegiant, a subsidiary of Cendant Corp., has also been the target of actions by attorneys general in California, Connecticut and Florida. In 2006, it settled charges brought by 16 states alleging that Trilegiant and Chase Bank had deceived consumers into paying for membership programs."

This is the best vendor BofA could find for its credit monitoring service? More troubling are the recent consumer complaints about Trilegiant.

But let's get back to the BofA PrivacySource offer letter. The language of this authorization troubles me... particularly the "may include" phrase. It essentially says that BofA through Trilegiant will share my sensitive personal information with other companies and doesn't name all of companies, only a couple of possibilities. That is partial and insufficient disclosure to me. Not good.

And, who is First Advantage Credco? And FAMS? I did a little searching and found this First Advantage Credco profile on LinkedIn.com. The company's official website is credco.com, and it appears to be in the midst of a name change to CoreLogic. CoreLogic Credco appears to collect and data mine consumer information, with perhaps an attempt to enter the credit report marketplace.

I have not been able to determine who FAMS is. If you know, please share a description and website link in the comments section below.

About the PrivacySource website, to its credit the site does provide sample credit reports and credit scores. I compared the reports to actual credit reports I already have from Experian, Equifax, and TransUnion. The PrivacySource credit reports look like summaries. To adequately manage my finances, I need the real thing -- not summaries.

Consumers who visit the PrivacySource website should read the service's Terms and Conditions. This is important to understand what you get for $12.99 per month. You get a credit monitoring service and no credit resolution services. If you are the victim of identity theft and fraud, you'll need both services-- you'll need resolution service to help you communicate with various companies, lenders, and government agencies to fix your credit and all affected financial records.

PrivacySource uses CreditXpert Credit Scores (TM) from CreditXpert.com. Consumers should be aware that this is a different credit score brand. It is not the same as FICO from the Fair Isaac Corporation. The My ID Alert service from Capital One also uses CreditXpert Credit Scores.

If you have the time, you might compare PrivacySource and PrivacyGuard.com, Trilegiant's credit monitoring service. I didn't bother comparing the two sites because I'd already made up my mind about PrivacySource. First impressions are important. The PrivacySource offer letter was underwhelming and the site was difficult to find.

Is BofA PrivacySource for you? Only you can make that decision. It's not for me. Why? First, the letter didn't contain enough information for me to to make a decision, and it didn't include the service website. Second, the difficulty I encountered with finding the PrivacySource website gave me the impression that if the company can't do that well, the actual service is probably problematic, too.

Third, the sample credit reports seemed like summaries and not the full detail. Fourth, I prefer a comprehensive service that includes both credit monitoring and resolution services. Fifth, there are more comprehensive services that also help with medical identity theft and fraud.

If you already signed up for PrivacySource, please share your experience below. I've Been Mugged readers would love to hear your experiences, good and bad. If you have experiences with FAMS and/or First Advantage Credco, we'd like to hear about that too.

Identity Protection Advice For Consumers When On Vacation

Intersections, the provider of Identity Guard and several credit monitor services for big banks, and the Identity Theft Assistance Center (ITAC) advise consumers to take several precautions to protect their identity information, bank, and financial accounts when traveling on vacation. To guard against home burglary:

"... before you leave: Have your mail collected or held at the Post Office, ideally have someone visit and turn lights on and off, and do not leave financial documents lying in plain view."

While traveling on vacation:

"If you need to access your email from cyber cafe or other establishment, limit your access, avoid entering any passwords to your personal financial accounts, and be sure to log off when you are finished with your session."

Advice I would add to this: use Private Browsing or clear the cache and browser history when you are finished. Perhaps, more importantly while traveling:

"Try to avoid "tweeting" or blogging about your travel plans or talking about them on social networking sites like Twitter, Facebook and MySpace. Thieves may use this information to target empty homes.

I prefer to post messages after I have returned home. You make believe that all of your friends are trustworthy, but remember that a thieves may impersonate one of your friends online after hacking an email account. My favorite tip whether you are traveling or not:

"If browsing the Internet with a wireless connection, do not assume public "hot spots" are secure. Ensure you are using encryption to scramble communications over a network."

Identity criminals and hackers target hotels because their customers are a rich source of credit card information. Wyndham Hotels had three breaches during the past year. Intersections and ITAC advise consumers while traveling on vacation:

"If you're staying at a hotel or motel and receive a call from the reception desk asking that you confirm a credit card number, tell them you'll provide the information at the front desk instead. The call could easily be a random one from outside the hotel."

Prior posts have discussed whether or not it is better or safer to shop with credit cards versus debit cards. I shop only with my credit cards: at home and while traveling. Intersections and ITAC advise consumers while traveling on vacation:

"Bring as few credit cards as possible and ideally carry just one with you and keep a backup card in the hotel safe. Bring a copy of the emergency contact numbers for your credit cards and bank accounts in case they're lost or stolen. It is recommended that travelers do not use their debit cards while on vacation to further protect their checking accounts.... Use cash or travelers checks wherever possible to minimize the risk of credit card fraud or overcharging (this can also help avoid costly exchange fees if you're traveling abroad)."

To learn more about Intersections, read these credit monitoring service reviews:

• My ID Alert (Capital One)
• Privacy Assist (Bank of America)

My ID Alert From Capital One (Product Review)

A few days ago, a representative from Capital One Bank, where I have a credit card account, called me at home about identity theft. The representative was polite and asked if I knew much about the increasing risks of identity theft. Her solution was to sign me up to My ID Alert, a credit monitoring services offered jointly by Capital One Bank and Intersections, Inc..

I listened to her pitch and thanked her for the call. I asked if My ID Alert included medical identity theft coverage. She said it didn't and she didn't know much about that. I mentioned that this was important to me since I am interested in a comprehensive identity protection service that includes credit monitoring, public records monitoring, and medical identity theft protections.

Plus, I was not about to sign up for any credit monitoring service over the phone without, a) understanding what specific services are included in the monthly fee, and b) reviewing the contract terms and conditions. Since writing this blog, I have learned that the important stuff is always listed in the contract terms of a credit monitoring service. If it's not in that document, then it's not provided.

I visited the My ID Alert website to learn more. I had encountered Intersections previously in 2007 when reviewing the Bank of America's Privacy Assist credit monitoring service. A review of My ID Alert would be a good follow-up to see if Capital One negotiated an improved service with new features. The My ID Alert main page:

The site was well organized and easy to read. Consumers can quickly find the major features of the service. For $12.99 monthly, subscribers get:

• Unlimited access to valuable credit tools and your credit score
• Daily monitoring of your credit files at all 3 credit bureaus
• Up to $50,000 identity theft insurance with no deductible and at no extra cost

It was easy for me to find and read the website Privacy Policy. It explained that the site uses HTTP browser cookies, but it didn't mention whether or not it uses Flash Cookies. The website probably uses Flash Cookies (a/k/a Local Shared Objects) since it mentions that it works with unnamed third parties.

It was tricky to find the contract terms. First, click the "Enroll Now" button on the home page. On the "Order Form: Step 1" page, there are two links you'll want to use. The first link, "more info," is next to ID Alert and it provides access to summary information in a pop-up window:

The second and more important link, "Print and Review Terms of Use," is further down the page and provides access to the contract terms:

Both links should be more accessible to users, ideally on the home page, the FAQ page, and the Privacy Policy page. The contract terms contain critical information consumers need to evaluate the service. It shouldn't be this hard to find important information.

It is important to note that Capital One already sells a credit monitoring service by Intersections: CreditInform Premier. The My ID Alert website didn't mention this, nor did it provide a comparison. So, I developed this brief comparison:

Item	CreditInform Premier	My ID Alert
Unlimited access to credit tools and credit score	Yes	Yes
Quarterly Notification / credit updates	Yes	Yes
Insurance	$20,000	$50,000
Notify Express. Includes: Inquiries to your credit files New accounts opened New public records Address changes Changes to public records Changes to account information	Yes. Based on Experian credit report only	No
Credit Score ( From CreditXpert, Inc. which is not a FICO score)	Yes	Yes
Monthly fee	$8.99	$12.99

Then, I read the contract terms more closes and noted some important language about the credit score provided (links added for improved readability):

"Any credit score provided as part of the Service is provided by CreditXpert products. The information used by CreditXpert products is derived from one or more credit reports produced by the major credit reporting agencies, also called credit bureaus... CreditXpert Credit Scores(TM) are provided to help users better understand how lenders evaluate consumer credit reports. Lenders may use a different score to evaluate a person's creditworthiness... Also, CreditXpert Inc. is not connected in any way to Fair Isaac Corporation; the CreditXpert Credit Score is not a so-called FICO(®) score. CreditXpert Inc. does not represent that CreditXpert Credit Scores are identical or similar to any specific credit scores produced by any other company."

I have not heard of CreditXpert before. And, like most consumers I thought that FICO was the only source of credit scores. This is an important disclosure since potential lenders may treat different brands of credit scores differently.

I have not done an analysis of the difference between a credit score from FICO versus CreditXpert. Perhaps a reader has and will add a comment below. So, I can't state what the impact might be on a consumer's credit worthiness. Consumers wanting to purchase a FICO-brand credit score may want to look elsewhere. The website didn't present any testimonials from My ID Alert customers, a helpful feature that could have addressed concerns about the credit score source.

One indicator I use to judge a company responsiveness to consumers' needs is whether or not the service has built pages on social networking sites like Facebook, Twitter, and Youtube. These are often a rich source of customer opinions and consumer testimonials, if the service does not have a blog site.

I searched and didn't find a My ID Alert page on Facebook, Twitter, or Youtube. This makes me wonder how serious executives at Capital One and Intersections are about reaching consumers. You have to fish where the fish are.

I also browsed the My ID Alert service looking for evidence it offers real-time alerts via e-mail or text messaging. To help me monitor my financial accounts, my bank offers this where I set the threshold amount to trigger an e-mail alert 24/7. The sooner I can discover fraudulent activity, the less money I am likely to lose. So, I look for this in a credit monitoring service. I couldn't find any evidence in the My ID Alert website about whether it offers real-time alerts. So, I assume no.

Should you sign up for My ID Alert? To me, it is a starter credit monitoring service... it is an option for a person who is just learning about identity theft and wants basic coverage. Each consumer's situation is slightly different, so it is always wise to shop around. For example, parents may seek a service that covers several family members. I've reviewed several credit monitoring service in this blog.

As I mentioned above, I seek an identity protection service that is comprehensive... that includes credit monitoring, public records monitoring, and medical identity theft protections. I want the convenience of subscribing to a single service... one-stop shopping.

The MY ID Alert service doesn't fit my identity protection needs. And, its price seems high. Yes, you get more insurance but you don't get the Notify Express feature Capital One offers in CreditInform Premier. And, the service Capital One negotiated with Intersections didn't seem much different from Bank of America's offering when I last reviewed it.

What do you think? If you use or have used My ID Alert, please share your experiences. We'd love to hear them.

AvMed Breach Affects 1.2 Million Florida Residents

A data breach in December 2009 at AvMed Health Plans included the theft of the Social Security numbers, names, addresses, birth dates, and health records of both current and former AvMed subscribers. Two laptop computers containing the records were stolen from the company's Gainesville office in December.

360,000 breach victims were notified in February and on June 3 the company announced that it is notifying an additional 860,000 breach victims. AvMed is offering breach victims two years of free credit monitoring service with the Debix Identity Protection Network. Breach victims requiring more information can visit the AvMed website contact Debix at 1-877-441-3004 (TTY: 877-442-8633). Breach victims that want the Debix coverage must register.

Breach victims should visit the Florida Attorney General' website for more information about identity theft and steps to take if their medical or personal information is used fraudulently by criminals. The Florida AG advises victims of fraud to:

1. Report the incident to the fraud department of the three major credit bureaus
2. Contact the fraud department of each of your creditors
3. Contact your bank or financial institution
4. Report the incident to law enforcement

Breach victims can get a free copy of their credit reports from the three credit bureaus at AnnualCreditReport.com. Since this breach involves medical information, breach victims should obtain a copy of their medical records from their AvMed physician and review it for fraudulent entries.

After a data breach with 1.5 million records stolen, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims.

Is the health care industry doing a good job at protecting patients' medical information? I think not. Data breaches at health care companies are more common than many consumers and patients realize.

According to the Privacy Rights Clearinghouse, recent health care breaches:

• June 2010: Safe Harbor Med Santa Cruz, California)
• May 2010: Aetna (South Windsor, Connecticut)
• May 2010: Loma Linda University Medical Center (Loma Linda, California)
• May 2010: New Mexico Medicaid (Santa Fe, New Mexico)
• May 2010: Millennium Medical Management Resources (Westmont, Illinois)
• April 2010: St. Jude Heritage Medical Group (Orange, California)
• April 2010: The Medical Center (Bowling Green, Kentucky)
• April 2010: Hutcheson Medical Center and one other medical facility (Chattanooga, Tennessee)
• April 2010: DRC Physical Therapy Plus (Monticello, New York)
• April 2010: Affinity Health Plan (Bronx, New York)
• April 2010: Massachusetts Eye and Ear Infirmary (Boston, Massachusetts)
• April 2010: Brooke Army Medical Center (San Antonio, Texas)
• April 2010: St. Peter's Hospital (Albany, New York)
• April 2010: Virginia Beach Dept. of Social Services (Virginia Beach, Virginia)
• April 2010: ManorCare Health Services (Wheaton, Maryland)
• April 2010: St. Francis Hospital (Tulsa, Oklahoma)
• April 2010: Providence Hospital (Southfield, Michigan)
• April 2010: John Muir Physician Network (Walnut Creek, California)
• March 2010: Northwestern Medical Faculty Foundation (Chicago, Illinois)
• March 2010: University of Calgary Sunridge Medical Clinic (Calgary, California)
• March 2010: Atlanta Veterans Affairs Medical Center (Atlanta, Georgia)
• March 2010: UT Southwestern Medical Center (Dallas, Texas)
• March 2010: The Open Door Clinic of Greater Elgin (Elgin, Illinois)

Whenever I read about a large breach including laptop computers, I wonder why firms and their employees insist on storing so many records on a single computer. It raises the question about whether AvMed properly trained its employees with effective data security practices.

I read AvMed's February and June press releases. Neither press release mentioned whether or not the stolen information was encrypted. Breach victims have to assume the worst: nothing was encrypted. This makes one wonder why the company didn't encrypt sensitive information.

And while the company claims that the risk of identity fraud is low, the fact is that using the types of information stolen, criminals can assume breach victims' identities, apply for credit in breach victims' names, and apply for health care fraudulently using breach victims' medical information.

Poll: Readers' Attitudes About Offshore Outsourcing

Over the past few months, I ran an informal poll on this blog asking readers about their attitudes toward offshore outsourcing. While corporations are good at assembling resources and products from various geographic areas to deliver low-priced goods to consumers, a seldom discussed aspect is that corporations also transmit customers' sensitive information between offices and vendors in several countries.

Consumers are well aware of offshore outsourcing when they talk with a customer service representative who clearly has an accent and is located in another country. Many offshore outsourcing activities are hidden from consumers and customers when those activities are performed in back-office or support operations. I explored in a four-part blog series the issues with offshore outsourcing by the major credit reporting agencies. For example, when consumers submit via paper corrections to their credit reports, those corrections are often entered by staff or vendors located in other countries.

With all of this in mind, I asked I've been Mugged readers to select the statement which best describes their attitudes about offshore outsourcing and consumers' credit information. Here are there responses:

• 14% of respondents felt that companies should not perform offshore outsourcing under any circumstances
• An equal number (14%) felt that offshore outsourcing is okay generally, but shouldn't be used for financial and credit information
• The greatest number of respondents (36%) felt that companies should notify customers if they perform offshore outsourcing and customers should have a choice to opt-out
• Far fewer respondents (9%) felt that companies should notify customers if the company's offshore outsourcing includes customers' sensitive data
• 18% of respondents felt that U.S. Congress needs to do more about offshore outsourcing (e.g., legislation for oversight, auditing, data breach notification, etc.)
• 5% felt that credit monitoring services shouldn't perform offshore outsourcing
• 5% don't care whether companies perform offshore outsourcing or not

What to make of these results? First, this was an informal poll. So, it captured the opinions of only I've been Mugged blog readers. Readers of this blog are consumers who have been affected by identity theft, fraud with bank accounts, fraud with their credit reports, and/or data breach victims.

So, the readership of this blog is somewhat of a self-selecting group that has an interest and knowledge about privacy and their sensitive personal information. For the results to be applicable to the entire U.S. population, the survey participants should have included a random selection from the broader U.S. population.

Second, I believe these results are directional in that consumers want to be informed and want control over their sensitive personal information. It was not surprising to me that the greatest number of respondents (36%) felt that companies should both notify customers if they perform offshore outsourcing and provide their customers with an opt-out mechanism.

This indicates that consumers want to be notified and want control over who has access to their sensitive personal information. The company-customer relationship is built on trust. This sensitive customer information It is not for corporate executives to treat as if it is theirs alone.

Like it or not, companies will have to recognize and deal with this reality.

A Review Of FreeScore.com

I saw the ad below recently on late-night television. Perhaps you have seen it too:

I know Ben Stein more for his comedy than his economic commentaries. He's also in some funny cable TV service commercials with Shaq. So, I have nothing against Stein. Everyone has to make a living.

I don't know anything about Filbert, the squirrel in the ad. I have nothing against Filbert either.

At first view, the ad seemed harmless enough. It is wise for consumers to know their credit score, since many purchases depend upon having good credit. To learn more, I visited the FreeScore.com site.

That's when things really got squirrely.

The site is easy to read and easy to navigate. There are huge buttons on the home page to start the registration process to get those free credit scores. Consumers can get "free" credit scores from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion:

The above page copy also inform users that they can get their credit reports when ordering their free credit scores. Further down the page (out of view when the page first loads) is as a huge button for consumers to click to view a sample report compiled with information from the three credit reporting agencies. A sample report is a good thing to view before registering. A more friendly page design would place that sample button further up the page so it is easier to see.

Now, I already know my credit score, so I didn't register for the FreeScore.com service. If you scroll to the bottom of the page, you will see tiny text that is easy to miss, especially if you clicked on any of the large buttons near the top of the page. So, I've repeated the tiny text here:

"FreeScore.com is not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under law, you must go to www.annualcreditreport.com.

Translation: while you can get credit reports at the FreeScore.com site, they aren't free. The credit scores are free but the credit reports have a monthly fee. The tiny text explains why there is a monthly fee:

"FreeScore provides you with the tools you need to access and monitor your financial/credit information through the program's credit reporting and monitoring benefits. FreeScore and its benefit providers are not credit repair service providers and do not receive fees for such services, nor are they credit clinics, credit repair or credit services organizations or businesses, as defined by federal and state law. Credit information provided by TransUnion Interactive, Inc."

Translation: the site is operated by TransUnion, one of the three major credit reporting agencies. FreeScore will help you monitor your credit scores and credit reports, but it won't help you fix them should something bad happen. You are on your own if you need to remove errors in your credit reports, or if you are already an identity-theft victim and thieves have made fraudulent purchases affecting your credit scores and reports.

So, if the credit reports at FreeScore aren't free, how much do they cost? In my opinion, a better design would have displayed the price along with the credit report offer on the home page. Instead, the consumer has to hunt for the price information, which appears on the FreeScore registration page below. The price is in small type in the right column under OFFER DETAILS:

I've repeated the tiny copy here so it is easier to read:

"Simply click "View Scores" on the next page to activate your FreeScore trial membership and claim your 3-in-1 Credit Profile and Triple Credit Score. After your 7-day FREE trial period it's just $19.95 per month for FreeScore. Remember, you can call FreeScore toll-free at 1-800-316-8824 within the first 7 days to cancel, and you will not be charged/debited."

Translation: you get free credit scores only during the seven (7) day trial period. After that, charges apply if you don't cancel your trial membership, which automatically signed up for a credit monitoring service costing almost $20 per month. The trial membership period is awfully short, too.

This offer by FreeScore.com reminded me a lot of the pitch by FreeCreditReport.com, a site that pitches free credit reports but enrolls consumers in a credit monitoring program with a monthly fee if you don't read the tiny text and cancel. Yesterday's post discussed the new Credit Report disclosure rules mandated by the FTC. The FreeScore.com site never pitches free credit reports, so I guess that TransUnion believes that they don't have to comply with the new disclosure rules since they aren't selling free credit reports at the site.

In my opinion, the FreeScore.com site is the same as the FreeCreditReport.com site. Both advertise X (e.g., get something for free) but really offer Y (credit monitoring for a monthly free) and place the important details in small print rather than say so upfront in easier to read type. Both sites use the auto-opt-in method: the user is enrolled in the credit monitoring service unless they cancel in time. To me, this is a sleezy marketing approach. The old "buyer beware" advice definitely applies here.

In my opinion, FreeScore.com is expensive since the price includes credit monitoring and not credit resolution services. And, the FreeScore monthly fee of $19.95 is higher than the FreeCreditReport.com monthly fee of $14.95. So, maybe the cost of those "free" credit scores is baked into the higher monthly credit monitoring fee.

Is FreeScore for you? That's a decision only you can make. You know your credit situation best. Having good credit is critical and monitoring your credit reports is wise to ensure their accuracy. If you are a victim of identity theft and fraud, then monitoring your credit reports for fraudulent purchases is critical, but getting credit resolution service is equally important.

My advice: shop around and always read the FINE PRINT at a Web site; especially sites offering freebies and/or credit monitoring services. Know the limitations of the credit monitoring service you are considering. Be an informed consumer.

FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports

In a press release late last month, the U.S. Federal Trade Commission (FTC) announced new disclosure rules that will go into effect on April 2 for Web sites offering "free" credit reports. The new rules aim to help consumers better understand Web sites offering "free" credit reports. The new FTC Credit Reports Rule effective April 2:

"... will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:

THIS NOTICE IS REQUIRED BY LAW. Read more at FTC.GOV. You have the right to a free credit report from AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law."

The Credit CARD Act of 2009 required the FTC to change the Credit Reports Rule by February 22, 2010 to prevent deceptive marketing of “free credit reports.” During the interim period from February 22 until April 2, the disclosure requirement is shorter, includes only text, and excludes links:

“Free credits reports are available under Federal law at: AnnualCreditReport.com.”

After April 2, the disclosure includes longer text (see above), a clickable button to "Take me to the authorized source" for free credit reports, and clickable links to both AnnualCreditReport.com and FTC.GOV. Prior to issuing the revised rules, the FTC sought and received feedback about the proposed rule change from consumers, consumer reporting agencies, consumer report resellers, business and trade organizations, state attorneys general, consumer advocates, law firms, members of Congress, and academics.

This is the best that the FTC could do? It doesn't seem to prevent deceptive advertising but, moderate it instead.

Is the interim disclosure enough? Obviously not. While it is a step in the right direction, it is a small step. It includes minimal text and no links.

Is the April 2 disclosure enough? This is two steps in the right direction, but still not enough. While it includes more text and links, one link is to the FTC home page. A better link destination would be the FTC site page about free credit reports and the AnnualCreditReport.com site.

A even better solution would be for the rule to prohibit companies from making what is essentially, in my opinion, a "bait and switch" offer. Then, these micro-managing rule changes would be unnecessary and not waste limited government resources. At FreeCreditreport.com, the "free" credit reports really aren't. The site currently contains the interim disclosure, as required by the FTC.

I am sure that the credit reporting agencies are happy with the FTC's new rule change because it allows business-as-usual with minimal changes. Experian doesn't have to pull all of its FreeCreditReport.com ads that appear on both Youtube and late-night television and cable.

Sadly, the new rules are a business-friendly solution that allows companies to continue presenting Web sites with similar "bait and switch" offers; only to replace "free credit reports" with other freebies to evade the new disclosure rules.

How? I'll discuss one example tomorrow.

Lifelock Settles With the FTC: Company To Pay $12 Million

The U.S. Federal Trade Commission (FTC) reported:

"LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck. In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz."

Lifelock began marketing its service in 2006. Radio entertainer Rush Limbaugh promoted the service. In 2008, the credit reporting agency Experian sued Lifelock. During the same year, consumers in several states sued Lifelock about the quality of its service.

The FTC news release also added:

"The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection."

From time to time, friends and coworkers ask me what I think of Lifelock's service. I usually direct them to the product review by the folks at Consumers Reports. And I encourage them to closely review the Lifelock terms of the service, so they know what they are paying for. I also encourage them to read this blog so they can learn what they can do themselves -- like fraud alerts -- for free.

Ripoffs For Consumers to Avoid

This blog is all about what to do if you have been "mugged" or abused by a company or identity criminal, and what to do to avoid getting "mugged." Recently, CNNMoney published a list of, "America's Biggest Ripoffs." Thanks to my friend and I've Been Mugged reader, Bill, for the link.

I knew that text messaging and hotel mini-bars would definitely be on the list. I was happy to see this item also on the list of ripoffs:

"There's nothing free about forking over $179 a year for information at Freecreditreport.com. Instead you can go to AnnualCreditReport.com, which is run by the Federal Trade Commission, and get a truly free report once a year from each of the credit agencies: Equifax, Experian and TransUnion. Freecreditreport.com's catchy ditties can get stuck in your head for days -- but subscribing to the service will haunt your credit card bill for a year. When you sign up, you're asked for your credit card number. Then the site automatically enrolls you in its "Triple Advantage credit monitoring," which pledges to continuously track your credit status for $14.99 per month."

A warning: if you decide to use FreeCreditReport.com, read the fine print and contract terms closely, first. You do have seven (7) days within the trail period to cancel the credit monitoring service. I strongly urge you to browse the entire list of ripoffs.

What do you think? Should FreeCreditReport.com be on the list of ripoffs?

ID Watchdog and InComm To Jointly Produce New Identity Theft Products For Consumers

I found this video interesting:

After watching the video, I visited the ID Watchdog web site to learn more about their service. My first interaction with the site was a positive one. I found it easy to read and easy to understand the identity protection services it provides. ID Watchdog seems to be moving towards the comprehensive detection I look for in a service, since it monitors a dozen different databases that store consumers' sensitive personal data. ID Watchdog has a data-sharing agreement with Acxiom.

My experiences with other identity protection services hasn't been so positive. You can access reviews of other identity protection services on the Reviews page in this blog.

I hadn't heard of InComm before. They seem to make and distribute cards that have stored value... like the gift cards you'd buy in a big-box retail store chain or grocery store chain. I am sure that this blog will cover during the coming months reviews of products by InComm and ID Watchdog.

Credit Smart Consumers

Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers

This past weekend, Todd Davis, Lifelock's Chairman and CEO, announced in a video message the company's intention to release new services during the coming weeks. This was prompted by a court ruled in May 2009 in favor of Experian to stop companies like Lifelock from setting Fraud Alerts on behalf of its customers. Lifelock had appealed the decision.

In February 2008, I've Been Mugged reported the Experian v. Lifelock lawsuit. The fight between Experian and Lifelock was like two five-year-old kids arguing over who gets the last brownie on the kitchen table while there is a fire burning in the living room. There are bigger issues. Fraud Alerts are a relatively weak tool, since it doesn't force lenders to contact consumers. Credit monitoring service that include a Fraud Alert tool still do not stop:

• Criminal identity theft: when a criminal uses another person's identity during a crime
• Medical identity theft and fraud: when a person uses another person's identity to gain free medical care, and wrecks the victim's access to health care they rightfully paid for
• Data breaches and fraud at outsourcing vendors and at offshore outsourcing vendors
• Poor data security practices by companies and employees
• Insider identity theft and fraud

To be clear, I am no fan of Lifelock. Much of what the company charges for, consumers can (and should) do for themselves for free. In April of 2008 Consumer Reports gave Lifelock a less than stellar review.

However, on one point Davis and I agree. This court ruling is a setback for consumers. It limits choice in the marketplace at a time when data breaches and identity theft have increased. The ruling means that consumers must go directly to Experian (and other credit reporting agencies) to establish a Fraud Alert.

It will be interesting to hear during the coming weeks about Lifelock's new services. Hopefully, the company has done its homework and developed a set of truly innovative and more comprehensive identity protection tools.

It is in consumers' best interest for a comprehensive identity protection service. Why? Many consumers I've talked with have no idea what to do about identity after their sensitive personal data has been stolen. Many consumers need all the help they can get. Few know the difference between credit monitoring and credit restoration. Few understand the limitations (e.g., see the bullet list above) with credit monitoring services. Then, it's a rush to learn what to do to protect themselves, and establish some preliminary protections.

It is sad that the identity protection industry so fragmented and disorganized.

There's a gap in the marketplace and a truly comprehensive identity protection service would go a long way towards helping consumers. The credit reporting agencies don't offer a comprehensive service; they focus narrowly on monitoring (usually their own) credit reports, and providing credit scores. Regional credit reporting agencies are essentially ignored, along with insurance reporting services like ChoiceTrust.

All of these regional credit reporting and insurance companies' reports are high-value targets by identity criminals. The credit monitoring services by independent companies are somewhat better than the credit reporting agencies' service, but that is not a high bar to leap. As I wrote in May 2009:

Since I started this blog, I have searched for a truly comprehensive identity protection service, which should include:

• Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
• Unlimited access to the full text of all of my C.L.U.E. insurance reports
• Unlimited access to the full text of all of my sensitive personal medical information
• Monitoring of my identity across social networking sites
• Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
• Tools and calculators to help me evaluate these reports
• The ability for to customize alerts based on my individual needs
• Options to add Fraud Alerts to any or all of the above reports
• Options to add Security Freezes to any or all of the above reports
• Criminal fraud monitoring (if my identity is used by thieves during a crime)
• Identity fraud assistance when traveling outside the USA
• Identity resolution services and insurance for all of the above reports
• 24/7, and easy access to a real person in customer service via phone
• Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. The Experian v. Lifelock court ruling adds to the problem, since Fraud Alerts will now be available only at the major credit reporting agencies.

It shouldn't be this hard for consumers. Maybe Lifelock has tackled this problem with their new services. We shall see during the coming weeks, and I've Been Mugged will report on it.

Experian Informs Maryland Consumers Of Data Breach

I write frequently about the major credit reporting agencies since they collect and archive the most sensitive personal and financial data about consumers. Given that, this is a data breach that shouldn't have happened.

In many states, companies are required by state law to report data breaches. Maryland is one of the few states that publishes these breach letters online so that its residence can easily confirm any breach notification letters received (and make sure that the letters aren't phishing attempts). The June 26, 2009 breach notification letter from Laura Mundy, Vice President of Regulatory Compliance at Experian:

"In accordance with state law, I wish to inform you that Experian, one of the nationwide credit reporting agencies intends to notify twenty Maryland residents about unauthorized access to their personal information. The residents will be notified by US mail this week and will be provided credit monitoring services. A copy of the written notification is enclosed.

Experian, one of the nationwide credit reporting agencies identified that consumer information was recently accessed online after methods to authenticate their identity were completed successfully by unknown individuals. The consumer information consists of information typically found in a consumer credit report. Such information includes the consumer's name and address and one or more of the following: Social Security Number or date of birth. Experian is actively working with law enforcement to investigate this matter."

In my opinion, never has so many words said so little. This letter says the absolute bare minimum about the breach -- when it happened, why it happened, and what Experian is doing to prevent a similar incident in the future. A breach notification letter's contents should not vary whether the breach affected 20, 200 or 2 million consumers.

Experian's breach notification letter did a good job of directing consumers to www.experian.com/fraud if they have questions, and to partner.consumerinfo.com/deluxe to learn more about the post-breach credit monitoring service offered. The letter should have also:

• Explained why the free credit monitoring services offer is only for one year and not longer, since the risk to the consumer is longer
• Provided a description of any credit resolution services included in the credit monitoring services offer
• Offered to cover the cost of consumers' Security Freeze fees to protect their credit reports
• Offered to reimburse consumers for the annual cost of free credit monitoring period if the consumer already has a credit monitoring service in place. Otherwise, these consumers get nothing from Experian.
• What Experian is doing so a breach like this doesn't happen again

Slumping Economy Makes It Harder For Consumers To Recover From ID-Theft

A new Nationwide Insurance survey found that:

"... nearly half of respondents said that if their identity were stolen today, they did not know if they had enough money in reserve to weather the recovery process. The new survey also found that 10% of identity theft victims polled missed payments due to the crime. Of those victims, four out of five say the theft caused serious repercussions – including lower credit scores, utilities shut off, bankruptcy, vehicle repossession, home foreclosure or even jail time."

The survey included telephone interviews of 400 adults, including 200 ID-theft victims, and was conducted from December 12-17, 2008 by MRSI. Additional findings:

"... identity theft victims tend to be Caucasian, female, ages 35-54, college-educated, married, and employed full time. Additionally, people who are separated or divorced, and those making $75,000 or more a year are more likely to fall prey to identity theft than the general population."

How consumers respond to identity theft:

"... 52% of respondents said they would tackle the recovery process from identity theft on their own... Nationwide’s previous polls found that identity theft victims spent an average of 81 hours trying to resolve their case and one in four cases were unresolved after a year of trying..."

Wow! That statistic is higher than I thought. There's so much time and work involved in fixing damage from identity theft, that I'd definitely use a credit restoration service. Sure, there are some things consumers can do on their own (e.g., fraud alerts, Security Freezes, opt-out of pre-aproved credit offers), but a trustworthy credit restoration service can definitely help. With higher unemployment rates, now is not the time to miss work and jeopardize your job while trying to resolve the financial account and credit report damage done by identity thieves and fraud.

Interested individuals can read more at the Nationwide Insurance site.

Consequences of the Heartland Data Breach

About a week ago, my friend Janet (not her real name) received a phone call from Visa about suspect charges on Janet's Visa credit card through her credit union. Janet asked me not to disclose the name of her credit union, but it is a well-known higher education credit union located in the Northeast.

Janet asked me what she should do next. Her story has implications for many consumers.

Visa was proactive with contacting Janet about several small charges. Visa wanted to know if the charges were valid. Together, the five charges were less than $50 total, but Visa explained to Janet that often identity thieves and fraudsters submit small charges first. The identity thieves hope that the charges go paid and unnoticed, since many consumers don't check their monthly credit card statement. The real damage is done later when large, fraudulent charges are submitted.

Janet informed Visa that the charge were indeed bogus. Visa closed her credit card account and opened a replacement account. Visa also said that they were going to send Janet an affidavit to sign, indicating that the charges were were indeed fraudulent, which Janet must sign and return to Visa.

My advice to Janet:

1. Keep breathing. Yes, identity theft is scary but her situation is manageable. It definitely seemed that fraudster had obtained her credit card number, if not more sensitive personal data.
2. Definitely sign the form and return it to Visa via Certified postal snail-mail with a return receipt requested. That way she'd have a written record of when Visa received her signed form.
3. Keep a copy of the signed form for her records.
4. File a police report with her local police department, and attach a copy of the affidavit if needed.
5. Definitely accept the new credit card account Visa had arranged
6. Check her credit reports for any bogus entries. (Janet had already placed a Security Freeze on her credit reports years previously, when this became available in Massachusetts.)
7. Inform her credit card issuers of her upcoming travel abroad, so they know that credit card purchases in certain countries within certain dates will be valid charges; and do not suspend or close her credit card accounts
8. File a complaint with the U.S. Federal Trade Commission, since the FTC tracks fraud and relies upon consumers to notify it
9. Check her monthly credit card statement closely for bogus charges. Janet said that she already did this regularly and would continue doing so.

Then, I asked Janet if her credit union or Visa had mentioned the Heartland Payment Systems vendor. Like most consumers, Janet hadn't heard of Heartland since Heartland isn't a vendor consumers usually do business with. Janet, like most consumers, is familiar with the credit card companies and banks.

I briefly explained to Janet the Heartland data breach, how hundreds of thousands of credit card numbers were exposed/stolen, and how Heartland isn't sure exactly how many credit/debit card accounts were exposed/stolen. A January 2009 Washington Post story mentioned that the Heartland breach may be the largest breach ever for the number of accounts stolen. Janet said that she'd ask Visa about it the next time she talked with them on the phone.

A few days later, Janet informed me that Visa confirmed that they use Heartland to process credit card transactions, and that this was probably a result of the Heartland breach. Janet's story has several implications for consumers:

• Check your credit card statements closely every month
• File a police report about the fraud with local law enforcement. If local law enforcement won't accept a police report, contact the elected officials in your state
• File a complaint with the FTC. The FTC analyzes the size and scope of identity theft and fraud
• Use a credit card issuer that proactively will warn you of possible bogus charges before your monthly statement arrives
• Know the sensitive personal data about yourself that you should protect
• If you suspect that identity thieves have collected more sensitive personal data than just your credit/debit card number, check your credit reports at the big-three credit reporting agencies for accuracy and for any bogus entries
• If you are the victim of fraud, consider placing a Fraud Alert or a Security Freeze on your credit reports at the big-three credit reporting agencies
• Know the difference between a Fraud Alert and a Security Freeze
• Know the risks of shopping with your debit card versus your credit card. Even better, use cash at retailers you believe may not practice good data security

What bothers me about Janet's story is:

• As of April 12, the Heartland breach site still does not disclose the number of consumers' credit/debit card accounts affected by its data breach. Either the company knows and refuses to say, or they don't know the number affected. If Heartland knows, then the number must be huge -- bigger than the TJX debacle
• Consumers like Janet are not being informed that their credit/debit accounts may have been affected (e.g., stolen) during the Heartland data breach. This seems to contradiction states' laws requiring consumer notification
• At its breach web site, Heartland encourages companies not to take any action about the Heartland breach since things will be fixed soon. Huh? Consumers have been affected. This "take no action" advice seems to also apply to communications to consumers. After all of the problems in the financial and banking industry during the past year, I would have thought that Heartland would understand the benefits of transparency about communications. Keeping secrets does damage, and consumers' trust is damaged or broken by secrets
• Janet's credit union doesn't seem to have provided much help, so far

To be fair, this week Janet plans to contact her credit union for more information and to see what they are doing about the fraud. Maybe Janet's credit union is following Heartland's advice.

If you have experienced fraud recently on your credit card or debit card account, I hope that you'll follow Janet's lead to protect yourself and your sensitive personal data. If you want to share your story below, it would be appreciated.

Consumers' Report Card on Data Breach Notification (Part Two)

Yesterday's post covered some of the high-level results from the "Consumers' Report Card on Data Breach Notification" study by the Ponemon Institute and ID Experts. Today, I explore the detailed findings because they highlight just how poor organizations' performance has been with breach responses:

67% of survey respondents indicated that they were notified by a personal letter addressed to them

I found this interesting because of what is happening with the other 33% of respondents. Companies and government agencies are notifying consumers with their account statement or bill, a phone call, e-mail, a phone call from a third party, at the company's web site, or with a general disclosure in the newspaper or television.

Do these organizations not understand that a data breach is a major event for consumers? I guess they don't understand, or don't care. It may save the organization money to notify consumers via phone or e-mail, but consumers are often wary. Most consumers have already experienced plenty of e-mail spam. When a consumer's sensitive personal data is lost or stolen, it deserves a personal letter addressed to the consumer so they know the situation is real and must be addressed quickly.

The study results indicated the type of organization that had the data breach:

"Financial institution or credit card company, 30%; retailer, 23%; government organization, 19%; online merchant, 10%; education institution, 9%; health care provider, 6%"

The survey respondents also reported -- as best they could -- the cause of the data breach:

"Don't know the cause, 50%; lost laptop or other portable device by the company, 19%; lost laptop or other portable device by a third-party, 15%; mishaps in the movement of paper information, 7%"

It is difficult for consumers to trust an organization that refuses to disclose details about its data breach. If organizations want to maintain consumers' trust, then transparency is the way. Do a better job of informing consumers about both the breach cause and the results of post-breach investigations. In my experience, IBM never disclosed the number of records lost/stolen. Nor did IBM disclose the results of its post-breach investigation. This tight-lipped approach may help a company maintain its stock price, but it doesn't help consumers' confidence or customer loyalty.

More results from the study:

"77% of survey respondents were either "concerned" or "very concerned about the loss or theft of their personal information"

This is good news in that consumers seem to understand the implications of a data breach. The bad news is that organizations' breach responses don't seem to resolve consumers' concerns. Survey respondents were concerned because:

"Possible theft of their identity, 52%; financial losses, 21%; need to transfer their business to another company, 12%; revelation of extremely confidential information, 6%; need to spend time correcting errors to their records, 6%"

Consumers were not satisfied with the organization's breach notification:

17% of survey respondents either "Strongly Agree" or "Agree" that the organization's communication provided useful information on simple things they could do to protect themselves from identity theft"

This meant that 83% -- most survey respondents -- found the organization's breach notification useless or unhelpful. Perhaps, the most important findings of the study is the action consumers did after receiving the breach notification:

"Contacted the company to learn more about the breach, 35%; discontinued their relationship with the company, 31%; did nothing, 26%; contacted the organization to purchase services to protect their personal information, 13%; made a formal complaint to the organization, 8%"

Consumers want to know details about the breach event, the post-breach investigation, and the free credit monitoring services arranged. Organizations must understand and respond to this. Otherwise, consumers will -- and should -- take their business elsewhere. And, perhaps we'll see some lawsuits when organizations' breach notifications don't meet states' breach notification laws.

Santa Fe Group And ID Experts Announce 'Bill of Rights' For ID-Theft Victims

Last week, the Santa Fe Group and ID Experts announced a 'Bill of Rights' for Identity theft victims. The document includes five basic rights to help consumers who are victims of identity theft and data breaches to protect and correct their personally identifiable information (PII) records:

1. Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
2. Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
3. Freedom from harassment from collection agencies, law enforcement and others
4. Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
5. Restitution that includes repayment for financial losses and expenses

For people who are unfamiliar with the issues, the white paper provides a background on the issues and trends about identity theft and identity restoration -- the challenges to consumers when fixing damage done by identity thieves. The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts. Kam noted:

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses. We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

The Santa Fe Group is a consulting company to financial institutions and related infrastructure companies. ID Experts provides services to companies and to consumers covering identity restoration. Consumers and companies can download for free the Bill of Rights white paper, titled "Victims’ Rights: Fighting Identity Crime on the Front Lines" (364 K Bytes, Adobe PDF format; registration required).

This "Bill of Rights" is an excellent idea for several reasons. As Kam said above, consumers receive inconsistent treatment within and across States. First, most but not all States have laws defining what is personally identifiable information, and how companies and government agencies should protect that information. Second, most but not all States have laws requiring companies and government agencies to notify consumers after a data breach.

Third, most states do not define the content of what the components should be in a credit monitoring service offered in a company's post-breach response. This places consumers in a difficult situation thinking that their state has provided them with some protection, when in fact that protection is far weaker than they realize. Fourth, most consumers have no idea what to do to restore their identity information after damage by identity thieves.

Fifth, only a handful of states have laws protecting consumers against ID-theft involving RFID cards. There are so many ways identity thieves can steal consumers' sensitive data, that it makes sense to strengthen laws to help consumers fix the damage done by identity thieves. Sixth, only a couple states -- Maryland and New Hamsphire -- post online the breach notices received to help consumers verify breach notices.