Credit Monitoring Services

Wednesday, May 14, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 4)

Prior posts discussed offshore outsourcing at TransUnion and TrueCredit. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion (and TrueCredit) outsource their operations and her credit information, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions. So far, I've learned that both TransUnion and TrueCredit, its credit monitoring service, offshore outsource.

To learn more about offshore outsourcing within the credit bureau industry, I reviewed the 10K document Equifax filed with the U.S. Securities and Exchange Commission. Equifax is publicly-traded while TransUnion is privately-held. The S.E.C. requires public companies to submit certain filing documents. Both collect consumers' credit information, sell credit reports to potential lenders, and operate credit monitoring services. A publicly-traded company's 10K filing usually tells more about its operations than its Annual Report document.

A view of Equifax's operations would provide a perspective about TransUnion, since both companies perform similar activities. To stay competitive, TransUnion would attempt to maintain a similar cost structure to its competitors -- Experian and Equifax.

From the Equifax 10K document:

"Upon our acquisition of TALX Corporation, or TALX, on May 15, 2007, we became a leading provider of payroll-related and human resources business process outsourcing services in the United States of America, or U.S. We currently operate in three global regions: North America (U.S., Canada and Costa Rica), Europe (the United Kingdom, or U.K., the Republic of Ireland, Spain and Portugal) and Latin America (Brazil, Argentina, Chile, El Salvador, Honduras, Peru and Uruguay). Of the countries in which we operate, 73% of our revenue was generated in the U.S. during 2007."

Some interesting information about the business risks Equifax sees and how that risk relates to outsourcing activities:

"Our ability to provide reliable service largely depends on the efficient and uninterrupted operation of our computer network systems and data centers. Some of these systems have been outsourced to third-party providers. Any significant interruptions could severely harm our business and reputation and result in a loss of customers."

If you read further into the 10K document, Equifax lists its contractual obligations which include outsourcing expenses:

| Payments Due By: | Total | Less Than 1 Year | 1 To 3 Years | 3 To 5 Years | Thereafter |
|---|---|---|---|---|---|
| Data processing, outsourcing agreements and other purchase obligations* ($millions) | $305.5 | $88.5 | $103.3 | $90.2 | $23.5 |

* These agreements primarily represent our minimum contractual obligations for services that we outsource associated with our computer data processing operations and related functions, and certain administrative functions. These agreements expire between 2008 and 2014.

The document also states:

"Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with International Business Machines Corporation, or IBM, Acxiom, GenPact, TCS and others to outsource portions of our computer data processing operations, applications development, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2008 and 2013. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $305.0 million as of December 31, 2007, with no future year expected to exceed approximately $90.0 million... In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay a significant penalty."

I wonder exactly what's in "related functions and to provide certain other administrative and operational services." That sounds like call centers. Equifax's outsource agreement with IBM:

"Our data processing outsourcing agreement with IBM was renegotiated in 2003 for a ten-year term. Under this agreement (which covers our operations in North America, Europe, Brazil and Chile), we have outsourced our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of such services varies by location. During 2007, 2006 and 2005, we paid $115.0 million, $112.1 million and $120.8 million, respectively, for these services. The estimated future minimum contractual obligation at December 31, 2007 under this agreement is approximately $255.0 million, with no year expected to exceed approximately $55.0 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement."

If my friend, Laurie, decides to switch credit monitoring services... drop TrueCredit and sign up for another credit monitoring service by Experian or Equifax, she can reasonably expect that they outsource also. Like TransUnion, Equifax also operates several credit monitoring services, with varying features.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so if the company can't provide a high-quality call center operation?

I had to dig deep to find some information about the company's offshore outsourcing activities, since this data isn't readily available on the company's web site. Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise?

The three national credit bureaus assume that the lowest cost for credit information is best for consumers. Laurie's concerns suggest otherwise: that consumers want both protection and a reasonable price, not the absolute lowest price. A service with a low price and no data security isn't worth much. Consumers now realize that bad things happen: data breaches. There is always risk. And, one can reasonably expect bad things to happen with offshore outsourced credit information just like data breaches within the USA.

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers now know today that companies suffer data breaches. Some consumers know first-hand the expense, hassle, and grief involved with restoring their information and credit after a criminal has hacked their financial accounts.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. Laurie's concerns reflect this. It all goes to the level of risk people are willing to accept. Experts have identified the data security risks of offshore outsourcing. The fewer places credit and financial data are transmitted, the fewer chances for bad things to happen. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, TrueCredit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

What do you think? Take our poll today or submit a comment below.

Thursday, May 08, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

  • Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
  • Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.
Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco."

So, it appears that TransUnion, the parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have an idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts, "Is It Wise...?" and didn't title it "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the fewer chances for lost or stolen data. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, TrueCredit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.

Wednesday, May 07, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, but to a different Privacy Policy, or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't easy to read or find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions about outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, in what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings: documents filed by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings, which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.

Monday, May 05, 2008

Where's The Value: Credit Monitoring Or Credit Restoration? (Poll Results)

Last year, American Banker interviewed me and representatives from Kroll and IBM for an article about the obligation companies have to assist ID-theft victims after a corporate data breach. IBM and Kroll representatives argued that ID-theft victims benefit more with credit restoration services: the processes and work to fix or clear the fraudulent records and accounts created by identity thieves. I argued that ID-theft victims would benefit more from credit monitoring services.

To explore this subject further, I ran a poll on this blog to see what I've Been Mugged readers value more: credit monitoring services or credit restoration services. The approach by companies should focus on the greatest need consumers have (and not what some corporate executive believes is best to minimize their company's post-breach costs). Since I began this blog, I've talked with dozens of consumers, both in-person and via e-mail. Most people seem to need the basic services first: monitoring their credit information, an understanding of the basic threats/scams, and ways to protect their data.

I know my poll does not contain a rigorous scientific design. Participants weren't chosen at random, but included readers of the I've Been Mugged blog who decided to take the poll.

The poll question: What is the most important feature of a credit monitoring service?

The results:

| Question | % | Votes |
|---|---|---|
| Continuous monitoring of your data | 45% | 22 |
| Credit restoration services | 39% | 19 |
| Non-financial crime monitoring | 2% | 1 |
| Credit score and credit analysis tools | 6% | 3 |
| I don't know | 8% | 4 |
| I don't care | 0% | 0 |
| Total | 100% | 49 |

I'm impressed that 4 people were honest enough to admit that they didn't know what feature in a credit monitoring service was most important to them. I think that this statistic highlights an important need in the marketplace. It suggests that roughly 8% of consumers don't know or aren't sure what to look for in a credit monitoring service.

Knowing what to look for is important since after a data breach ID-theft victims must decide whether or not to accept their employer's (or former employer's) credit monitoring service offer. Even if the offer includes free services, it may not be of value. Knowing what to look for is important for any consumer trying to decide which credit monitoring service to register with.

If you missed this poll, don't worry. There's another poll running on our ID-theft Polls page.

During the next few weeks I will share my reviews of the various credit monitoring services. You should judge for yourself, as your personal data and identity protection needs may be very different than mine. Like the ads say, your mileage may vary. So, shop around and shop wisely.

Thursday, April 24, 2008

Monthly Update From The Suze Orman Identity Theft Kit (TrustedID)

When you sign up for a credit monitoring service, most provide a monthly report via e-mail about the status of your credit information and files. A coworker of mine signed up several months ago for the Suze Orman Identity Theft Kit. My coworker shared the latest report she received via e-mail:

Monthly Update - Suze Orman Identity Theft Kit

The report is simple and easy to understand. The message makes it clear what the consumer should do next, if there is a problem. My coworker seems to be very happy with the service she receives from Suze Orman. If you have a different credit monitoring service, you can compare the monthly message you receive from your service with the message above.

Thursday, April 10, 2008

ID-Theft Protection May Not Provide The Protection You Need

I'd like to thank my friend Michael in Oakland for alerting me to this article. Dow Jones MarketWatch reported the following about the current state of credit monitoring and credit resolution services for consumers:

"Plenty of products promise to help consumers avoid identity theft, but none of them is foolproof. If a product claims to prevent identity theft, that should raise red flags for consumers, said Linda Foley, founder of the Identity Theft Resource Center in San Diego. "You can't protect a person from identity theft. It's impossible. All we can do is minimize our risk." And, while these products can reduce your likelihood of becoming a victim, many employ methods that consumers can use on their own, for free."

Finally, somebody is telling it like it is. After IBM exposed my sensitive personal data, I took that as an opportunity to learn about data breaches and the current identity theft marketplace. Since then, I've looked at many of the credit monitoring services for consumers which are available from banks, independent companies, and the credit bureaus. I've reached the same conclusion as the ITRC: there's some protection to reduce a consumer's risks.

The MarketWatch article also discussed the new Security Freeze tool, which is available nationwide from the national credit bureaus:

"Consumers can freeze their reports by calling each of the three agencies. It generally costs $10 to place a freeze ($30 to freeze all three major reports) and $10 to lift each freeze (these costs are sometimes waived.) For more details, visit FinancialPrivacyNow.org. Or, you can pay for a product that includes a credit freeze, such as offered by TrustedID and others."

Well, that's mostly accurate. The fees vary by state. In my state, Massachusetts law limits the Security Freeze fees to $5.00 at each credit bureau; and Security Freezes are free for ID-theft victims (who can prove this with a copy of a filed police report). While a Security Freeze provides consumers with stronger protection than a Fraud Alert, there clearly are limits.

First, the Security Freeze tool from credit bureaus does not cover C.L.U.E. insurance reports. Consumers must do business separately with Choicepoint, a major provider of C.L.U.E. reports. Choicepoint offers Security Freezes in only about eight states: CO, DC, DE, ME, MT, NH, NJ, and NC. Naturally, you'd expect Choicepoint to offer a nationwide Security Freeze like the credit bureaus, but they don't. Being consumer-focused doesn't appear to be a priority for Choicepoint. Second:

"Freezes don't stop thieves tapping existing credit or bank accounts, nor do they address other identity theft, such as when a thief provides your name as his identity when pulled over for a traffic violation."

The use of stolen identities during a crime is a huge problem which the identity protection industry hasn't solved. When criminals use stolen identification during a crime, it's that ID-theft victim who suffers, not just the criminal when (and if) caught. The victim may be jailed temporarily while identification mistakes are resolved, fined, or both.

Plus, this can happen in any country, since stolen identities are sold online worldwide. For example, look at the global trail of stolen credit card numbers after the TJX/TJ Maxx data breach. Or, read about this ID-theft victim who was jailed after a criminal used his stolen identity during a crime. Consider this: the next time you travel abroad you could be detained by Customs in another country if a criminal has used your stolen identity during a crime in that country. I haven't read a news report (yet) about this, but the risk to consumers is real since stolen identities are traded online worldwide.

If you think that existing identity protection insurance and resolution services will help in these instances, think again:

"Identity-theft insurance helps cover the costs associated with the crime. Your homeowners or renters insurance, or your bank account, may include such insurance already, so check before purchasing. Consumer advocates say the value of such insurance is debatable, since financial losses are often not extensive and credit-card companies generally cover consumers' losses. Still, insurance could be useful if the policy covers debit-card losses and lost wages due to your time spent resolving the crime... As for victim resolution services, some nonprofit and state agencies will help for free, though the services companies sell may offer valuable convenience."

This situation will only improve when consumers pressure their elected officials to enact stronger laws about identity theft which hold companies accountable for data breaches, the punishment and sentencing of identity criminals, and legislation which covers new forms of identity theft such as skimming and house stealing. It will also require some coordination between countries.

If you are detained or jailed in a foreign country due to identity theft, I don't see any of the current ID-theft resolution services helping consumers. If you agree that this situation is scary and unacceptable, write to your elected officials today.

Wednesday, April 09, 2008

Discover Changes Its Credit Monitoring Service Vendor -- Is It An Improvement?

Since 2004, I have used the credit monitoring service offered by my Discover Card issuer. Recently, I received this notice with my monthly Discover bill:

"For Discover Identity Theft Protection members who receive membership materials through the Internet: This is to inform you that we are in the process of changing the service provider of the Discover Identity Theft Protection product. Effective on or after September 1, 2008, the provider of Identity Theft Protection will become ConsumerInfo.com, Inc. an Experian company. Experian is one of the three major U.S. credit reporting companies."

Well, that seems innocent enough. Discover is definitely free to switch service providers, especially if Experian gave them a better deal. Similarly, I am free to switch credit monitoring services too, to get the best deal possible. Several years ago, Discover called its credit monitoring product ProfileProtect. I checked my documentation from 2005, which listed Intersections, Inc. of Chantilly, Virginia as the credit report services administrator for Discover's program.

The printed paper notice from Discover also said:

"In an effort to ensure that your Identity Theft Protection membership continues without interruption, the following changes will occur:"

  • "Our new provider of Identity Theft Protection will obtain and monitor your credit report(s) beginning June 1, 2008 to ensure that you receive your Quarterly Updates without interruption.
  • During your membership, you elected to access your Identity Theft Protection services through the Internet. Effective on or after September 1, 2008, we will no longer be able to offer this product to you through the Internet. Please note you will receive all materials via First-Class, but you will no longer have access to the online Credit Analyzer.
  • You will begin receiving your membership materials from our new provider on or after September 1, 2008.
  • If for any reason you do not want your Identity Theft Protection membership to be serviced by our new provider, which will require that they obtain your credit report for continuous monitoring, please call Member Services at 1-866-329-5760."

This presents a problem. I signed up for Internet access for a couple reasons. One: Internet access provides greater security than updates via snail mail. Two: Internet access provides fast e-mail alerts about my credit reports. E-mail alerts are important because the sooner a consumer discovers abuse on a financial account, the sooner you can take action and the less money you are likely to lose.

Three: it seems that Discover and Experian are unable to agree to provide me with uninterrupted service via the Internet. This vendor change smells more like a hand-off than a true swapping of vendors. I expect uninterrupted service given the money I am paying monthly. Four: Experian already makes money by selling my credit reports, so I am reluctant to give them more money. The combination of credit reports and a credit monitoring service in a single company is something I don't find attractive, while Experian tries to restrict independent credit monitoring service companies.

Five: Experian operates several consumer credit monitoring services besides ConsumerInfo.com. Experian operates FamilySecure.com, which offers several features not found in ConsumerInfo.com. This makes me wonder why this vendor swap included ConsumerInfo.com and not FamilySecure.com. Was it Discover's choice? Was it Experian's demand? Or was it based on cost?

A comparison on price: FamilySecure is $19.95 per month, ConsumerInfo is $11.95 per month, and I have been paying $9.99 a month for Discover's existing credit monitoring service. Discover's notice didn't say anything about price, so I assume the monthly price remains the same. But that isn't a good value for me, because I'd be paying the same monthly amount for fewer services. In plain English, that's a price increase. And I lose access to online updates, online features, and the Credit Analyzer.

I wonder what brainiac at Discover Financial Services negotiated this agreement with Experian.

Regardless, I had planned this Spring to evaluate my credit monitoring services, since my year of free credit monitoring services with Kroll (thanks to IBM) ends in June. My ultimate choice for a credit monitoring service is not based on price alone, but on value: the balance of features, benefits, and price. Discover's vendor change just added another item to my existing list of reasons to evaluate the available credit monitoring services.

Monday, April 07, 2008

Consumer Reports On LifeLock

Many consumers consider Consumer Reports a trustworthy source of independent product and service information, in order to make smart purchases. As a child, I remember watching my parents read Consumer Reports' product testing results before buying a car and expensive household appliances. I currently subscribe to Consumer Reports' On Health publication.

Last month, Consumer Reports reviewed LifeLock, a credit monitoring service:

"LifeLock spent $5 million on TV and radio ads nationally in the first half of this year and claims to have 300,000 subscribers. It has been endorsed by actor Fred Thompson (before he officially became a presidential candidate) and radio personalities Rush Limbaugh, Sean Hannity, and Paul Harvey. But as Harvey might say, now here’s the rest of the story."

What LifeLock does to protect your sensitive personal data and credit reports:

"For $10 a month or $110 a year, LifeLock instructs the top three credit-reporting agencies Equifax, Experian, and TransUnion to place fraud alerts on your credit reports and renews them every 90 days. The service also tells the three bureaus that you opt out of receiving preapproved credit offers and asks the Direct Marketing Association (DMA) to remove your name from mailing lists. Of course, you can do those things yourself free. And fraud alerts are no guarantee against ID theft. Some lenders don’t see them and allow crooks to open accounts in other people’s names anyway."

If you are like me, then you've already done most of this on your own -- for free. I placed Fraud Alerts on my credit reports, and later renewed them. I have already opted out of pre-approved credit offers and telemarketing lists -- again, for free. Is there anything LifeLock provides that we consumers can't do ourselves? Perhaps it's their credit restoration services:

"... the company guarantees against all losses and expenses a client incurs up to $1 million. LifeLock’s guarantee will restore stolen funds to your bank accounts, get fraudulent credit accounts closed, pay lost wages, hire credit-repair firms, and do "whatever it takes to get your life back..."

While that sounds really appealing, Consumer Reports also wrote this:

"But the customer agreement doesn't actually bind LifeLock to much of what Davis promised us. It specifically says that the company will not reimburse "consequential damages, such as lost wages." [LifeLock CEO] Davis says customers should ignore the fine print: "The lost-wage clause is there because insurance commissioners wanted to be sure we’re not an insurance company. We’re not." The contract, meanwhile, is vague about reimbursing stolen money: "We will pay professionals to assist in restoring any such loss." The guarantee hinges on "the failure or defect in our service," which the contract defines as initiating requests with credit bureaus and the DMA. But Davis says the contract really means something else: "If the fraud alerts did not do what they were intended to do, then the service failed. I don’t just mean that my system didn’t send them correctly," he says.

If you are considering LifeLock to protect your identity, I strongly encourage you to read the entire Consumer Reports review of LifeLock first. Then decide if LifeLock is for you.

Tuesday, March 04, 2008

LifeLock Recommends Stronger Fraud Laws

An earlier post discussed the lawsuit Experian filed against LifeLock. It seems that LifeLock is fighting back. According to the Arizona Republic:

"LifeLock Inc.'s chief executive officer is taking the offensive by proposing sweeping changes to how the three major credit bureaus operate as the company prepares for a potentially bitter legal battle with Experian. Todd Davis, co-founder and CEO of Tempe-based LifeLock, kicked off a multi-state tour this weekend in which he is urging businesses and consumers to demand that their legislators do more to fight identity theft and fraud."

Davis wants Fraud Alerts extended from 90 days to at least one year. According to the news report:

"The fraud alerts are at the heart of a lawsuit that Experian filed against LifeLock almost two weeks ago in U.S. District Court for the Central District of California. LifeLock charges customers $10 per month for its service, which includes signing them up for the temporary alerts with the three credit bureaus every three months."

It's important to note that the credit bureaus are mandated by law to provide the fraud alerts for free to consumers. The credit bureaus also offer for-fee credit monitoring services like LifeLock's service. (See the listing in the right column.) So, Experian's claim that LifeLock charges for what Experian is forced to do for free seems weak, since it seems to ignore Experian's own credit monitoring services.

The other change proposed by LifeLock:

"Davis said he hopes consumers will pressure their legislators to introduce measures that impose tougher prison standards for people convicted of ID theft and related crimes and limit the use of personal information, among other changes."

The article doesn't explain what Davis means by, "tougher prison standards for people convicted of ID theft..." and by, "...limit the use of personal information." If LifeLock is truly promoting changes for the consumers' benefits, I hope that their proposal includes:

A LifeLock press release mentions the company's tour through several Southeastern states, but doesn't mention any of the above details. Rather, Experian and Lifelock seem to be fighting over who gets the money from consumers in the growing credit monitoring services marketplace. But there's more:

"Davis argues that Experian doesn't want to spend the time or money to help all the consumers seeking protection. "What Experian is counting on is if a consumer has to renew this every 90 days, they won't stick with it," Davis said by telephone from Florida on Monday afternoon."

The news report quoted Equifax spokesman David Rubinger as saying:

"We believe (a 90-day fraud alert) provides ample time for a consumer to determine if they've been a victim of identity theft, and of course it can be renewed in a matter of minutes if they still need more time," Rubinger said.

Hmmmm. I definitely disagree with Rubinger's statement.

I started writing this blog after IBM exposed my personal data in February 2007. As I researched the identity theft issues, I found that current business practices heavily favor companies making money by trading consumers' personal data, while consumers bore an unfair portion of the risks after a data breach.

So far, nothing negative has appeared on my credit reports from IBM's data breach. For all I know, the identity thieves could still be trying to break the encryption on IBM's data tapes. Rubinger seems to suggest that after 90 days identity thieves would give up trying to crack the encryption on IBM's data tapes. That assumption sounds totally ridiculous to me. From everything I've read, identity thieves are persistent, so it seems wise to assume a continual threat and act accordingly. Plus, the value of consumers' personal data has a long life.

IBM still hasn't caught the perpetrators and still employs the same delivery service which lost their data tapes over a year ago. Like many other consumers, I placed consecutive Fraud Alerts on my credit reports when I first learned of the IBM data breach. Experian and LifeLock can fight all they want about Fraud Alerts. To me, the stronger tool for consumers is the Security Freeze tool.

But, a Security Freeze won't protect consumers against all types of identity fraud. As a nation, we seem to be in our infancy regarding effective identity theft legislation that balances the needs of both consumers and companies.

Friday, February 15, 2008

Suze Orman Identity Theft Kit Debuts

Recently, I was talking with a coworker who had purchased the Suze Orman Identity Theft Kit. In January 2008, the TrustedID blog announced:

"Financial expert Suze Orman and TrustedID have launched Suze Orman’s Identity Theft kit, the first identity theft protection solution that protects the financial and personal information of all members of a household. Shortly after launching on QVC, the kit will be available online at www.suzeorman.com and TrustedID.com as well as through leading retailers nationwide."

I checked www.suzeorman.com and consumers can purchase the kit online. At the site, click on "Identity Theft Kit" in the left column navigation area. According to the site, the kit contains the following:

  • Two People Protection
  • Medical Record Protection
  • Anti-Spyware Software
  • Lost Wallet Protection
  • Address Scanning
  • Enhanced Junk Mail Reduction
  • Credit Card No. Scanning
  • Annual Credit Reports
  • Bank Account No. Scanning
  • $1 Million Service Warranty
  • Child Identity Theft Protection
  • Fraud Flag Placement
  • Elderly Parent Identity Theft Protection

At first glance, the service seems to have a lot of value. It definitely seems worth consideration for consumers who have no identity protection in place today. However, I found the web site content very thin. The site did not explain many of the kit's features. So, it's hard to tell exactly what is offered for "Medical Record Protection," "Address Scanning," "Bank Account Number Scanning," and the "$1 Million Service Warranty." Unfortunately, the QVC page didn't supply any more detail either. Maybe the actual television pitches explain these features, but I rarely watch QVC.

There are about 46 user-submitted product reviews at the QVC page. You may find some of these helpful. Most of the reviews are positive, but the negative ones seem to be where consumers encountered technical problems installing the kit software and returned the product. Some of the reviewers noted that the kit does not cover department store charge cards.

For me, the kit provides services I already have from other credit monitoring services. Regarding Fraud Alerts, I added those to my credit reports on my own. I already have anti-spyware software for my home computer from McAfee. To reduce spam and junk mail, I have already signed up at several free opt-out resources for consumers.

Later this Spring, I plan to post a detailed comparison of several of the leading identity protection solutions for consumers. The comparison will definitely include Orman's Identity Theft Kit. I've Been Mugged readers would love to hear the opinions or experiences anyone has had with the Suze Orman Identity Theft kit.

Thursday, February 14, 2008

Credit Monitoring Service Arranged By Horizon BCBS of New Jersey Covers Minors

An I've Been Mugged reader sent me this notice from Horizon Blue Cross Blue Shield of New Jersey. While there seems to be a corporate data breach every month involving laptop computers, this notice caught my attention because it is the first credit monitoring service I've seen after a corporate data breach which covers minors.

Recently, there have been several high-profile data breaches where the sensitive data of minors was stolen or exposed, along with the sensitive data of the adult employees, former employees, and/or customers. In January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

"Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information -- including Social Security numbers -- for about 300,000 individuals was stolen in early January... On its Web site, the company says a "security feature was initiated" on Jan. 28 that "destroys all the data on the stolen computer." Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data."

Why do employees insist on placing such large amounts of sensitive data on laptops? This is not a good data security habit. I can't imagine what application requires 300,000 customer records on a single laptop. 30 records sounds reasonable. 300 records sounds like a stretch. 300,000 records is just ridiculous. It gives the impression that Horizon does not train (and has not trained) its employees on effective data security practices.

The good news here is that Horizon notified its members promptly, within 30 days. (Contrast that with IBM, which took over 2 months to notify me and others.) And parents can monitor their children's credit reports. Sadly, identity thieves abuse minors' sensitive personal data in the same ways as adults'.

However, like most other companies, Horizon offered its ID-theft victims, including minors, only one year of free credit monitoring service. Horizon arranged its credit monitoring service offer with the Family Secure service, operated by the Experian credit bureau.

Horizon is free to arrange credit monitoring service with whichever provider it chooses. While some may consider one year of free credit monitoring service an example of good corporate responsibility, I do not.

The risk period where identity thieves can abuse this personal information is far longer than one year. Regardless of what Horizon says in its data breach letter, the ID-theft victims have to plan for the worst and monitor their credit reports indefinitely... far longer than one year.

Horizon's ID-theft victims should also place a Security Freeze on their credit reports. (Not a Fraud Alert, but a Security Freeze. There is a huge difference.) With only one year of free credit monitoring, Horizon has shifted the risk and financial burdens from itself to its members.

That's an example of not being a responsible corporate citizen.

Wednesday, January 23, 2008

Treat Consumers' Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This includes breaches of birthdate and SS#, not credit card accounts. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. IBM lost my personal data in February 2007, and my personal data and that of all the other identity-theft victims is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Cory Doctorow writes not just about the descriptive data (name, birthdate, SSN), but all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to keep this personal data private. When should it be destroyed? Given the increasing capacity for digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.

Monday, January 14, 2008

Twice Bitten: Acts of Stupidity Can Lead to Identity Theft

Chris Soghoian has an excellent post in his C/Net Surveillance State blog:

"A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened."

Soghoian wrote:

"Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address."

Clarkson quickly changed his opinion of identity theft after an identity thief used Clarkson's data to create an automatic bank transfer to the Diabetes UK charity.

Recently, a friend in Oakland called to ask me about Lifelock. Soghoian has clearly "connected the dots," since he also wrote about Lifelock in the same post:

"Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters. Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number."

If you are considering Lifelock for a credit monitoring service, I also encourage you to read this Phoenix New Times article before making a decision.

Tuesday, January 08, 2008

Credit Monitoring vs. Credit Restoration: What's The Difference?

Recently, a friend asked me what the difference is between "credit monitoring" and "credit restoration." While writing this blog, I kept some notes which morphed into the comparison chart below:

| | Credit Monitoring | Credit Restoration |
|---|---|---|
| Definition | The process of reviewing a consumer's credit reports and credit scores at the three national credit bureaus. May also include alerts when a credit bureau provides the consumer's credit report to potential lenders. | A process of notifying law enforcement, credit bureaus, banks, lenders, state and local government agencies, federal agencies, and other companies about the theft of a consumer's identity and/or money; and the process of correcting the information in the victim's credit reports. |
| Advantages | 1. Includes alerts via cellphone and/or via e-mail<br>2. Timely alerts minimize the amount of money stolen or damage done by identity thieves<br>3. Almost always provided for free for 1 or 2 years by companies that have had a data breach<br>4. Service usually includes the full text of your credit report from all 3 national credit bureaus<br>5. Service may include tips on how to improve your credit score and manage your credit | 1. Professionals do the work a consumer may not have the time or knowledge to complete<br>2. The better services include both credit/financial and non-credit/criminal work<br>3. The better services do most or all of the restoration work as the victim's agent<br>4. May include an insurance policy to cover expenses and legal fees incurred<br>5. Sometimes provided for free for 1 year by companies that have had a data breach |
| Disadvantages | 1. Monthly fees vary widely<br>2. Can be difficult to compare services<br>3. Many credit monitoring services don't include credit restoration services | 1. Monthly fees vary widely<br>2. Can be difficult to compare services<br>3. Usually, insurance doesn't cover actual money lost or stolen<br>4. Often not included in many credit monitoring services |
| Availability | Provided by many banks, credit bureaus, and independent companies | Provided by some banks, but mostly by independent companies |


Which is best? It really depends upon your personal situation. If you are unfamiliar with identity theft, then a comprehensive credit monitoring service probably is best. Several resources are listed in the right column under "Credit Monitoring Services." If you are a DIYer (Do It Yourself) who gets your free credit reports at www.annualcreditreport.com, then a credit restoration service may be best.

As things change, I will update the above chart.

Want to learn more? Read prior posts about credit-monitoring services. You probably will want to read about the Security Freeze and C.L.U.E. insurance report topics. I urge everyone to consider opt-out resources to reduce your identity theft risk.

Monday, December 24, 2007

In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.

Monday, November 26, 2007

Wildfire Victims Targeted By Identity Thieves

As if the wildfire victims didn't have enough bad news. The Redlands Daily Facts reported:

"Redlands fraud investigators are warning of an increased risk of identity theft targeting victims of the recent wildfires. Following the Old Fire in 2003, Redlands police saw an increase in identity theft among those who had homes damaged or destroyed in the fires and those who were evacuated from their homes... looters often sift through damaged property or homes under evacuation orders, making off with bank and credit card statements, tax documents, and other financial information. The information is then used or sold to others to access victims' accounts or rack up thousands of dollars in debt charged to the victim."

According to the Earth Times on November 13, 2007:

"TrustedID, a leading provider of proactive identity theft protection solutions, today announced it will offer free identity theft protection services to families affected by the California wildfires to prevent identity theft while they recover and rebuild. During the month of November, residents can call TrustedID's special hotline to receive three months of free coverage under TrustedID's IDFreeze service, which offers the strongest proactive identity theft protection available today for families."

According to a news release at PR-USA:

"... AxcessPoints is offering a free year of service for its secure, online repository through Nov. 30, 2007. AxcessPoints is $9.95 per month. AxcessPoints, a highly secure online planning resource for organizing and retrieving critical personal, medical and financial information, said disaster victims often suffer a second tragedy following a catastrophe by failing to have key financial records and other critical data readily available to work with insurance companies, banks, utilities and other service providers."

Note: the I've Been Mugged blog does not endorse the above services. I do not have a business relationship with either company. Like any other services, consumers should research the company, its services, and shop around to compare services before making a purchase decision.

Wednesday, October 10, 2007

The Good, The Bad, and The Ugly: Credit Monitoring Offers

Last week, I received via surface mail a letter from Bank of America offering their credit monitoring service. The offer was slickly disguised as a quiz:

"Bank of America wants you and your money to be safe. That's why we're inviting our valued customers to take the enclosed quiz."

Are they serious? No way a quiz is going to protect my personal data. A quiz can inform me, but not protect me. Of course I read the rest of the letter just to see exactly what this bank was pitching:

"Receive your Personal 3-in-1 Credit Report, 3 credit scores when you try the Bank of America Privacy Assist Premier service for 30 days at no cost."

It seems that the Privacy Assist service provides quarterly updates and the full text of 3 credit reports (e.g., TransUnion, Experian, and Equifax), your credit score, and prompt notification (presumably via e-mail) for about $12.99 a month. The fine print on the activation form mentioned the actual provider of the credit monitoring service is Intersections. The letter didn't provide a web site address for Intersections, so I looked them up online. Here's how Intersections describes itself:

"Intersections Inc. (NASDAQ: INTX) is a leading provider of branded and fully customized identity management solutions. By integrating its technology solutions with its comprehensive services, Intersections safeguards more than 5 million customers, who are primarily received through marketing partnerships and consumer-direct marketing of the company's IDENTITY GUARD brand."

According to a recent MarketWatch article about small cap stocks:

"One company Evans says has strong potential is Intersections Inc. which provides identity theft prevention, mitigation and resolution services to consumers with credit cards. The major card issuers, with the exception of American Express, use Intersections."

Also, the BofA letter presented a vague statement about identity theft insurance:

Up to $25,000 identity theft insurance at no additional charge to you (with no deductible).

I am really skeptical when I read statements or offers about "identity theft insurance." The statement really needs supporting detail, which the BofA letter doesn't provide. Some of the questions that come to my mind when evaluating an identity theft insurance offer:

  • What are the deductible options?
  • What is covered -- actual $$$ losses, expenses to restore credit, or both?
  • What proof is required to receive payment on a claim?
  • How fast are claims paid?
  • Does the insurance cover losses within the USA or worldwide?
  • Does the insurance cover identity fraud, where criminals use your personal data during a crime?
  • Does the insurance cover identity fraud in the USA or worldwide?
  • Does the insurance coverage extend to my estate?

Is Privacy Assist a worthy credit monitoring service?

Not for me. The pitch was lame. The letter seems focused on consumers who know little or nothing about identity theft, don't have a credit monitoring service, don't know their rights about access to free credit reports, and haven't been the victim of a data breach by an employer or prior employer. Plus, there are far better quizzes available online. (See my prior post about what makes a good identity-theft quiz.) This BofA offer contains pretty basic quiz questions:

  • When was the last time you checked your credit report?
  • Do you carry your social security card with you?
  • Do you review financial statements and phone bills for authorized use?
  • Have you ever been denied credit for reasons unknown to you?
  • Have you ever received a credit card you didn't apply for?
  • Do you shred mail you've received for pre-approved credit?
  • Have you ever been the victim of identity theft or credit card fraud?

What credit monitoring service offers have you received in the mail? What did you think of them? I've Been Mugged readers want to know.

Sunday, July 15, 2007

IBM's Offer

A prior blog entry discussed how IBM had lost data tapes containing the personal data for thousands of current and former employees. What was IBM's offer for the affected employees? One year of free credit monitoring. While a Fraud Alert is free, consumers can pay anywhere from "$50 to $200 per year" for a credit monitoring service.

I really do appreciate IBM's offer of free credit monitoring service for one year. Credit monitoring is wise because the 2003 FTC Identity theft survey found that consumers who monitor their credit tend to lose less money to identity theft and spend less time and money fixing the problem. About.com has a page that clearly explains the benefits of a credit monitoring service. However, a credit monitoring service has its limitations.

First, credit monitoring is like any other service. Some consumers like it, some say the value isn't there, and others prefer stronger protection. A recent BBB and Javelin study found that credit monitoring services uncovered about 11% of fraud. A credit monitoring service won't protect you against all types of identity theft, just the scams where the thief applies for credit, a loan, or a product purchase where the company checks with one of the three national credit bureaus for your credit data. For example, a credit monitoring service won't protect you when an identity thief gives law enforcement your stolen identity during a traffic stop or a crime.

Second, while credit monitoring is strongly recommended, paying for a credit monitoring service isn't for everyone. The Identity Theft Resource Center advises the following after a data breach:

Place a fraud alert with each bureau (asking companies to contact you prior to issuing credit) and request your free copy of the credit report. It is free because your information was breached. If asked, you are a potential victim of id theft... Check your report carefully for any irregularity...Use the annual credit reports system to monitor your credit report over the next year. Stagger them out by ordering one every four months.

According to the Security Breach Guide at the Privacy Rights Clearinghouse site:

"Every consumer, whether or not a victim of identity theft, can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report. In addition, laws in several states give individuals other opportunities to obtain free credit reports."

So, you can order your free annual credit report from all three national credit bureaus at once, or stagger when you receive them over several months.

Third, if you already have credit monitoring, then another offer of free credit monitoring is really minimal or no help at all. When IBM notified me, I had already established a credit monitoring service through my Discover Card 4 or 5 years earlier. At worst, IBM's offer is no help because it duplicates an existing credit monitoring service. At best, IBM's offer is an opportunity for me to compare over time two credit monitoring services and cancel the poorer service at the end of the year. What I did learn is this: make sure that whatever credit monitoring service you use, a)provides real-time alerts about inquiries into your credit file; and b) monitors all three national credit bureau services. My service monitored one, but it provided a free upgrade to all three credit bureaus. Obviously, I happily upgraded.

Fourth, IBM's offer of free credit monitoring for one year could be seen as a slick effort to shift focus and responsibility from IBM to the consumer and his/her credit monitoring service. IBM still has a duty to protect the personal data for all current and former employees, to inform us of IBM's processes to protect our data (e.g., through various required correspondence, IBM now has my current personal data), and to inform us of the results of its investigation about the data tape loss/theft. The credit monitoring service is not and should never be an excuse for any company to avoid responsibility for protecting the personal data it stores.

Fifth, IBM's offer of free credit monitoring for one year doesn't address the fact that the risk period of identity theft extends far beyond one year. IBM created this risk when their subcontractor lost (or stole) my personal data. Smart identity thieves can just sit on the data for 2 years or longer, and then use (or sell) the stolen data. Or it may take more than a year for the thief to sell the data and for a buyer to use the stolen personal data.

In my opinion, the length of the free credit monitoring service should match the risk period. IBM lost my personal data. There has to be a consequence when a company doesn't adequately protect personal data. If the free credit monitoring period doesn't match the risk period, then IBM has unfairly shifted the burden from themselves to the ID theft victim. In the instances where a victim already has a credit monitoring service, the company should reimburse the consumer for that risk period.

Moreover, IBM's offer is like giving me the sleeves from a vest. It does not solve the problem that led to the data tape loss/theft. It does not address IBM's internal process and policies, or lack of enforcement, which led up to an IBM contractor losing (or stealing) the employee data. It does not address IBM's responsibility to inform victims and to protect the personal data consumers have entrusted it with.

Next entry: protecting yourself