The 2009 Data Breach Hall Of Shame

This month, Network World magazine released its list of the 2009 Data Breach Hall of Shame. This list includes companies and government agencies that really effed up... they didn't protect consumers' sensitive personal information as they should have. All of these breaches were preventable. Here's who made the list:

1. Transportation Security Administration (TSA) after it accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures,
2. Heartland Payment Systems after it allowed hackers to steal about 130 million credit and debit cards over several months while the company was being certified as PCI compliant for security,
3. Health Net after it lost a hard drive with unencrypted personal, financial, and medical information of 1.5 million consumers and after it waited for six months before notifying government authorities and its breach victims,
4. U.S. Government Printing Office after it posted on a publicly accessible web site a document with details on U.S. civilian nuclear sites marked as "Highly Confidential Safeguards Sensitive,"
5. RockYou Inc after a hacker stole over 32 million consumers' passwords and sign-in credentials that were stored in plain text without any encryption or protection

I agree with Network World. The companies and agencies on this list deserved to be on this list. Their executives were sound asleep when they should have been awake and actively protecting the sensitive information they were entrusted with. In honor of these executives, I'd like to present them with the Data Breach Analysis Flow below, which was first published in this blog in September 2007:

Health Net May Have Violated Consumer Notification Laws After Its Data Breach

From the Boston Examiner:

"On Friday Attorney General Terry Goddard called on Health Net, a Connecticut-based insurance company, to immediately notify its Arizona policyholders whose personal, medical and financial information was either lost or stolen in a data breach that occurred six months ago. He said further that his Office will open an investigation to determine whether a state law requiring prompt notification was violated. Health Net notified the Arizona Department of Insurance on Wednesday that a hard drive containing personal data on some 316,000 present and former Arizona policyholders has been missing since May from the company's headquarters in Shelton, Conn. The company has yet to contact the affected policyholders about the breach, however, saying it plans to send letters to them soon."

Soon? The company already waited six months after the breach to notify State of Connecticut officials. To learn more, read this prior blog post.

How To Check Your Insurance Company's Complaint Record

Everyone has horror stories about insurance companies, whether its auto insurance, health insurance, homeowners, or property insurance. There's a good article at Kiplinger.com that has documented the leading ways insurance companies "mug" or abuse their customers:

"... the top complaint had to do with claims payments -- claims-handling delays (19.1%), followed by denial of claims (17.9%) and unsatisfactory settlement offers (15.0%). You should be concerned if a company you're considering has a lot of complaints in these areas. The next category of complaints revolves around underwriting -- the insurer's process of accepting or rejecting applicants and setting rates. Premium and rating accounted for 4.8% of the complaints, and policy cancellation for 4.2%. The type of insurance policyholders had the most complaints about was accident and health insurance (37.7%), followed closely by auto insurance (33.7%). There were fewer complaints about homeowners insurance (12.71%) and life insurance and annuities (10.4%)."

Maybe you are looking for a new insurance company, or just curious about your current provider. To check an insurance company's complaint record, visit the Consumer Information Source Web site produced by the National Association of Insurance Commissioners (NAIC). Then:

"Type in the name of the company, the state where you live and the type of insurance. (Under "statement type" and "business type," click on "property/casualty" for home and auto insurance or "life, accident and health.") The site then provides the insurer's national complaint statistics. Focus on the complaint ratio, which shows the ratio of the company's U.S. market share of complaints to the company's U.S. market share of premiums for a specific policy type... If the national median complaint ratio is 1.00 and the ratio for the company you're considering is 2.00, for example, that should be a red flag. Also look at the complaint trend report to see whether the company's complaints have been increasing or decreasing over time. If the insurer's complaint ratio is high, check its record at your state insurance department and find out whether any enforcement actions have been taken against the insurer."

To find your state government's insurance department, browse this NAIC Web page with a map of insurance commissioners by state. Both links are great resources, whether you are happy with your current insurance company or looking for a new one.

ChoicePoint Settles With The FTC About Its Data Breaches and Security Lapses

I'd written previously about my less than consumer friendly experiences with ChoiceTrust, a service from ChoicePoint, Inc.. Recently, the U.S. Federal Trace Commission (FTC) announced a settlement by ChoicePoint, Inc. after the company's past data breaches and data security lapses:

"In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention. The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also alleged that ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information."

Gee, that's extremely poor management. First, the company fails to implement every security feature it had already established. Second, its actions violated a previous court order about data security. How arrogant can a company act?

ChoicePoint's settlement included actions to:

"... strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information... This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000."

Was this fine sufficiently large enough? In my opinion, no.

Will ChoicePoint do the right thing and maintain adequate protections for the consumer data it stores and sells? Will it comply with applicable Red Flag rules by the FTC in 2010? Time will tell. I'm not holding my breath.

I'd love to be able to pull my C.L.U.E. insurance reports and records from Choicetrust, but we consumers don't have that option. Due to ChoicePoint's cozy relationship with the government, the company enjoys a near-oligopoly status regarding C.L.U.E. insurance reports. This is a good example of a "free market" sham. Same for the credit-reporting agencies.

At some point, this crap has to end.

How To Confirm That Your Bank Is FDIC Insured

Great advice for consumers from The Consumerist blog. First, some background:

"... FDIC insurance covers banks and NCUA insurance covers credit unions. Not all credit unions are insured by the NCUA, the ones that aren't often have insurance from American Share Insurance (ASI)..."

Here's the important information:

"The best and only way you can confirm that a bank is FDIC insured is by using the FDIC's Bank Find tool. The search will tell you whether or not the bank is in the database but it's not very robust because it does a broad match search. If you search for ING, as in ING Direct, you'll get every bank with 'ing' in its name which is is pretty much every single bank with the word "Savings" in it. An alternative is if you go to the site and find the FDIC certificate number. On the FDIC Bank Find page, click on "More Search Options" and you can enter the certificate number."

For consumers who use credit unions:

"The NCUA has a similar Find a Credit Union search that lets you find the credit union you're interested in. Again, the search is broad match so it might be easier to get the Charter Number of the credit union and entering it directly... Finally there's ASI and you can search for credit unions insured by ASI at their credit union search. FDIC and NCUA are effectively backed by the full faith and credit of the United States, ASI is not."

FTC Continues Toward Credit-Based Auto And Homeowner Insurance Rates

Just before the Christmas holiday, the FTC released this news release:

"The Federal Trade Commission has ordered nine insurance companies to produce information for a study on the use and effect of credit-based insurance scores on consumers of homeowners insurance... The orders require information from the nine largest private providers of homeowners insurance, which have roughly 60 percent of the homeowners insurance market in the U.S..."

The nine insurance companies required to turn over data to the FTC:

1. State Farm Mutual Automobile Insurance Company,
2. The Allstate Corporation,
3. Fire Insurance Exchange,
4. Nationwide Mutual Insurance Company,
5. The Travelers Companies, Inc.,
6. United Services Automobile Association,
7. Liberty Mutual Holding Company, Inc.,
8. The Chubb Corporation, and
9. American Family Mutual Insurance Company.

The companies have until April 24, 2009 to respond to the FTC's data request, which will be used for the FTC's final rules and guidelines.

In June 2008, I wrote about the the FTC's intent to study of the use and effect of credit-based insurance scores on the availability and affordability of automobile and homeowners insurance, and the open comment period for consumers to voice their concerns and objections. I wrote about this because it has everything to do with how companies make money from your sensitive personal data; and how that sensitive personal data is used, archived, and shared between government and industry. According to the latest FTC press release:

"In May 2008, the Commission authorized the use of compulsory process in the homeowners insurance study (http://www.ftc.gov/opa/2008/05/comprofyi.shtm) and posted for public comment a draft model order to obtain data for the study. Based upon comments received, the FTC developed final orders that maximize its research capability while minimizing any unnecessary burden on insurers participating in the study."

Should you be concerned? If this project continues, your auto and homeowners insurance will be based mostly on your credit worthiness rather than on your driving and accident record. Does this make sense? It's another example of the "tilt in the playing field" towards the needs of companies and away from the needs of consumers.

Credit-based insurance rates also mean that consumers must spend more time and money inspecting their credit reports at the three major credit bureaus, because inaccurate credit report information could lead to higher insurance rates. Seems to me like your auto insurance should be based on our driving record; and your homeowner's insurance based on your claim history.

Would You Trade Privacy For Auto Insurance Discounts?

Last week, I mailed to my insurance agent a form for the low-mileage discount. My wife and i drive less than 5,000 miles monthly yearly since I use mass-transit to commute to work. The form required me to disclose the car's odometer and to provide an explanation why we expect to drive less than previously.

I was comfortable with the form my insurance agent required. Then, I saw the MSNBC video below. The new proposed methods by insurance companies would required consumers to disclose far more than your mileage. a GPS device can track (and send to the recipient) your mileage plus everywhere you drive to. A smart recipient could compute your highway speed and issue speeding tickets accordingly. that's a lot of data to provide just for an insurance discount this year, which the insurance company could eliminate next year.

Plus, a data breach at an insurance company would expose far more data to identity thieves and criminals. Data breaches happen at insurance companies:*

• April 2006: Progressive Casualty Insurance
• April 2006: Aetna: 38,000 records exposed
• June 2006: AIG: 930,000 records exposed
• June 2006: Allstate: 2,700 records exposed
• July 2006; Sentry Insurance, 112,270 records exposed
• December 2006: Aetna, Nationwide, and Wellpoint via a vendor: 172,000 records exposed
• October 2007; West Virginia Public Employees Insurance Agency: 200,000 records
• March 2008: Sterling Insurance & Associates: undisclosed
• May 2008: BB&T Insurance: undisclosed
• June 2008: Texas Insurance Claims Service: unknown
• September 2008: State Farm: 137 records exposed

Would you trade privacy for an auto insurance discount? Watch the following:

*Source: Privacy Rights Clearinghouse, Chronology of Data Breaches

Suze Orman And the FDIC Partner To Help Consumers With Determining Bank Account Insurance Status

With the recent bankruptcies of financial firms, some banks, and the general uncertainty with the mortgage and credit crises, consumers are understandably nervous about the status of the bank accounts. This blog has previously discussed tips to help consumers.

Earlier this month, financial expert Suze Orman and the FDIC launched a web site to help consumers determine if their bank accounts are protected by FDIC insurance: www.myfdicinsurance.gov

According to the FDIC web site:

"EDIE the Estimator can calculate your FDIC insurance coverage for each FDIC-insured bank where you have deposit accounts. EDIE lets you know in a printable report for each bank whether your deposits are within or exceed coverage limits."

When using the EIE tool, it was satisfying to read the following privacy information:

"... EDIE the Estimator does not require any confidential or personally identifiable information, nor does it store information after you complete a specific user session. Moreover, users can enter an owner's name by using their real name (Joe Smith), their relationship in the family group (Husband), or numerically (Owner1). The names of beneficiaries (if applicable) can be similarly entered. In addition, as an extra measure of safety, the system is programmed so no account group information for the session is transferred over the Internet."

So, for maximum protection and privacy, enter "Bank #1" for your financial institution and your generic family position (e.g., husband, spouse, child #1, etc.).

Farmers Identity Shield (Product Review)

While watching late-night television recently, I saw an advertisement for Farmers Identity Theft Shield. Readers of this blog know that I'm looking for a replacement credit monitoring service after Discover changed its credit monitoring vendor. The Product and Service Reviews page in this blog lists all of the credit monitoring services I've reviewed so far. Today's post includes a review of Identity Shield from Farmers Insurance.

Farmer's service is coverage a consumer would add to an existing Farmers homeowners insurance policy. It isn't sold separately. The Farmers site does an average job of explaining their offering. The site does not provide a price, so it is difficult for consumers to determine if the Farmers offering is a good value for their money. Some key features of Farmers offering:

• Coverage of $28,500 expenses
• $1,500 indemnity
• Monitoring of credit files and publicly accessible records for fraudulent activity, for two people
• Annual identity report with details of the customer’s credit file and public records
• Professional on call to answer questions regarding identity safety concerns
• Assistance in replacing lost, stolen or damaged identification documents (birth certificate, passport, etc.)
• E-mail tips and news to help prevent identity theft
• Access to Farmers’ informative Web site www.FarmersIdentityShield.com

Actual ID-theft victims would also receive:

• Identity resolution services for the entire household
• 24/7 access to an advocate at Identity 911 to guide the victim through the identity recovery process
• Preparation of correspondence necessary to notify all relevant parties of the fraud (credit bureaus, financial institutions, etc.)
• Creation and maintenance of a case file of all phone calls, documents and results
• Assistance in placing fraud alerts and security freezes with credit bureaus

The focus of the site is to get a consumer to talk with a Farmer insurance agent. While that is a reasonable goal, the site is very weak on providing details. It could and should do both.

The site doesn't explain what the "$1,500 indemnity" means. The insurance coverage is a little more than available from other providers, but the site doesn't provide a link to the full text of the agreement so consumers can read the coverage details. As I discovered in prior product reviews, the important details about insurance coverage and expense reimbursement is covered in the detailed agreement, which the Farmers site doesn't provide.

The Farmers site does not list specifically which credit bureaus it monitors. The copy implies all three national credit bureaus, but I look for precise copy statements, not implications. the site does not explain the training and qualifications its phone-based professionals have, so the user cannot evaluate how beneficial this phone support might be. The site does not even link out to the sub-contractor, Identity 911. This is critical since Identity 911 would provide assistance to ID-theft victims.

I reviewed briefly the www.FarmersIdentityShield.com site and quickly noticed that much or most of its content is a copy of the Identity Theft Knowledge Center site run by Identity 911. I guess that Identity 911 allows its clients to reuse its news, tips, and informational content. While this may greatly help Farmers, it left me wondering how much Farmers Insurance really understands about identity theft. Farmers seemed to have hired a subcontractor to do all of the heavy lifting.

The site says that consumers get an "Annual Identity Report," but the site doesn't show an example report. So, consumers are unable to learn exactly what's in this report and how beneficial it might be (or not). Is it the full text of the consumer's credit reports at all three national credit bureaus? Or is it a Farmers-created summary? And, an annual report may not meet many consumers' identity protection needs. When an alert informs the user that there's a change to one of their credit reports, the consumer wants to see that report immediately... not wait for the annual identity report which could be months away.

Would I buy this product? No way. The site is skimpy on details. Many of the service features and descriptions are vague. No demos or online tutorials. The site does a very poor job of explaining and proving the service benefits and features.

The site didn't offer any explanations of why Farmers Identity Shield might be better than other credit monitoring services. The user is left to make their own comparisons and analysis. It seems that Farmers quickly cobbled together an offering, with the hope that poorly informed consumers would buy it without asking hard questions. Part of the services Farmers seems to charge for (e.g., placing Fraud Alerts and Security Freezes), I have already done and consumers can do for themselves for free. It is very easy and a fast 5-minute phone call for a consumer to place a Fraud Alert on their credit reports.

More importantly, the site fails to state the monthly fee for the service. How can consumers make a decision about a service when the site doesn't state the price?

During the upcoming weeks, I will review more credit monitoring services. You can access prior reviews at the Product and Service Reviews page, or via "Product Reviews" in the right-column tag cloud. To receive alerts about future reviews, click on either of the e-mail or RSS links in the right column.

Equifax "3-in-1" Credit Monitoring Service (Product Review)

After Discover changed its credit monitoring vendor, I started looking for a replacement service. Since the three national credit bureaus all offer credit monitoring services, I thought that I'd look at Equifax's offering. This blog contains posts with reviews of the Experian Triple Alert service and a comparison of several services from Experian.

I performed a simple Google search since I didn't know the name of Equifax's service. The first search result included a link to the Equifax home page, and that's where I went:

First impressions are everything. In the center column, several bullet points summarized the company's credit monitor service features. This was easy and quick to read. Next, the page presented a huge "Get Started' button. The problem: the page lacks links to important service details. To properly evaluate a service, consumers need:

• Examples of their credit report formats from all 3 national credit bureaus
• Examples of the e-mail notices
• Details about the ID-theft insurance
• Expanations of why Equifax's offering is superior to other credit monitoring services

The page didn't present links to any of this information. If the site has it, the presentation forces users to hunt for it.

My first impression: the company produced a consumer unfriendly home page that lacks links to important service details.consumers need to properly evaluate the service. The "Get Started" button links directly to a service registration form page. The home page seems arrogant in its expectation that 4 bullet points are enough for consumers to make an informed purchase decision. No, that's not enough. Either Equifax doesn't understand this, or doesn't care.

This poor presentation is a strong indication to me that Equifax would likely be a difficult brand to interact with, if I registered for their credit monitoring service.

Normally, at this point I would move on to a competitor's web site, but I decided to give Equifax another chance. I clicked on the "View All Products" button which linked to:

This page was a little better. It provides links to the service detail page for each service. The presentation makes it difficult to compare offerings. Does the "3-in-1 Monitoring" service contain everything that the "Credit Watch Gold" service contains? The copy doesn't say so explicitly, so the consumer is left to guess or to read lots of copy. If a consumer doesn't know much about credit monitoring, this page is difficult to use. (I would later discover the site has a service comparison page, but the link to that comparison is buried on the service detail pages and not on this page where it should be.) I selected the "3-in-1 Monitoring" service link.

If I've learned one thing when evaluating credit monitoring services it's this: closely read the page content. There's a lot of explanatory copy on the 3-in-1 Monitoring service detail page. The service detail page lacks links to examples of the various service features. The service contains some basic features (e.g., monitoring of the consumer's credit reports at all 3 national credit bureaus, automated alerts, insurance, 24/7 access to customer service) and some nifty value-added features (e.g., customizable alerts, lock/unlock Security Freeze on your Equifax credit report). The $20,000 of insurance is more than what's available in the Experian Triple Alert service, but the Equifax site doesn't provide any links for users to read details, terms, and conditions about its insurance offering. As a wise person once said, "the devil is in the details."

This is important: the 3-in-1 Monitoring service summary on the All Products Page says, "... unlimited access to your Equifax Credit Report." This is important because only provide the full text of the consumer's Equifax credit report. If there's a problem with the consumer's Experian or TransUnion credit reports, this service provides minimal help. It only alerts you to any changes in those credit reports, and does not provide access to the full text of other branded credit reports.

This means the consumer is left on their own to retrieve their TransUnion and Experian credit reports from those services or another credit monitoring service provider. This could be time consuming; a potential inconvenience if the consumer is trying to determine and fix a credit report with errors, or damage done by an identity thief. Also, additional fees will probably apply to retrieve other branded credit reports.

Consumers need access to the full text of all three credit reports, not just one. Any service that describes itself as comprehensive really isn't comprehensive if it doesn't provide the full text of a consumer's credit reports from all three national credit reports.

Note: the "3-in-1 Monitoring" service page does not mention outsourcing and whether Equifax offshore outsources any of its operations. I know from prior research that all three national credit bureaus announced offshore outsourcing in 2003. (I haven't seen any evidence since to the contrary.) To stay competitive and to manage costs, credit bureaus currently offshore outsource portions of their credit reporting operations, and likely do the same for their credit monitoring services. I would expect a credit bureau like Equifax to mention its offshore outsourcing arrangements so consumers can make a truly informed purchase.

Is $20,000 in insurance enough? You have to decide that for your situation. It's hard to tell because the site doesn't provide a link to the contract or legal terms and conditions. I've Been Mugged readers should read my review of the Experian Triple Alert service to understand the insurance issues.

The bottom line: the Equifax 3-in-1 Monitoring service didn't look like a good deal to me. It claimed to be comprehensive, but isn't. It was a frustrating site to use, and my guess is the actual service isn't any better. Site pages lacked links to important service details and examples. While the service detail pages include a "Take a Tour" link to examples, this content was incomplete and didn't answer most of my concerns. Plus, the "Take a Tour" link was in a tiny font size and easy to miss.

Like the Experian site, the Equifax site was skimpy on explaining important details and benefits. The site didn't show me how its customized alert feature works. The site did a poor job of proving the benefits it claimed. The site didn't contain a copy explaining why it is better service than competitive services. I got the impression that the site pitched weak claims that would be easily believable by uninformed consumers.

Frankly, if the site pitching Equifax 's services to potential customers is this bad, then the actual service for customers probably is worse.

All of this left me with the impression that Equifax is: a) a difficult brand to do business with, and b) not very consumer focused. If I signed up for Equifax's 3-in-1 Monitoring service, it would probably be a frustrating experience. No thanks. I'll continue looking elsewhere for a credit monitoring service.

If you use the Equifax 3-in-1 Monitoring service, please share your experiences. Why did you sign up? What works well? What works poorly? How well do the alerts, credit resolution, and insurance reimbursement services work?

Experian Triple Alert Credit Monitoring Service (Product Review)

After Discover changed its credit monitoring vendor, I started looking for a replacement credit monitoring service. Since the three national credit bureaus all offer credit monitoring services, I thought that I'd start there. First up: Experian.

I'd heard that Experian’s service is called "Triple Alert,", but I wasn't certain. So I did a Google search to find the site. For me, one way to judge a product or service is determine how easy it is to find that service on the Internet. A well organized service (or company) makes it easy for consumers to find them via search engines like Google. The site should appear high up on the first results page and its Web site address (e.g., URL) should include the product or service name. I entered "Experian Triple Alert” in Google.com and received the following results page:

The results page included several Experian links in the left column:

• www.experiandirect.com
• www.experian.com/consumer/login.html
• www.experian.com/consumer/va_data_breach/index.html

None of the links mentioned "triple alert," but several competitors' links mentioned "triple alert." In the right column, one "Experian Triple Alert" link seemed to go to a site (e.g., Moving-Links.com/FreeReport) that wasn't an Experian site. So, I didn't click on that link. The second "Experian Tiple Alert" link in the right column had a question mark next to it, which my anti-virus software indicated was a risky or untested site to visit. So, I definitely wasn't going to click on that link.

The "Experian VA Data Breach" link didn't seem relevant. I was hoping that the results page would include something easily identifiable like "www.triplealert.com" or "www.experian.com/triple alert." My first impression was that Experian wasn't going to make my experience with their brand easy. I clicked on the "www.experiandirect.com" link and see if it would take me where I wanted to go. It brought me to:

The page include a Triple Alert so I felt better; that I’d had arrived at the right site. I thought that the page would present only the Triple Alert service from Experian. Instead, the page was cluttered with several Experian service options. The page presented the Triple Alert service for $4.95 per month, a single credit report plus credit score option for $15, a three credit report plus my credit score option for $24.95, and an online credit report option for $10. Are all of these options Triple Alert services, or only the first option?

The options hyping “online credit report in seconds” and “get your credit report and credit score instantly” seemed silly. Most services on the internet are fast and instant. That's why consumers use the Internet. The copy didn't explain if or why Experian's options are faster than others. Plus, I can see the page thoroughly confusing users who are unfamiliar with credit bureaus and the credit report/score process. The site lacks adviser mechanisms to guide unfamiliar consumers to the appropriate option.

For my needs, I seek a comprehensive credit monitoring service... far more than just a one-time peek at my credit score or my Experian credit report. I need access to the full text of my credit reports from all three national credit bureaus. I also need e-mail or text messaging alerts about the status or changes to my credit reports, credit resolution support and insurance, criminal fraud monitoring, identity fraud assistance when traveling outside the USA, my credit score, credit assistance tools, access to phone support, and easy options to add a Fraud Alert or Security Freeze. The copy on this page did not address all or most of these needs. The closest option seemed to be the Triple Alert option. For my needs, I want both monthly e-mail alerts and customizeable e-mail and text messaging alerts, options many banks and credit card issuers already provide. Why? The sooner you learn about fraudulent charges, the less money you'll lose.

I needed to understand exactly what Triple Alert will and won’t do with its credit resolution services. (Thanks to IBM’s data breach, my personal data has already been exposed.) I selected the “View sample alert” link to learn more about the basic credit reporting features. The sample alert page looked very similar to what I currently receive via my Discover credit monitoring service.

The feature mentioned on the home page: "e-mail alerts to key changes in any of my 3 credit reports” is nice, but the page copy didn't explain how the alerts work: how often, any customization options, and e-mail or text messaging options. Regarding credit monitoring services, I do not look for the cheapest service. I look for the service with the most value and effectiveness. Value is what I get for the monthly fee. Effectiveness includes addressing my needs: protection, alerts/warnings features, customization features, resolution services, adequate insurance and guarantee coverages, support, and reliability.

Next, I clicked on the “10,000 Triple Alert Guarantee” link to learn more about that feature. I expected the guarantee page to explain simply the guarantee and its benefits. Instead, the page presented a word-dense legal agreement in hard-to-read lawyer-speak. I was getting the distinct impression that Experian is a difficult brand to do business with. The guarantee page stated:

“If you (hereinafter "you") become a victim of Identity Theft (as defined below) while enrolled in and using the Triple Alert product, ConsumerInfo.com, Inc. (hereinafter "we", "our" or "us") will reimburse you for certain Identity Theft Expenses (as described in Section 3, below) up to $10,000, subject to the terms and conditions of this Guarantee. "Identity Theft" means that your name, address, Social Security number, bank, or credit card account number, or other personally identifying information was used without your knowledge or approval to commit fraud or other crimes. The maximum amount that we will pay you is $10,000 for Identity Theft Expenses as a direct result of an Identity Theft.”

Why does the copy mention ConsumerInfo.com? I didn't ask for that site. Did I arrive at the wrong site? What is ConsumerInfo.com? Is it a better credit monitoring service? This was confusing and it caused more questions than it answered. Further down the page, it included a description of the types of expenses are covered:

“(a) Stolen Funds: Funds directly stolen from you that are related to any account that is included on your Experian credit report…”
“(b) Legal Expenses: Reasonable and necessary attorney fees or court costs associated with defending any suit brought against you by merchants, financial institutions or other credit grantors or their collection agencies, or the removal of any criminal or civil judgment wrongly entered against you.”
"(c) Lost Wages: Actual United States wages or salary you lose as a direct result of time off work taken by you to report an Identity Theft;”
“(d) Miscellaneous: Loan applications fees, long distance telephone costs, mailing and postage costs, costs of having affidavits or other documents notarized; and”
"(e) Private Investigators: Any fees or costs associated with the use of any investigative agencies or private investigators. You must receive our advanced written consent to your choice of private investigators, and we reserve the right to select such private investigators.”

Note: the Triple Alert site pages do not mention outsourcing and whether Experian offshore outsources any of its operations. I know from prior research that all three national credit bureaus announced offshore outsourcing in 2003. To stay competitive and to manage costs, credit bureaus currently offshore outsource portions of their credit reporting operations, and likely do the same for their credit monitoring services. I would expect a credit bureau like Experian to mention its offshore outsourcing arrangements so consumers can make an informed purchase.

To summarize in plain English: if a bank account is on my Experian credit report and that account has money stolen from it, I would get reimbursed up to $10,000 less reimbursements for other valid expenses. If that bank account wasn't on my Experian credit report, then it isn't covered. That doesn't seem right.

The $10,000 of insurance didn't seem like much. It's pretty easy to have a $5,000 to $7,000 limit on one credit card, and much more in a savings account and mortgage. Attorney fees could easily eat up a large portion of the $10,000 guarantee.

Let’s assume for the moment that the $10,000 guarantee amount is enough coverage. There’s more to consider. The reimbursements are subject to more conditions. To get reimbursed, a consumer must also meet all of the following items:

1. Review your credit reports in a timely manner and report fraudulent items
2. File a police report within 10 days after first learning of identity theft or fraud (or after Experian notification)
3. Contact Experian’s Fraud Resolution Department within 10 days after first learning of identity theft or fraud (or after Experian notification)
4. Place a Fraud Alert with all 3 credit bureaus within 10 days after first learning of identity theft or fraud (or after Experian notification)
5. Work with Experian’s Fraud Resolution Department to pursue any and all sources of reimbursement and submit any receipts and documentation. I must assign Experian rights (Power of Attorney?) to work on my behalf for reimbursements. And I must give back to Experian any reimbursements if I receive funds from another source (e.g., bank, credit card issuers, other insurance, etc.)
6. Honestly inform Experian or pay back any reimbursements to them if they find that I misrepresented something

Obviously, any consumer uncomfortable with these 6 conditions should not sign an agreement with Experian Triple Alert. More importantly, $10,000 guarantee doesn’t provide much coverage. It seems easy to exceed that amount. Think of it this way: when you insure your home, you insure all of it, not part of it. The same applies to credit monitoring insurance or guarantees. If an identity thief steals all of my bank and financial accounts, I want insurance that covers everything. Not part of it. Moreover, residents of New York can't get coverage with Experian Triple Alert.

Note: I checked the Triple Alert Privacy Policy page. Experian Triple Alert participates in behavioral advertising programs:

The National Advertising Initiative (NAI) has developed an opt-out tool with the express purpose of allowing consumers to "opt-out" of the targeted advertising delivered by its member networks. You can visit the NAI opt-out page and opt-out of this cookie tracking. Please visit: www.networkadvertising.org/optout_nonppii.asp for more information."
"Partner sharing Opt-out Options: If a business partner refers you to our Site, you may choose not to have your information shared with that partner by opting-out directly on your order form."

Consumers should be aware of this, since the site (and any Triple Alert partners) monitor customers' Internet use and serve up (supposedly) targeted, relevant ads.

So, the Experian Triple Alert service didn't look like a good deal to me. It looked like a poor value. It wasn't particularly easy to find. It doesn’t meet all or even most of my needs. The web site was skimpy on explaining important details and benefits. When the site provided explanations, it was often difficult to read, hard to find, and confusing. And, the service doesn't offer customizable e-mail/text messaging alerts to warn me as soon as possible of possible fraud. That's a state-of-the-art feature many banks and credit card issuers already provide their customers. Frankly, if the site pitching Experian Triple Alert to potential customers is this bad, then the actual service for customers probably is worse.

The Experian Triple Alert site did not prove to me any of the benefits it claimed, nor that Experian Triple Alert is a quality service worth signing up for. The site didn't convince me that it is better than other credit monitoring services available. The site seemed to pitch weak claims while trying to lure uninformed consumers.

All of this left me with the impression that Experian is a difficult brand to do business with. If I signed up for Experian Triple Alert, it would probably be a frustrating experience. No thanks. I prefer to look elsewhere for a credit monitoring service.

If you use the Experian Triple Alert service, please share your experiences. Why did you sign up? What works well? What works poorly? How well do the alerts, resolution, and reimbursement services help?

FTC Seeks Consumers' Comments On Proposed System To Develop Credit-Based Homeowner Insurance Rates

I often write about the U.S. Federal Trade Commission (FTC), since its activities directly affects us (and our wallets or purses). Prior posts covered the FTC's annual analysis of identity theft and its proposed rules for behavioral advertising, which could affect your Internet usage and privacy. Currently, Congress has required the FTC to study ways to base homeowners insurance rates on credit-based insurance scores.

Yes, you read that correctly. The FTC is studying ways to base your homeowner insurance rates on your financial and credit information. This study was mandated by Section 6(b) of the FTC Act and Section 215 of the Fair and Accurate Credit Transactions Act (FACTA). I've Been Mugged readers know that insurance companies already based property insurance rates on C.L.U.E. reports, that compile consumers' auto and homeowners insurance claim histories.

In 2007, the FTC studied ways to for credit-based auto insurance rates. Some key findings from that July 2007 auto insurance study:

1. Scores effectively predict the number of claims consumers file and the total cost of those claims. Their use is likely to make the price of insurance better match the risk of loss that consumers pose. Thus, on average, as a result of the use of scores, higher-risk consumers pay higher premiums and lower-risk consumers pay lower premiums.

2. Use of scores may result in benefits for consumers. For example, scores permit insurers to evaluate risk with greater accuracy, which may make them more willing to offer insurance to higher-risk consumers for whom they otherwise would not be able to determine an appropriate premium. Scores also may allow insurers to grant and price coverage more efficiently, producing cost savings that could result in lower premiums. Little empirical data was submitted or available to the FTC that would allow the agency to quantify the magnitude of these benefits.

3. Scores are distributed differently among racial and ethnic groups, and these differences are likely to have an effect on the premiums that these groups pay, on average.

4. As a proxy for race and ethnicity in statistical models of insurance, scores have a 1.1 percent and 0.7 percent effect for African-Americans and Hispanics, respectively. This means that most of their predictive power is not as a substitute for membership in racial or ethnic groups. In addition, scores effectively predict risk of claims within racial and ethnic groups.

5. The Commission could not develop an alternative scoring model that would continue to predict risk effectively, yet decrease the differences in scores among racial and ethnic groups.

From the auto insurance study, finding #1 above seems more focused on "risk" rather than "actual claims," which suggests that insurance companies can base auto rates on what they think your risk is, not your actual risk based on claims. Plus, there are a lot of "maybe's" in #2 above. This seems to be a big win for industry and not much of a benefit for consumers.

If this insurance study seems odd to you, it should. One would expect insurance rates to be based on you claim history and not your finances. Companies seem intent on changing this traditional approach. If you are concerned, I strongly encourage you to submit a comment to the FTC. The deadline for submissions is June 18, 2008 -- 2 weeks from today. You can submit comments via postal mail to:
Federal Trade Commission
Office of the Secretary
Room H-135 (Annex C)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Be sure to include “Credit-based Insurance Score – Homeowners Insurance – P044804” on both your letter and the envelope.

Lexis-Nexis Parent To Acquire ChoicePoint

BusinessWeek magazine and the Washington Post newspaper both reported the planned acquisition of ChoicePoint by Reed Elsevier, the parent holding company of Lexis-Nexis information services. According to BusinessWeek:

"Talk about a quick fix. Shares of ChoicePoint, which had been languishing near a 52-week low of $31.87, surged on Feb. 21 after the provider of insurance information and ID verification services said it had agreed to be acquired by Anglo-Dutch British information provider Reed Elsevier, owner of Lexis Nexis, for $3.5 billion in cash, or $50 a share..."

BusinessWeek also reported:

"The deal also marks an abrupt end to turnaround plans at the Georgia-based information provider. After experiencing years of rapid growth following its 1997 spin-off from Equifax, ChoicePoint’s stock price settled into a trading range, bouncing back and forth between the low 30s and mid-40s. The problem wasn’t ChoicePoint’s core product, a database of insurance claims which accounts for at over 50% of the company’s $982 million in revenues and 80% of its operating profits. Rather, starting in 2001, management tried to expand beyond ChoicePoint’s core business, funneling the cash from its insurance products into acquisitions, including i2, a software provider to law enforcement agencies. Most, however, have been failures."

Assuming the sales goes through, I hope Reed Elsevier's management can help ChoicePoint improve their customer service. Last year, I purchased my C.L.U.E. insurance reports from ChoicePoint's ChoiceTrust site, to check their accuracy. ChoicePoint never responded to any of my follow-up e-mail inquiries. Nadda. Zilch. That's no way to treat a customer.

If you don't know what a C.L.U.E. report is, and how its content can affect your property insurance rates, see either of these two posts:

• What Does Your C.L.U.E. Insurance Report Say About You?
• Nothing But Silence From Choicepoint

[Editor's note: regarding full disclosure, I worked in marketing management at Lexis-Nexis from 1984 - 1986, and I currently co-manage an e-mail group of former Lexis-Nexis employees.]

Nothing But Silence From Choicepoint

During the past few months, the three national credit bureaus announced new options for consumers to lock down or "freeze" their credit reports. This new option provides far stronger protections for consumers against identity theft, compared to the older Fraud Alert option.

Anyway, I was wondering when Choicepoint, the dominant provider of C.L.U.E. insurance reports through its Choicetrust site, would offer a similar nationwide Security Freeze option for its insurance reports. According to the Choicetrust site, the Security Freeze option for insurance reports is available in 12 states: Colorado, Delaware, Illinois, Maine, Massachusetts, Montana, Nevada, New Hampshire, New Jersey, North Carolina, Tennessee, and the District of Columbia.

I sent my first letter in September 2007. No answer. I sent a second letter last week. Still no answer.

My letter to Choicepoint:

"Hello. I am an independent journalist and I am also a customer of your C.L.U.E. reports. As you probably know, TransUnion and Equifax have announced a nationwide credit report freeze service available in October. They are not waiting for legislation in additional states. When will Choice Trust offer a similar, nationwide freeze service? As the dominant provider of C.L.U.E. reports, this is an opportunity for you to take a leadership position. I look forward to your reply."

I spent good money ordering my two insurance reports (e.g., auto and homeowners property) from Choicetrust. It does not seem to be good customer relations to ignore a customer.

While the Choicetrust site does provide the Security Freeze option for my state (Massachusetts), the site does not explain why for my state I can freeze my Employment and Tenant reports but not my C.L.U.E. insurance reports.

Moreover, identity thieves are not stupid. They will take the path of least resistance to steal consumers' sensitive data. If consumers' credit reports are locked down, of course they will try to access insurance and medical reports. So, it seems wise (for both Choicepoint and consumers) for the Choicetrust site to offer a nationwide Security Freeze option.

What do you think? If you have written to Choicepoint, share your letter and response you've received from Chicepoint. I've Been Mugged readers want to know.

What Does Your C.L.U.E. Insurance Report Say About You?

In an earlier blog entry, I briefly mentioned the C.L.U.E. report. Since then, I visited the Choice Trust site to view my C.L.U.E. report and learn more about it. I also wanted to evaluate the accuracy of my C.L.U.E. report. What is a C.L.U.E. report? According the Choice Trust site:

"The C.L.U.E.^® Personal Property report provides a five year history of losses associated with an individual and his/her personal property."

The letters C.L.U.E. mean "Comprehensive Loss Underwriting Exchange" report. Why the long name? Simpler is often better. So I am going to use "insurance report" and "C.L.U.E." interchangeably.

Your insurance report (that's "C.L.U.E. report" in insurance speak) is a file that insurance companies use to decide whether or not to offer property insurance to you and me, and at what rates. The report covers property insurance, not medical insurance. Insurance companies insert notes into your insurance report, which you can contest. By law, you are entitled to one free insurance report each year, just like you are entitled to one free credit report from each national credit bureau every year.

Why do I care about the accuracy of my insurance report? The Privacy Rights Clearinghouse provides a good list of the errors commonly found in insurance (C.L.U.E.) reports:

• "Inaccurate information can be included in the report."
• "The report may contain information about someone else or another property."
• "A report may use information other than claims data to rate you as a risk - even if the company doesn't pay a claim."
• "Your phone calls to inquire about a possible claim may be reported."
• "The loss may fall below your deductible and the claim is denied or you are advised not to submit a claim. Still, you can end up with a negative mark."
• "Even when repairs are made and the property is restored to the original condition, the CLUE report can include information about the claim."
• "The report can affect the premium you pay as well as whether you are insured at all."
• "Your history as a long-time customer with your prior company is not a factor of the CLUE report."

This is another example of how the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' insurance information, and tilted away from consumers. The burden is upon us consumers to prove that our C.L.U.E. report contains errors.

The good news for me is that my C.L.U.E. reports were accurate. They didn't show any claims (that's "losses" in insurance speak) since I haven't made any claims in the past 5 years. If you want to learn more, the Privacy Rights Clearinghouse has plenty of information about C.L.U.E. reports and your rights.

Astute readers will note that I wrote "my insurance reports." Yes, I had to review multiple reports. Choice Trust delivers automobile property claims (that's "losses" in insurance speak) in one report, and homeowner claims (claims about items you own, like your home or its contents) in a second report. I have no idea why Choice Trust didn't combine this information into a single, comprehensive report.

Before you visit the Choice Trust site, you should know that the ChoicePoint company, a data broker, operates the Choice Trust site. Data brokers make money by selling information... usually the personal information about consumers. Here's how the Choice Trust site describes ChoicePoint:

"Who is ChoicePoint? What do we do? We help you gain information about the people or companies with whom you do business, both professional and personal, to help you make smarter choices. Simply put, we help restore the element of trust that has been increasingly lost over time. At ChoicePoint, we do not sell your personal information to the curious. To use our services and gain access to our data, a person must have a "permissible purpose," which means he or she must have a valid reason - such as verifying credit information or previous employment - to do so. And in almost every case, the information is obtained with your consent. ChoicePoint data is also available to individuals who are looking for information on themselves to help ensure the information is accurate."

Restore the element of trust? You bet! Second, ChoicePoint has a data breach history:

"ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress: At Least 800 Cases of Identity Theft Arose From Company’s Data Breach" [FTC. January 2006]

"Alert: The ChoicePoint Data Security Breach: What It Means for You, and How to Find Out What ChoicePoint Knows about You" [Privacy Rights Clearinghouse]

"ChoicePoint's Data Breach Fine Sets Record: ID verification services vendor ChoicePoint's breach of personal financial data for more than 163,000 consumers will cost the company $15 million in fines to the Federal Trade Commission — including the largest civil penalty in FTC history." [eWeek. January 2006]

My point: there is risk when dealing with ChoicePoint. We consumers cannot opt-out of the C.L.U.E. report system. Now, about this news article:

Victims of ChoicePoint data breach didn’t take advantage of free offers: Panel of industry, government leaders discuss finding better ways to protect personal data and notify consumers [Network World. April 2007]

My take on this: most consumers don't know what data brokers are, nor what they do. Many people I've talked with don't understand the difference between a Fraud Alert and a Credit Freeze. Most people I've talked with haven't heard of ChoicePoint or the C.L.U.E. report. Maybe I just happened to pick people who weren't ID-theft victims of ChoicePoint's data breach.

Regardless, the whole topic of credit, insurance, and identity theft is complicated. And, ChoicePoint's data breach history is enough to make any reasonable consumer pause before using the Choice Trust site. More importantly, ChoicePoint's Choice Trust site is the site we consumers must use to access our insurance reports. There are smaller industry players, but ChoiceTrust dominates the market.

Since I work in web site design and usability, I'd like to share a few additional observations about my experience with the Choice Trust site:

• The site's home page is cluttered with lots of text. It forces you to read a lot, making the site difficult to use. Easily scannable pages is the standard for good web design today
• The site is difficult to use. You have to know what a C.L.U.E. report is, by name, to click on the correct link. Why couldn't the site use plain English instead?
• To view your report you first have to create an online account.The site forces you to enter a lot of personal information during the account creation steps. This is always troubling, especially if you are an ID-theft victim who has been burned with a data breach, you know the perils of disclosing too much personal data
• After creating your account, you can sign in to view your C.L.U.E. report. Like I mentioned above, there are 2 reports; one for property and a second for auto. This report design seems to focus on maximizing profits for ChoicePoint instead of providing an easy-to-use and user-friendly site.
• While viewing my reports, the site informed me that my free C.L.U.E. reports are available online only for 30 days. Why the limitation? After 30 days, i have to pay to see the same report I saw earlier for free. This marketing strategy does not create goodwill between me and Choice Trust. (Again, this design seems to focus on maximizing profits for ChoicePoint, rather than providing an easy-to-use and user-friendly site.)
• The site pages present the account navigation (e.g., My Account, My Reports) in a light-colored type which is easy to miss. The main site navigation (e.g., Personal Reports, Personal Insurance Reports) is in bold type which is easy to see, but it links to site sections I'm not interested in. I had to frequently use my browser's Back button. All of this was frustrating
• The "How To Read Your Report" page contained helpful content, but the site presented it in a separate page, not the same page with your actual C.L.U.E. report. I had to switch browser windows repeatedly... an irritant.
• Consumers in 11 states can "freeze" or lock their C.L.U.E. insurance reports. If you live in CO, DC, DE, IL, ME, MT, NC, NH, NJ, NV, or TN, then you are the lucky few. The site doesn't mention when this option might be available to residents in other states.

Have you used the Choice Trust site? If yes, what did you think of it? What did you think of your C.L.U.E. report? I've Been Mugged readers want to know.

Next entry: in the news