Massachusetts

Tuesday, April 22, 2008

Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by themselves -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying a) who you are, b) your current residential address, and c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, or via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g., you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 in total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do, like using stronger, regularly rotated passwords and setting up e-mail or text message alerts for their financial accounts.

Tuesday, April 15, 2008

Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday, January 26, 2008, I attended the first ACLU Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences about the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams, and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Many of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

Workshop panelists Charles Blandy and George Jenkins at the Massachusetts ACLU Conference. January 2008. Waltham. Photo by Marilyn Humphries.

The workshop went smoothly. About 35 people attended this workshop. Charles spoke first and reviewed many of the well-known political blogs (such as Daily Kos and TPMmuckraker) consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on I've Been Mugged as an example of citizen journalism, consumers' rights about identity protection, and notification laws after a corporate data breach. About 30 people attended this workshop and at least 400 attended the conference.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can listen to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the Massachusetts ACLU for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]

Monday, March 17, 2008

Data Breach At Harvard University

Several news sources have reported a data breach at Harvard University. From ABC News:

"... at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web. Harvard officials began notifying thousands of students and applicants this week... According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained summary information from applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers. Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music."

The Chronicle Of Higher Education reported:

"Harvard has sent notices to all affected people and is offering, at the university’s expense, to help them obtain credit reports, set up credit-monitoring services and fraud alerts, and take other steps to guard against identity thieves."

If that's all Harvard is offering, then Harvard's identity theft victims aren't getting much. First, free credit reports are already available online for consumers. Second, the credit bureaus already provide free Fraud Alerts for consumers. There is some value in free credit monitoring services, provided the services include flexible and timely alerts, access to credit reports throughout the year, two or more years of free services, and credit restoration services.

Since news stories don't provide much detail about the credit monitoring services offered, I checked the Harvard news release:

"In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves."

That is good news. Harvard is offering its identity theft victims credit restoration services from Kroll. The restoration service helps identity theft victims clean up accounts that have been taken over or new accounts established by criminals. The monitoring service helps identity theft victims check their credit reports frequently to discover abuse as soon as possible. I hope that all of Harvard's identity theft victims take advantage of both services.

While 10,000 records is a sizable data breach, other colleges and universities have had far larger data breaches:

  • George Mason University: January 2005: 32,000 records
  • University of California at Berkeley: March 2005: 98,400
  • Boston College: March 2005: 120,000
  • Tufts University: April 2005: 106,000
  • University of Hawaii: June 2005: 150,000
  • University of Connecticut: June 2005: 72,000
  • University of Utah: August 2005: 100,000
  • University of Colorado: August 2005: 49,000
  • Kent State University: September 2005: 100,000
  • Metropolitan State College (Denver): March 2006: 93,000
  • Georgetown University: March 2006: 41,000
  • University of Texas McCombs School of Business: April 2006: 197,000
  • Ohio State University: April 2006: 300,000
  • Western Illinois University: June 2006: 180,000
  • University of Tennessee: July 2006: 36,000
  • University of California at Los Angeles: December 2006: 800,000
  • University of Idaho: January 2007: 70,000
  • East Carolina University: February 2007: 65,000
  • Community College of Southern Nevada: May 2007: 197,000
  • University of Colorado at Boulder: May 2007: 45,000
  • Georgetown University: January 2008: 38,000

There are many more, smaller data breaches at colleges and universities. Some schools don't announce the total number of records exposed. In my opinion, academia as a whole still does a poor job with data security. It'll be interesting to see if the number of records exposed in Harvard's data breach remains at 10,000 or goes up.

[Editor's note: in the interest of full disclosure, from 1992 to 1997 I worked in Baker Library at the Harvard Business School as a business analyst researching business and economics topics.]

Monday, February 11, 2008

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story about "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and driver's license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and racked up about $35,000 of debt that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. Reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or an equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' Social Security numbers.

Monday, December 17, 2007

Placing A Freeze (Or Lock) on Your Credit Files

In August 2007, the Massachusetts Governor signed a new law allowing Massachusetts residents to lock or place a "Security Freeze" on their credit reports with the three national credit bureaus. Residents can visit the Massachusetts Office of Consumer Affairs web site for instructions about how to add, lift, or remove a Security Freeze on their credit reports. Residents in other states can proceed directly to the three national credit bureaus for instructions.

The fees to add, lift, or remove a Security Freeze vary by state and by the consumer's status. For identity-theft victims, the fees are waived. For others, the fees apply and vary by state. For example: the add/remove/lift fees in Massachusetts are waived for identity theft victims, while the fees for others are $5.00 each. In some states, the add/remove/lift fees are as high as $10.00 or $20.00 each.

Sunday, November 11, 2007

In the Blogosphere: Xconomy Reviews Blogtoberfest

A couple of weeks ago, I met Wade Roush, one of the authors at the Xconomy blog. I met Wade at the Blogtoberfest event in Boston. If you are a blogger in the Eastern Massachusetts area, I suggest you read Wade's post about the Blogtoberfest event and the bloggers he met. Wade's post also has a link to some photos.

Monday, November 05, 2007

In The Blogosphere: Chronicles of Dissent

A tip of the hat to the folks at Chronicles of Dissent blog for their coverage of my posts about correspondence with Attorney General Coakley's office about online breach notification. If you are a Massachusetts resident and you feel as I do, I hope that you'll contact Mass. Attorney General Coakley's office and tell them you want corporate breach notifications posted online.

Friday, November 02, 2007

Reply From Attorney General Coakley's Office

A few days ago, I sent an e-mail letter to Massachusetts Attorney General Martha Coakley's office. Yesterday, I received this e-mail reply:

From: Email Correspondence (AGO)

Thank you for contacting the office of Attorney General Martha Coakley. I have forwarded your e-mail along to the member of our staff who is handling this office's compliance with the new breach notification laws which took effect on October 31, 2007. Although there are currently no plans to post breach notifications online, due to your correspondence, this idea is currently being considered by our Consumer Protection Division. Thank you for taking the time to contact us. It is important that we hear from constituents about important issues such as this.

Sincerely,

Community Information and Education Division

It's nice to receive a quick reply. I'm glad that the state is considering the posting of breach notifications online. We'll see what they finally decide to do. If you are a Massachusetts resident, I hope that you'll write to them also, and tell them you want breach notifications published online.

Tuesday, October 30, 2007

Letter to Massachusetts Attorney General Coakley

As a consumer affected by a corporation's data breach and identity theft, I am quite excited about Massachusetts' new identity theft law which will be implemented during the next few months. On Sunday evening, I sent the following e-mail letter to Massachusetts Attorney General Martha Coakley:

To:   The Office of the Attorney General
        One Ashburton Place
        Boston, MA 02108
Dear Attorney General Coakley:

I am a resident of Boston and I am writing to you about Massachusetts' new identity theft law (St. 2007, c.82: Security Freezes and Notification of Data Breaches). I look forward to the implementation of this new law since I have been the victim of identity theft. Specifically, a prior employer lost my most sensitive personal data. So, as soon as the Security Freeze option is available in Massachusetts, I will sign up to better protect my identity and finances.

My letter to you today is about the notification part of the new state law, specifically the portions about "Breach Notification" and "Substitute Notification" by companies. When IBM Corporation lost my data in February 2007, the company finally notified me in May 2007. This delay was unacceptable to me since identity thieves could have done much damage during the interim. So, while IBM's written notification to me was helpful, speedy notification is also important to me since media coverage wasn't immediate.

Since then, I have researched identity theft. During my research, I have found that New Hampshire posts on its Department of Justice web site the breach notifications N.H. received from corporations.

My question to your office is this: when will Massachusetts post online the breach notification letters it receives? The online posting of breach notifications by your office would be a huge benefit to consumers for several reasons:
  1. Consumers can access a reputable, reliable site for the full content of breach notifications.
  2. Online postings can solve the speed concern other consumers like me have.
  3. In the situations defined by St. 2007, c.82, the online posting of breach notifications would also solve the requirement of "Substitute Notification."
  4. The online posting of breach notifications by Massachusetts would be comparable to another New England state.
  5. The online posting of breach notifications would be a positive signal that Massachusetts is serious about being a leadership state when it comes to identity theft.
I look forward to hearing from your office soon. Thank you in advance for your attention to this and reply to my letter.

I sent this letter to the Mass. AG since the comparable office in New Hampshire posts breach notifications online. It is critical for consumers (e.g., customers, employees, and former employees) to receive prompt notification from companies which suffer a data breach. And, since Massachusetts' new law provides for "Substitute Notification" instead of a personal letter to each consumer, I want to know exactly how my state plans to provide "Substitute Notification."

I also sent copies of this letter to my federal and state representatives via the Congress.org web site. If you are a Massachusetts resident who feels as I do about identity theft, I encourage you to contact your state representatives.

Wednesday, September 12, 2007

New ID Theft Law in Massachusetts (Part 2)

Since IBM notified me about their data breach, I've paid more attention to Identity Theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't make it into the final version of the new law). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that they affected the features in the new law.

If you want to read the new law, see St. 2007, c.82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

  • Personal data to be protected: regardless of the format it is stored in, the personal data companies and state agencies must protect includes first name and last name or first initial and last name of a resident with the resident's SS#, driver's license number, state identification number, financial account data (e.g., debit or credit card number in combination with or without a security code, access code, or password)
  • Data breach notification for consumers: companies and government agencies must notify as soon as possible affected Massachusetts residents whose personal data (e.g., SS#, driver's license number, etc.) have been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
  • Data breach notification: Companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details
  • New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently creating new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The PIN is used by the consumer to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request; and lift (or remove) the freeze within the same number of days
  • Disposal of records with personal data: the new law sets rules about the proper destruction of records by companies and government agencies
  • Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008 and not in November 2007 with the rest of the law

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

  • The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important since identity thieves act quickly
  • Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." Additionally, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs
  • The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely monitor the merger/acquisition/name changes of their former employer, others may not. Consumers who don't monitor the merger/acquisition/name change of a former employer may not recognize the substitute notice from the new company
  • The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze features. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or disclose a consumer's credit report despite an in-place Security Freeze
  • The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency" which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider
  • Disposal of records feature: the penalty for violators seems very weak, in my opinion. The law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws to undermine compliance.
  • The new law doesn't state whether the Massachusetts department of justice will post data breach notices online, like New Hampshire does

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.

Next entry: data breaches and lawsuits

Sunday, August 26, 2007

New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "

I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:

  • Penalties for corporate violators,
  • Protections for ID-theft victims of data breaches by former employers,
  • Details about the fees and administration of the new "security freeze" option,
  • Promotional guidelines to inform consumers, and
  • Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St. 2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."

Next entry: Mistaken for a car thief, ID theft victim jailed

Thursday, July 26, 2007

Identity Theft Legislation in Massachusetts

Since I live in Massachusetts, any state legislation about Identity Theft is important. About 35 states have laws requiring companies to inform citizens of a data breach, but Massachusetts does not. About 25 states have laws providing their citizens with a Credit Freeze tool. Massachusetts is not on this list either. No matter where you live, you should check both lists to see how seriously your state government considers Identity theft.

Thankfully, change is underway in Massachusetts. And it is long overdue. An Identity Theft bill in Massachusetts has been passed by the state House and is under consideration by the state Senate. I haven't read the actual legislation yet. When I do, I will comment about the legislation and if it goes far enough with strong enough identity theft protections.

Some background: a Credit Freeze is a critical and powerful tool for consumers to protect against Identity theft. With a Credit Freeze, a company or a creditor cannot access a consumer's credit file unless the consumer provides consent. Today's U.S. financial system allows the national credit bureaus (and other companies) to freely share your credit information with creditors (good or bad)... even after you've placed a Fraud Alert on your credit file. As you might expect, the national credit bureaus oppose state legislation with the Credit Freeze tool.

If Massachusetts offered a Credit Freeze option, I would have used it immediately when IBM notified me of their data breach. As I mentioned in an earlier blog entry, the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' credit information, and tilted away from strong protections and notifications for consumers. In my case, IBM was a prior employer and not a retailer I'd purchased products from.

One reason why I started this blog is to raise consumers' awareness of the identity theft problem, particularly where employers lose personal data about prior employees. And everyone has one or more prior employers. I believe we can fix this tilted system. As you might expect, the national credit bureaus view the Credit Freeze tool as a burden and oppose legislation with it at the state level. Surprisingly, there is a discussion about whether or not consumers should be notified about data breaches.

To me, consumer notification should be required of all companies, especially when that company is a prior employer who has chosen to archive personal data for an extended period. Consumer notification should be required for all data breaches. And, the Credit Freeze tool should be available to all consumers nationwide. These are two critical tools for protection against identity theft.

Next entry: a conversation with IBM (part 1)

  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.