Where's The Value: Credit Monitoring Or Credit Restoration? (Poll Results)

Last year, American Banker interviewed me and representatives from Kroll and IBM for an article about the obligation companies have to assist ID-theft victims after a corporate data breach. IBM and Kroll representatives argued that ID-theft victims benefit more with credit restoration services: the processes and work to fix or clear the fraudulent records and accounts created by identity thieves. I argued that ID-theft victims would benefit more from credit monitoring services.

To explore this subject further, I ran a poll on this blog to see what I've Been Mugged readers value more: credit monitoring services or credit restoration services. The approach by companies should focus on the greatest need consumers have (and not what some corporate executive believes is best to minimize their company's post-breach costs). Since I began this blog, I've talked with dozens of consumers, both in-person and via e-mail. Most people seem to need the basic services first: monitoring their credit information, an understanding of the basic threats/scams, and ways to protect their data.

I know my poll does not contain a rigorous scientific design. Participants weren't chosen at random, but included readers of the I've Been Mugged blog who decided to take the poll.

The poll question: What is the most important feature of a credit monitoring service?

The results:

Question	%	Votes
Continuous monitoring of your data	45%	22
Credit restoration services	39%	19
Non-financial crime monitoring	2%	1
Credit score and credit analysis tools	6%	3
I don't know	8%	4
I don't care	0%	0
Total	100%	49

I'm impressed that 4 people were honest enough to admit that they didn't know what feature in a credit monitoring service was most important to them. I think that this statistic highlights an important need in the marketplace. It suggests that roughly 8% of consumers don't know or aren't sure what to look for in a credit monitoring service.

Knowing what to look for is important since after a data breach ID-theft victims must decide whether or not to accept their employer's (or former employer's) credit monitoring service offer. Even if the offer includes free services, it may not of value. Knowing what to look for is important for any consumer trying to decide which credit monitoring service to register with.

If you missed this poll, don't worry. There's another poll running on our ID-theft Polls page.

During the next few weeks I will share my reviews of the various credit monitoring services. You should judge for yourself, as your personal data and identity protection needs may be very different than mine. Like the ads say, your mileage may vary. So, shop around and shop wisely.

8 Of 10 Americans Worried About Identity Theft

According to a recent poll by Bankrate, 8 of 10 Americans are worried about identity theft, spcifically having their identities stolen. This concern is based upon:

"... personal knowledge of a victim. One-third of Americans (34 percent) know someone who has been a victim of identity theft. In the Northeast, it's closer to one in four (28 percent) while in the West almost one in two people (44 percent) know an ID theft victim."

The survey results were part of a broader study of Financial Literacy about identity theft. Bankrate had engaged Gfk Roper America to conduct a random survey of American households to understand consumers understanding of identity theft. Interviewers questioned 1,006 adults -- 524 women and 482 men. The report found that consumers' worry increased with their personal knowledge of identity theft victims. Basically, people who knew ID-theft victims were more worried than people who didn't.

The numbers could be much higher (or lower), due to consumers' varying definition of identity theft. According to Avivah Litan, vice president and analyst at Gartner:

"Everyone has their own definition of 'identity theft... For some it means wholesale identity hijacking. For others it could mean credit card theft. So it's hard to know what the respondents were thinking; thus the results could be skewed either way."

What are consumers doing to address their ID-theft concerns? Survey respondents reported the following activities:

Participants' Response to ID-Theft (Bankrate - GfK Roper survey - North America - April 2008)	Concerned About ID-Theft	Not Concerned About ID-Theft
More likely to shred documents with sensitive personal data	82%	52%
Use a secure snail-mail mail box (at post office or a locked box at home)	63%	51%
Avoid online banking	54%	55%
Check credit reports regularly	53%	30%
Refuse to shop online	42%	47%
Requested a Security Freeze on their credit reports	23%	6%
Only pay bills online	16%	13%
Haven't made any changes to avoid identity theft	35%	19%

I find the 35% statistic in the last row astounding. These people practice the "head in the sand" approach. These are people who personally know ID-theft victims, but still refuse to do anything to avoid identity theft. Maybe they have given up, or maybe the problem seems overwhelming.

My impression: some companies probably rely upon this "head in the sand" attitude after a data breach. After a data breach, these companies rely on many ID-theft victims (e.g., employees, former employees, retirees, contractors, etc.) to "keep their heads in the sand" and not take advantage of the company's credit monitoring service offer... which is often free for a year or two. It lowers the company's post-breach costs. Companies know this, and are less likely to enact stronger data security measure when they know consumers don't do all they can to protect their sensitive personal data.

The survey results by gender:

• Women were more likely than men to shred documents
• Women were more likely than men to use a secure mailbox
• Men were more likely than women to avoid online banking
• Women were more likely than men to check their credit reports regularly
• Men were more likely than women to request a Security Freeze on their credit reports
• Men are more likely than women to practice the "head in the sand" approach

Now that you know what other consumers are (and are NOT) doing, I hope that more people will take action to avoid identity theft, and after a data breach will accept the company's credit monitoring service offer.

2008 Identity Theft Survey - Javelin Research (Part Two)

Yesterday's post discussed the results of the latest identity theft and identity fraud survey in the USA by Javelin Research. In it's report, Javelin recommended the following for consumers to detect identity theft and identity fraud:

• Monitor your bank and credit card account activity regularly. Check the activity online, via phone, or via ATM machine
• Use e-mail or telephone alerts to monitor activity on your accounts. Activity can include deposits, withdrawals, balance transfers, specific charges, address changes, new names added to your accounts
• Javelin emphasizes that the longer it takes a consumer to detect fraud, the greater the amount stolen

Javelin recommends the following for consumers to resolve identity theft and identity fraud:

1. Contact your bank or credit card company immediately
2. Close any accounts that have been compromised
3. Ask your financial provider about fraud resolution teams or services to help you fix your credit and recover any money lost
4. Place a Fraud Alert on your credit reports at all three credit bureaus
5. Know the data breach notification rights in your state. When an employer or prior employer  loses your personal data (or it is stolen), in many states that company is required by law to notify you of that loss/theft. Other rights, such as free credit monitoring services, may also be available to you in your state
6. Consider placing a Security Freeze on your credit reports at all three credit bureaus. this will prevent criminals from opening new accounts and obtaining credit in your name. Some states require a Security Freeze to be free to identity theft victims
7. File a report with the local police
8. Notify the U.S. Federal Trade Commission (FTC). The FTC tracks complaints and identity theft activity
9. Consider signing up for a credit monitoring service, which can help you monitor your credit reports at the three credit bureaus

While all of the above items are solid and valuable recommendations, they focus on financial identity fraud. Unfortunately, there are so many ways criminals can abuse stolen personal data. They can use it to commit medical identity fraud, insurance identity fraud, criminal identity fraud, obtain a fraudulent driver's license, or apply fraudulently for a job, and none of these activities will show up on your credit report.

If that sounds awfully scary, it is. And it should scare you. This is the current state of U.S. business and government systems. A good first step would be to write to your elected officials and ask them what they plan to do about it.

2008 Identity Theft Survey - Javelin Research (Part One)

Last week, I spent some time reading the "2008 Identity Fraud Research Report" by Javelin Strategy And Research. Javelin survey about 5,000 adults and identity-theft victims in the United States. Key findings from the survey:

• There is a difference between "Identity theft" and "Identity Fraud." Identity Theft is when, "your personal information is accessed by someone else without your explicit permission. Identity Fraud occurs when a criminal takes the illegally-obtained information to use it for financial gain."
• The most common ways criminals steal consumers' personal data: lost/stolen wallets (33%); "shoulder surfing" while conducting a transaction (23%); "friendly" theft by family members oro others you know (17%); online (12%); and data breaches (7%).
• Vishing is on the rise. Vishing is a phone-based version of the phishing scam. Vishing is when criminals attempt to trick a consumer into providing personal data over the phone. In some instances, criminals contact consumers fist via e-mail with a bogus phone number for replies

So, what can consumers do to protect themselves? Javelin recommends a 3-step approach (e.g., Prevention, Detection, Resolution) similar to the U.S. Federal Trade Commission (e.g., Deter, Detect, Defend). The basic idea is that consumers should use a range of methods to protect their personal data, since criminals use a variety of methods to steal personal data.

Javelin recommends the following to prevent identity theft and identity fraud:

• Protect your personal computer, laptop, PDA, and mobile phone with paswords
• Do not use PIN numbers or passwords that are easily guessed (e.g., birthdays, your maiden name, your kids' names, your pet's name, etc.)
• Shred sensitive documents before placing them in the trash
• Use a locked mailbox or a Post Office Box for your snail mail
• Do not leave documents with your personal data laying around, especially documents with your bank account numbers or social security number
• Monitor your online accounts (e.g., bank, credit card, retirement, and othe financial accounts) for suspicious or unauthorized activity
• Move your paper financial statements to online accounts. Avoid paying bills with checks, and instead pay via online banking
• Review your credit reports at least once a year. You can visit annualcreditreport.com or call toll-free at (877) 322-8228

Tomorrow: more recommendations by Javelin.

Clients Should Be Informed By Companies of Data Breaches

From the Charleston Daily Mail:

"A survey of AARP members in West Virginia shows that a majority of them want laws requiring companies to notify clients of security breaches on their personal information. Under existing law, businesses do not have to contact clients if they lose or compromise any of their personal data."

The survey by AARP West Virginia included 1,000 members, of which 90% participated in the survey. Additional survey results:

"... 70 percent of members would be likely to vote for a candidate supporting such a measure, said Ginger Thompson McDaniel, associate state director of AARP West Virginia."

About 40 states have data breach notification laws requiring companies to notify consumers. Many feel there should be a national law requiring both breach notification and penalties. This makes sense to me, since state laws vary regarding penalities.

Online Privacy Concerns Increase

The Associated Press news services reported the results of a new survey by the University of Southern California's Center for the Digital Future:

"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.  People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet..."

In 2007, about 57% of survey respondents were very or extremely concerned about credit card security. In 2006, the same number was 53 percent. In 2007, about two-thirds of adult Internet users shop online, compared with just 50 percent in 2006. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores. The survey included a random selection of 2,021 Americans contacted from Feb. 28 to Aug. 6, 2007.

More survey results about online usage:

"... online parents are more likely than ever to withhold Internet use as punishment — 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000... Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat..."

4 Of 10 Small/Medium Businesses in the US Are Not Secure

Darknet recently reported the results of a recent survey of 455 small and medium-sized businesses in the United States:

• "42% do not consider their networks to be secure
• 32% have suffered a breach over the past 12 months
• 96% and 93% have anti-virus software and firewalls; 80% have anti-spam products
• 71% say downtime and security issues are their main daily IT concerns
• 51% identify user support as a major daily concern
• 39% say email viruses are the greatest security risk
• 55% spend 10% or less of their IT budget on security measures
• 77% say this budget is enough to cover their security requirements
• 48% believe that better awareness on security among employees would improve the level of security while 25% want senior management to be more aware of security issues"

Of the 32% that reported a breach, the breach was caused:

"mainly due to a virus attack (69%), followed by infected internet downloads (30%) and loss of hardware, e.g. laptops (24%). Only 2% reported a breach involving some form of fraud or identity threat."

The survey was conducted in October 2007 by eMediaUSA for GFI Software. The survey respondents were senior executives or senior IT administrators. Download full survey results and methodology (Adobe PDF).