Fraud Alerts
Protecting Yourself

IBM's Offer

A prior blog entry discussed how IBM had lost data tapes containing the personal data for thousands of current and former employees. What was IBM's offer for the affected employees? One year of free credit monitoring. While a Fraud Alert is free, consumers can pay anywhere from "$50 to $200 per year" for a credit monitoring service.
I really do appreciate IBM's offer of free credit monitoring service for one year. Credit monitoring is wise because the 2003 FTC Identity theft survey found that consumers who monitor their credit tend to lose less money to identity theft and spend less time and money fixing the problem. has a page that clearly explains the benefits of a credit monitoring service. However, a credit monitoring service has its limitations.
First, credit monitoring is like any other service. Some consumers like it, some say the value isn't there, and others prefer stronger protection. A recent BBB and Javelin study found that credit monitoring services uncovered about 11% of fraud. A credit monitoring service won't protect you against all types of identity theft, just the scams where the thief applies for credit, a loan, or a product purchase where the company checks with one of the three national credit bureaus for your credit data. An example, a credit monitoring service won't protect you when an identity thief gives law enforcement your stolen identity during a traffic stop or a crime.

Second, while credit monitoring is strongly recommended, paying for a credit monitoring service isn't for everyone. The Identity Theft Resource Center advises the following after a data breach:

Place a fraud alert with each bureau (asking companies to contact you prior to issuing credit) and request your free copy of the credit report. It is free because your information was breached. If asked, you are a potential victim of id theft... Check your report carefully for any irregularity...Use the annual credit reports system to monitor your credit report over the next year. Stagger them out by ordering one every four months.

According to the Security Breach Guide at the Privacy Rights Clearinghouse site:

"Every consumer, whether or not a victim of identity theft, can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report. In addition, laws in several states give individuals other opportunities to obtain free credit reports."

So, you can order your free annual credit report from all three national credit bureaus at once, or stagger when you receive them over several months.

Third, if you already have credit monitoring, then another offer of free credit monitoring is really minimal or no help at all. When IBM notified me, I had already established a credit monitoring service through my Discover Card 4 or 5 years earlier. At worst, IBM's offer is no help because it duplicates an existing credit monitoring service. At best, IBM's offer is an opportunity for me to compare over time two credit monitoring services and cancel the poorer service at the end of the year. What I did learn is this: make sure that whatever credit monitoring service you use, a)provides real-time alerts about inquiries into your credit file; and b) monitors all three national credit bureau services. My service monitored one, but it provided a free upgrade to all three credit bureaus. Obviously, I happily upgraded.

Fourth, IBM's offer of free credit monitoring for one year could be seen as a slick effort to shift focus and responsibility from IBM to the consumer and his/her credit monitoring service. IBM still has a duty to protect the personal data for all current and former employees, to inform us of IBM's processes to protect our data (e.g., through various required  correspondence, IBM now has my current personal data), and to inform us of the results of its investigation about the data tape loss/theft. The credit monitoring service is not and should never be an excuse for any company to avoid responsibility for protecting the personal data it stores.

Fifth, IBM's offer of free credit monitoring for one year doesn't address the fact that the risk period of identity theft extends far beyond one year. IBM created this risk when their subcontractor lost (or stole) my personal data. Smart identity theft thieves can just sit on the data for 2 years or longer, and then use (or sell) the stolen data. Or it may take more than a year for the thief to sell the data and for a buyer to use the stolen personal data.

In my opinion, the length of the free credit monitoring service should match the risk period. IBM lost my personal data. There has to be a consequence when a company doesn't adequately protect personal data. If the free credit monitoring period doesn't match the risk period, then IBM has unfairly shifted the burden from themselves to the ID theft victim. In the instances where a victim already has a credit monitoring service, the company should reimburse the consumer for that risk period.

Moreover, IBM's offer is like giving me the sleeves from a vest. It does not solve the problem that led to the data tape loss/theft. It does not address IBM's internal process and policies, or lack of enforcement, which led up to an IBM contractor losing (or stealing) the employee data. It does not address IBM's responsibility to inform victims and to protect the personal data consumers have entrusted it with.

Next entry: protecting yourself


Feed You can follow this conversation by subscribing to the comment feed for this post.


Here’s the problem: 80 percent of identity fraud today is called synthetic ID fraud or ID cloning. What the ID thieves do is steal only your SSN and through a variety of nefarious, but quite clever methods, create a brand new person. The problem for you is that the fraud usually won’t show up on credit reports because the only identifier that matches you is the SSN.

And what if the fraud is not financial in nature?

It won’t show up at all…comforting, huh?

There are hundreds of ways your identity can be used that will never show on any credit report: immigration fraud, medical fraud, false driver’s licenses, tax fraud, utilities fraud, employment fraud…how is monitoring your credit going to find these?

Answer: It won't.

Credit monitoring will not detect, prevent, or help you with any of the above crimes. It can barely even detect financial fraud: Experian actually admitted to the New York Times that their credit-monitoring products could not detect fraud cases in which a credit applicant used his/her own name, address and phone number with someone else's (i.e. YOU) Social Security number. Again, this is over 80%of ID Fraud today!

The sad truth is that you alone cannot protect your identity. Your information resides in thousands of databases nationwide and your information is only as secure as the database it’s in. We’re talking about billions of data points, including Social Security, Driver’s License, Motor Vehicle, Criminal, Civil, Legal, Licensing, Financial, Medical, Marketing, Consumer- there is no way that you and I as individuals can keep up with this information.

It seems like every week there’s a new story about a security breach in which people’s personal information has been compromised. Data breaches increased 47% between 2007 and 2008, reaching 656 breaches in 2008 alone. MILLIONS of identities have been compromised in these breaches and given that most people are unaware of the true nature of identity theft,this means tens of thousands of people are already a victim of Identity Theft and have yet to find out!

Thankfully, there are now a few companies out there that monitor your full identity by monitoring more than just your credit. When it comes to finding a good company to protect your identity from theft and fraud, look for companies that can:

1. Find it.
2. Stop it.
3. Fix it.

Hope that helps: LRK

The comments to this entry are closed.