
15 posts from August 2007

Identity Theft and You

I enjoy reading the Time Goes By blog written by Ronnie Bennett. She offers much practical advice and interesting perspectives about "what it's really like to get older." Recently, Ronnie wrote about identity theft:

"According to the Identity Theft Resource Center, ID theft is the fastest growing crime in the U.S., and in some other countries too. During just the first six months of 2007, in the United States alone, the Center has tracked 187 corporate security breaches [pdf] involving the exposure of 64,940,727 records of personal information."

There's no positive spin to this bad news. It is what it is. A huge problem. That's a lot of identities at risk and some have already been abused. Ronnie also wrote:

"The types of organizations from which this information was exposed or stolen will surprise you. Universities are at the top of list along with medical organizations. Others include JP Morgan Chase, IHOP, AOL, IBM, Turbo Tax, Radio Shack, Xerox and a number of federal and local government agencies including FEMA."

"Although other identifying numbers – credit or debit card numbers, driver's licenses, etc. – can lead thieves to steal your identity, Social Security numbers are the prize with which thieves can loot bank accounts, take out loans in your name, open credit card accounts, access your tax records, and use your identity when arrested by the police."

And most importantly:

"Remember that only certain government agencies, employers and organizations that are required to report financial transactions to the government, can legitimately require your Social Security number, so don't give it out to anyone else. Retailers, such as the company from which I tried to buy a sweater, cannot and should not ask for that number. I have stopped using one credit card because the issuing bank requires my Social Security number for identification with them."

Last, I'd like to wish I've Been Mugged readers an enjoyable and safe holiday weekend. I am going to do the same.



Mistaken for a Car Thief, ID Theft Victim Jailed

The Atlanta Journal-Constitution newspaper reported in an August 8 news story that a "stolen wallet led to a Cobb County man's being jailed for a crime he didn't commit." The news story quoted Chamblee Police Chief Marc Johnson as calling it "the worst example of what can happen with identity theft."

The ID-theft victim was Andrew Garrett, a 26-year-old Kennesaw State University student. The police arrested Garrett at his parents' home and charged him with auto theft. Even though the arrest warrant described Garrett as African-American, the police arrested Garrett, who is Caucasian, anyway. Garrett was taken to the DeKalb County jail and was unable to post bail because the auto theft warrant was a felony warrant. According to the newspaper report:

"Unbeknown to Chamblee police, Andrew Garrett's wallet had been stolen earlier in the year. And when a woman reported that her son's friend had stolen her rental car, she gave police the ID information that her son's friend had given her — Garrett's name, license number and address."

The charges were dismissed after a police investigator took Garrett's booking photo to the woman, who told him that Garrett wasn't the car thief.

What to make of this? I see several implications:

  1. This is a good example of how criminals can use stolen identities during a crime for non-financial purposes. Not all identity theft includes breaking into financial accounts to steal money.
  2. Don't blame the police for arresting Garrett. They acted according to a judge's directions.
  3. Garrett was lucky. Even though his situation was very scary, it was resolved fairly quickly. And it happened in the USA. The same situation in another country, where distance, language, the availability of witnesses, and local laws are different, could have resulted in a longer jail stay and an extended nightmare.
  4. This story is an excellent example of how the Credit Freeze, Fraud Alert, and mandatory data breach notification laws cannot protect consumers from certain types of identity theft. Hence, it is imperative for companies and government agencies to prevent data breaches in the first place by using current and effective data security methods to protect the sensitive data of employees, former employees, and customers.
  5. It is important for ID-theft victims to file a police report when their identity is stolen.



New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "

I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:

  • Penalties for corporate violators,
  • Protections for ID-theft victims of data breaches by former employers,
  • Details about the fees and administration of the new "security freeze" option,
  • Promotional guidelines to inform consumers, and
  • Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."



Opt-out Resources for Consumers (Part 2)

I listed in Part One four opt-out resources for consumers who want to exercise control to limit the distribution of their personal data among companies and creditors. According to the Truston ID-Theft blog, there is a fifth resource for consumers:

Here’s some good advice from Clark Howard on yet another database that keeps records on you related to your auto and homeowners’ insurance.  According to Clark’s tip, it is called the C.L.U.E. report and you should check what yours says about you.

Apparently, your C.L.U.E. report is a file that insurance companies use to decide whether to offer insurance to you. And the insurance companies insert notes into your C.L.U.E. report. You can order a free C.L.U.E. report once each year, just like a free credit report. I'd never heard about this C.L.U.E. report before. Have you?



Identity Theft Humor

Reactions to IBM's data breach notification seem to vary. This June 26, 2007 post by Shelby was too entertaining not to mention:

"Staying on the sunny side of life, IBM informed me that the information had not surfaced anywhere and that it was in such a format that it required specialized equipment to access it. They also assured me that according to their extensive investigation, the information had simply been lost, not stolen. And also, they were really, really sorry about it. In exchange for being dumbasses, they have offered me a free year's membership in a credit monitoring service, which I accepted. The service looks pretty cool, and I bet [Kroll] threw a huge party when they got the IBM deal. I didn't have to provide any kind of payment information and the service would not be automatically renewed after IBM stopped paying, but of course I'm welcome to continue their service should I choose after my free period expires. Thanks IBM!"

I know how Shelby feels. IBM's carelessness has inconvenienced us both in time and money. Plus, the risk window (during which an identity thief could sell, resell, and/or abuse our personal data) extends far beyond IBM's one year of free credit monitoring offer. Thanks IBM!



Kroll's Offering From IBM Deserves Scrutiny

In a prior blog entry, I discussed IBM's data breach which affected an undisclosed number of current and former IBM employees. IBM offered its ID-theft victims one year of free credit monitoring with Kroll. This offer seemed attractive since prices range from "$50 to $200 per year" for a credit monitoring service. I signed up for Kroll's service in June to judge what Kroll provides -- and what IBM arranged.

Other ID theft victims are judging Kroll, too. DCG wrote the following comment about the credit-monitoring service IBM arranged with Kroll:

"I'm an EX IBM'er also. I enrolled in this service. It's a negotiated-down version that's specific to IBM. They normally provide you with copies of your credit report from all 3 agencies. The deal with IBM does not provide this. Once you enroll, they need to "baseline" your credit - that means that they need to establish what lines of credit exist right now. If your ID is stolen already, you're screwed. It'll take 1-3 months from the date of enrolling before "Theftsmart" will start generating reports. There is zero data in my account right now. Lovely service, eh?"

When I checked my Kroll account, I noticed that mine was empty, too. When I compared my Kroll account to another credit monitoring service I've had since 2004, Kroll's service seems (so far) insufficient with far less information. For example, my other credit-monitoring service provides the full text of my credit reports from the three national credit bureaus, plus a lot more detailed information about my credit status. My Kroll account doesn't.

If DCG's comments are true, then IBM has taken a huge shortcut -- the cheap route by arranging a watered-down version of Kroll's services. I am trying to keep an open mind... to continue comparing my two credit monitoring services. In a future blog entry, I'll share my findings.

For a different opinion, a reader at radioAe6rt posted these comments about Kroll:

"You’re lucky that IBM chose the best IMHO. If you check out [Kroll's] coverage, I believe that you will find that it also is a UNIQUE restoration coverage, in addition to having a monitoring benefit. In a data loss of non public information, IBM or any other company or organization, is liable for your losses plus fines under FACT. If a financial fraud is not contested within 60 days of the bill being mailed, then under FTC Regulation E, you owe that amount, even if it was mailed to a fake address. The average financial identity theft is over $93,000 and under FACTA, the company or organization is liable for that loss if the NPI data loss caused your identity theft. The few bucks they might save on a cheap MONITORING ONLY coverage is minor compared to losing almost $100,000 per person. (Otherwise Penny wise, pound foolish)"

I will verify this reader's comments in future blog entries. More importantly, I get the impression that IBM's offer of free credit monitoring makes it easy for IBM to shift the liability for its data breach to the data breach victim. The logic: we've given you credit monitoring... if the victim doesn't check their credit, then it's their fault. I find this insulting... let's remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees.

This reader also wrote:

"To large companies they [Kroll] offer a coverage similar to what we offer to individuals. Kroll is the only company which I know of that offers a TRUE “RESTORATION” coverage which does virtually all the work to RESTORE your identity or your spouse or significant other. The next best thing is a “RESOLUTION” coverage which is often advertised to sound like a “restoration” coverage. The next best thing gives you advice, but the victim does all the work for an average of OVER 600 hours of a trial and error that can turn into a nightmare. Almost 1/3 (27%) of those who do-it-themselves FAIL and never get their identity fixed, even after 5, 10, or more years. A restoration coverage has experts do virtually all the work to restore your identity by you just giving them a limited power of attorney to do the WORK FOR YOU, if an ID theft is discovered. The victim will still need to file a police report and maybe appear in court."

And:

"Kroll’s EXPERTS include former FBI and CIA agents, former law officers, forensic accountants, lawyers, etc. They are a 34+ year old publicly traded company with over 4,000 employees worldwide. They have been fighting identity theft for many years before the public became aware of it for the big corporations which are being hit. Then they decided they need to help those on the family side of identity theft. Most of the Identity theft services out there are only “monitoring” service either owned directly by the three main credit repositories (aka credit bureaus), or an affiliate who is reselling the services of these 3 companies. They may be offering the service under another name. I can send you more details about why restoration is the ONLY wise choice, and it can cost less than just a simple monitoring service. Ironically, a monitoring service can cost you DOUBLE what you can get the best KROLL coverage for at a discount, if the monitoring service charges full price to monitor each person in a couple."

Is this reader a Kroll employee or a paid consultant? I wonder.

Anyway, I can tell you this: I do not work for, nor am I affiliated with any computer manufacturing, software development, credit bureau, credit investigations, credit attorney, credit monitoring, or credit-consulting companies. You can rely on the fact that I've Been Mugged is independent. I've Been Mugged operates independently so my blog entries aren't tainted by corporate interests or hired consultants.

Like most other ID theft victims, I'm just an individual consumer trying to navigate a complicated ID-theft landscape which is full of potholes and detours. I am willing to ask the hard questions. I hope that you are, too.

What do you think of Kroll's services? If you are an IBM data breach victim, have you signed up for Kroll? Why or why not?



RSS Explained (Simply)

First, congratulations to Lori Magno, a coworker at Digitas and one of the 103 authors of the new social media book The Age of Conversation. I look forward to reading the book and Lori's chapter titled "Speak to me TJX." Lori's Moda di Magno blog is a fun and entertaining read, which I highly recommend. Lori's interests include jewelry design, precious metal, clay, gemstones, 60's California pop music and Noir films.

Now, on to today's topic...

Some I've Been Mugged readers have asked what RSS is. (You can receive alerts of new entries for this blog via e-mail or RSS. See the 2 links in the right column.) Basically, RSS -- known as either "Rich Site Summary" or "Really Simple Syndication" -- is a format to deliver frequently updated or changing content. Many news sites, blogs and other online publishers distribute their content via RSS feeds -- for free.

I like RSS a lot because it makes my Internet use far more efficient. How? I don't waste time visiting each web site individually to see what's new. Instead, I use software called a "newsreader" or "feedreader" which automatically checks the web sites for the RSS feed topics I specify. (A well-designed web site offers several RSS feeds, each for a different topic.) The feedreader software can check several RSS feeds for updates far faster than I can manually. I just open my feedreader and browse the headlines and summaries for the RSS feeds I've specified. Each headline is a link to the web site for the full text. I can click on the headline link, or not.

An example: in about 2 minutes, I can scan all of the latest new headlines from the New York Times, BBC, Xinhuanet, Kyodo, CNN, and 5 of my favorite Identity Theft blogs. If I surfed to each site separately, the same task would have taken me an hour or more. I also like RSS because it is FREE and it reduces e-mail in-box clutter. I sign up for fewer e-mail newsletters since I get the publisher's RSS feed instead. And I don't have to worry about e-mail spam. There's no spam with RSS. Most RSS feeds don't have ads. You see ads only when you visit the feed publisher's web site.

So, you can think of RSS as your personal news clipping service, except there are no scissors, no paper, no wait, no fee, and no limit to the topics you can view via RSS. Web sites continually update their RSS feeds whenever the web site contains new content.

If these aren't enough reasons for you to upgrade to RSS, then consider that many people regard RSS as the best of the Web 2.0 features.

Long before IBM's data breach, I used the web-based Google Reader feedreader -- which is FREE. My wallet likes that. For even greater efficiency, I also use the RSS feedreader embedded in my Firefox web browser. That's FREE, too. My wallet likes that, too. If you want to learn more about RSS, visit the What Is RSS page or Wikipedia.
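A feedreader's core loop, as an added example that is not code from the original post: it parses a small RSS 2.0 feed constructed inline (the blog name, links and guids are invented), keeps only http(s) headline links because a feed is untrusted input, and reports just the items that were not seen on the previous poll.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample feed (not any real blog's feed). The second item carries
# a non-http link that a feedreader should refuse to turn into a clickable headline.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Sample Identity Theft Blog</title>
    <link>https://blog.example/</link>
    <item>
      <title>New ID Theft Law in Massachusetts</title>
      <link>https://blog.example/2007/08/ma-law</link>
      <guid>post-102</guid>
      <pubDate>Fri, 10 Aug 2007 09:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Opt-out Resources for Consumers</title>
      <link>javascript:void(0)</link>
      <guid>post-101</guid>
      <pubDate>Wed, 08 Aug 2007 09:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""


@dataclass(frozen=True)
class Headline:
    guid: str
    title: str
    link: Optional[str]  # None when the feed's link was rejected
    published: str


def safe_link(url: str) -> Optional[str]:
    """Accept only http(s) URLs. Feeds come from third parties, so any other
    scheme is dropped rather than rendered as a clickable headline."""
    url = url.strip()
    try:
        scheme = urlparse(url).scheme.lower()
    except ValueError:
        return None
    return url if scheme in ("http", "https") else None


def parse_feed(xml_text: str) -> list[Headline]:
    """Extract headline, link and date from every <item> of an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 feed: missing <channel>")
    headlines = []
    for item in channel.findall("item"):
        link = (item.findtext("link") or "").strip()
        # RSS items usually carry a <guid>; fall back to the link when absent.
        guid = (item.findtext("guid") or link).strip()
        headlines.append(Headline(
            guid=guid,
            title=(item.findtext("title") or "").strip(),
            link=safe_link(link),
            published=(item.findtext("pubDate") or "").strip(),
        ))
    return headlines


def poll(xml_text: str, seen: set[str]) -> tuple[list[Headline], set[str]]:
    """One feedreader poll: return only headlines whose guid has not been seen
    before, plus the updated seen-set to persist for the next poll."""
    fresh = [h for h in parse_feed(xml_text) if h.guid not in seen]
    return fresh, seen | {h.guid for h in fresh}


if __name__ == "__main__":
    new, state = poll(SAMPLE_FEED, set())
    for h in new:
        print(f"{h.published}  {h.title}  -> {h.link or '(link rejected)'}")
    again, _ = poll(SAMPLE_FEED, state)
    print(f"second poll: {len(again)} new headline(s)")
```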



Identity Thieves Operate Quickly

Many of my coworkers know I write this blog. Matt, a coworker in my employer's New York City office, shared his identity theft story with me. When Matt and I first traded e-mails on July 16th, I gave him the link to I've Been Mugged. Portions of Matt's e-mail message highlighted how quickly identity thieves operate:

"I’m neck deep in this BS and the number of places an individual could have obtained the info they have is extremely (dare I say frighteningly) limited. My info isn’t publicly available, but this person somehow got hold of my SS#, too. By the time you’d sent your note, I’d only known about the theft for roughly ten days but had contacted every financial institution and credit granting and reviewing agency under the sun."

"But that wasn’t enough. Despite having had the security alerts placed, the person still managed to open up a bank account in Chicago (complete with checking, debit and credit cards and a massive line of credit), obtain a credit card from Radio Shack and another one from a company I’ve never heard of. Thankfully, they’ve also been denied at another half dozen places so the pseudo helpful protection measures work to a limited extent. It’s been an incredibly time consuming nightmare. Thanks again for the [I've Been Mugged] link!"

When I read a story like this, it confirms for me the need for timely and fast notification by companies (especially prior employers) of data breaches, including when that company was merged with or bought by another company. A 2-month delay for breach notification is far too long (do you hear that, IBM and TJX?).



A Conversation with IBM (Part 2)

On July 18, I discussed IBM's data breach with Mr. Windall White, a representative at IBM's North Carolina facility. During this phone conversation, Mr. White and I discussed my letter to Barbara Brickmeier, IBM's Vice President of Human Resources, since IBM's data breach notification came from Mrs. Brickmeier's office. Part One in this blog discussed questions about IBM's breach notification and the data breach. This blog entry covers more questions Mr. White and I discussed on July 18:

Does IBM still maintain archived data tapes with my personal data?

Mr. White explained that it has been IBM's policy to archive the personal data of former employees. After the "loss" of the back-up data tapes (with my 16-year-old data), IBM reconstructed the list of affected employees and former employees. To contact some former employees (like me), IBM hired Kroll to search public records. So, IBM (and Kroll) now have my current personal data. Mr. White did not say how long IBM planned to continue to archive my personal data, or when (or if) IBM might destroy my personal data.

Why does IBM archive records with personal data of former employees?

Mr. White explained that it has been IBM's policy to archive personal data for all former employees since different states and courts have varying requirements for records retention. He also repeated the statements from IBM's breach notification about, "... for a variety of legal, tax, and other reasons, as well as to verify IBM employment." I reminded him that the personal data IBM originally had about me was 16 years old... not very useful for employment verification. I also reminded him that I have no relationship with IBM (e.g., pension, retirement account, 401-K account, etc.) so the "tax" reason seemed irrelevant. Again, I received the standard answer.

Mr. White also indicated that IBM's protocols were under review. It was hard for me to judge how sincere a statement this is. Is IBM truly reviewing its protocols regarding records retention, or is this a convenient (and vague) answer to get me to go away quietly?

How long does IBM plan to archive my personal data?

Again, Mr. White (and IBM) were vague in answering this question. Mr. White indicated that it has been IBM's policy to retain personal data for former employees. Mr. White did not indicate when, if at all, IBM would destroy my personal data. I emphasized with Mr. White that destroying the personal data of former employees would reduce the risk to both IBM and to me of any future data breaches. I left the phone call with the understanding that IBM was continuing to archive my personal data with no destruction date planned.

What processes is IBM using to protect my personal data?

I didn't expect IBM to divulge any trade secrets, but I did ask this question because I need to feel confident that IBM is doing everything it can to protect the personal data it archives about me. Again, Mr. White's answers were vague and unhelpful.

Why did it take IBM 2.5+ months to notify me of their data breach?

First, I applaud IBM for notifying me of their data breach, especially since data breach notification is not required (yet) in the state (Massachusetts) where I live. Second, I asked this question since I received IBM's breach notification letter over 2 months after the data breach; plenty of time for identity thieves to do damage. I emphasized with Mr. White that I need to feel confident that IBM will contact me in the future in a more timely manner. Mr. White explained that IBM will use the IBM data breach notification web site and other means -- I assume to be surface postal mail and/or the telephone. My inquiry to IBM included my current e-mail address (which IBM hasn't used so far).

If other former IBM employees want to contact IBM, I've listed Mr. White's contact information below. Maybe you can get more detailed answers from IBM than I did:

Mr. Windall White
IBM, Inc.
3039 East Cornwallis Road
P.O. Box 12195
Research Triangle Park, North Carolina 27709-2195
Phone: (919) 543-5246

Post-IBM-conversation thoughts and considerations: My biggest take-aways from my conversation with IBM were that: a) IBM has had, and still has, an internal policy to archive personal data for all employees, and b) it archives this data forever. This policy sounds like a huge C-Y-A move based on the off-chance that IBM may have to defend itself in a lawsuit. IBM's records retention policy may have been effective in past decades before digital data, the Internet and home computers, but the policy now appears antiquated and obsolete given today's data environment, security needs, and ID theft threats. (Example: under IBM's existing policy, it stored employees' complete SS# and address. For increased security, many states today mandate that retailers store only a partial employee SS# and still perform the required validation and checks. IBM could do the same.)

I also wonder why IBM kept my personal data for 12 years; 16 years including the time Lotus archived it, too. IBM's records retention policy seems to fly against generally accepted retention guidelines. Bradley University has compiled tables with the federal and state laws for records retention by:

When I reviewed these tables, I noticed that most conditions for retention ended before 3 or 4 years. Only two Health Records conditions specified a longer retention period: 30 years for "Exposure and monitoring records," and "Employment physicals/medical exams." While I am not a legal or records retention expert, neither condition seems to apply to my situation. Nothing in the tables seems to validate IBM's decision to archive former employee data for 16 years, or more. I don't have any pension, retirement, 401-K, or active files with IBM, except for the new investigation file IBM has created due to their February 2007 data breach.

I'd probably have no problem with IBM archiving my personal data if either a) IBM's record retention policy wasn't to archive former employee personal data forever, and b) I felt confident that IBM was doing everything possible to protect my personal data. There are just too many gaps and vague answers from IBM for me to feel confident. And, the one year of free credit monitoring just doesn't cover the risk period IBM's data breach has created.

What do you think? Are IBM's answers satisfactory to you? What do you make of the Bradley University tables about records retention?



Opt-out Resources for Consumers

A prior post discussed the importance of shredding to reduce your risk of identity theft from pre-approved credit offers sent via snail-mail. While you can shred these snail-mail letters, you have no way of knowing whether you have received all of your snail mail, especially if your mailbox doesn't have a lock.

One solution is to opt-out of pre-screened credit and financial offers. Why? You have less to shred, and this reduces your risk of ID theft by thieves who scavenge snail-mail boxes. According to the Truston blog:

It occurred to me that with all the noise about different opt-out methods, by far the most important one to do is call your existing bank, credit union or card issuer and ask them to opt you out of all marketing offers, including (especially) any promo or convenience checks.

You know your bank and credit card issuer. Their phone number is on the reverse side of your cards. Call them today and tell them you don't want any pre-screened loan offers, credit card offers, or convenience checks. I did. And, I also visited these web sites:

  • The Do Not Call Registry operated by the U.S. Federal Trade Commission. This opt-out resource helps you eliminate pesky phone calls from telemarketing companies. Residents in some states should also consider the Telephone Preference Service opt-out operated by the Direct Marketing Association (DMA).
  • The DMA also provides the E-mail Preference Service for consumers to opt-out of e-mail offers. This resource won't stop all e-mail offers; only those from companies that use the DMA to clean their e-mail lists.
  • The DMA also provides the Mail Preference Service for consumers to opt-out of snail-mail offers.
  • The Opt-out Pre-screen resource operated by the Consumer Credit Reporting Industry. I've already noticed a reduction in the number of pre-approved snail-mail offers I receive.
  • To make it tougher for people to access your personal data, you can also contact your local phone company and opt-out of both the printed and online phone directories. I did many years ago. There is usually a monthly fee, which I feel is well worth it.

In an earlier blog entry, I commented about how the U.S. financial system is tilted towards making it easy for companies to share our credit information, and tilted away from strong protections for consumers. Notice the pattern with the above list of web sites. Consumers have to opt-out, which means the system's default is to automatically opt-in consumers. This is a good example of the "tilted" system.



New Hampshire Does It Right

To determine how well my state helps protect me against identity theft, I look at what other states have done. New Hampshire is one of the few states that are leading the way on identity theft protection for consumers. According to the Security Bytes blog:

"There are a few states that demand that organizations that suffer security breaches that compromise customer data report those incidents to the state as well as the affected individuals. One of those forward-thinking states is New Hampshire, and the state has gone a step further and decided to post to its Department of Justice Web site all of the notification letters it receives. The archive only goes back to November 2006 right now and includes a few dozen entries, but that will grow as more companies are breached."

At the NH site, you can view IBM's data breach notification dated April 26, 2007; more than two months after the February 2007 data breach incident. I received IBM's notification in May 2007, and my letter didn't even have a date printed on it. Is that how a world-class computing and software company operates?

Congrats to New Hampshire and to its citizens! I look forward to similar efforts by Massachusetts and other states. Does your state post data breach notification letters online? If so, tell us below. I've Been Mugged readers want to know.



Fun with Identity Theft

A friend writes the Boston Downtown Women's Club blog. Diane's blog post about how society obsesses with the clothing choices of female politicians is definitely worth a read.

Now, on to today's blog topic...

For many people, identity theft is a scary topic. However, several identity theft web sites prove that a serious and scary topic can be presented in an engaging and entertaining manner... and still be highly informative. Listed below is my short list of the best online ID theft quizzes.

What makes a good ID theft quiz? In my opinion, an outstanding quiz:

  • Presents a mix of visual and textual content, since some users are visual while others love to read. Poor quizzes tend to be all text or all images.
  • Provides clear and easy-to-read feedback both during the quiz and at the end. Feedback during the quiz includes a "progress meter" to inform the user how long the quiz is, where the user is within the quiz, and how much of the quiz remains to be completed.
  • Allows the user to print and/or save quiz results.
  • Is short in length. A long quiz feels like work, which can be intimidating. If the quiz must be long, then it should allow the user to complete the quiz in segments.
  • Provides feedback at the end of the quiz which is easy-to-read, easy-to-understand, and actionable: the user can take action immediately to better protect himself or herself from identity theft.
  • Is easy to find. With a simple keyword search at any of the leading search engines (e.g., Google, Yahoo), the user should be able to easily find the quiz in the first search results page.
  • And most importantly, the online quiz should not require the user to disclose personal data.

My short list covers quizzes aimed at U.S. residents. I'm sure there are many more worldwide. If you've found a good quiz, share it. I've Been Mugged readers want to hear about the quiz you think is best.

Now, my top picks:

  1. ID Theft Faceoff (the music and animation are a hoot!)
  2. Identity Fraud Safety Quiz by the BBBOnline and Javelin Strategy
  3. Identity Theft Protection Quiz by TD Banknorth
  4. Phishing IQ Test by SonicWall
  5. Honorable mention: Identity Theft IQ Quiz by Privacy Rights Clearinghouse (the "mother" of all quizzes which many sites and blogs reference)



New ID Theft Law in Minnesota

To determine how well my state helps protect me from ID theft, I look at what other states have done. On July 31, 2007 the Caveat Emptor blog wrote:

"Starting tomorrow, a new law takes effect in Minnesota that will prohibit merchants from storing a customer’s PIN, CVV security code, or magnetic stripe information for more than 48 hours. In another year, the penalty provisions of the law kick in, which allow banks to sue merchants for security breaches. The law essentially gives teeth to security standards already put in place by Visa, MasterCard, and American Express."

This Minnesota law helps prevent payment fraud after an ID thief has stolen a customer's card information. Retailers can still retain the customer's card number, expiration date, and cardholder name. My impression is that this new law was prompted by the TJX breach.

There are some good comments by readers on The Consumerist blog about the advantages and disadvantages of this new law. One reader commented:

"In order to settle with the card companies and handle disputes, retailers have to retain this data [name, card number, and expiration date]. Mastercard allows 12 months for disputes, Visa 18 months, and AmEx 24 months. Your data will be retained for some period, I guarantee it. If it was not retained, then card fraud would increase dramatically and costs would go up even more. The problem is keeping unnecessary data and not controlling properly the usage, retention, and storage. Security requirements (known as the PCI DSS) mandated by Visa, Mastercard, Discover, and AmEx already prohibit storage of the information mandated in this law. Not that MOST merchants are compliant. Maybe this will help. Maybe. What this will do is help the merchant banks, card issuers, and card companies further push liability for breaches to merchants. This is NOT necessarily a good thing, although there is a certain amount that needs to happen. I don't want to debate here the extent that a company should go to to protect personal data. The bar needs to be higher than it already is, but regulation in this area will ultimately only lead to INEFFECTIVE and EXPENSIVE security controls, instead of useful ones."

Another reader commented:

"For a receipt lookup, a store could easily get away with storing just the last 4 of the card number and expiration date and then doing a match in their database with that and the UPC. Store the cardholder's name too, so in the one-in-a-gajillion chance someone else with the same last 4 and same expiration date bought the exact same item as you, the cashier can just ask you for the name on the card and match it up."

I wonder which other states provide a law similar to this new one in Minnesota.

To me, a law like this is a step in the right direction. A better law would have limited retailers to storing only the last 4 digits of the consumer's credit card number. Regardless, this new law is good news since it, a) clarifies who is responsible for what (e.g., the retailer vs. the credit card company); b) specifies which personal data should be retained vs. destroyed, and by when; and c) provides consumers with greater protection against identity theft.
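The retention rule in the Minnesota law and the receipt-lookup design the Consumerist reader sketches above can be made concrete in code. The Python below is an added example written for this page, not code from the statute, the card brands, or any retailer; the record layouts, the field names, the 48-hour purge and the sample card records are assumptions constructed for the demo (the PANs are made up and are not real accounts).

```python
# Added example, not from the original post or the Minnesota statute.
# All card records here are constructed sample data (not real PANs).
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Fields a merchant may not keep past 48 hours under the Minnesota law and
# may never store after authorization under PCI DSS.
FORBIDDEN_FIELDS = frozenset({"pin", "cvv", "track1", "track2"})
AUTH_RETENTION = timedelta(hours=48)


@dataclass(frozen=True)
class AuthorizationRecord:
    """Everything the terminal sees at swipe time (constructed layout)."""
    pan: str
    expiry: str          # MMYY
    cardholder: str
    cvv: str
    pin: str
    track2: str
    upc: str
    amount_cents: int
    authorized_at: datetime


@dataclass(frozen=True)
class RetainedReceipt:
    """The only card data the receipt-lookup table keeps."""
    last4: str
    expiry: str
    cardholder: str
    upc: str
    amount_cents: int
    authorized_at: datetime


def last4(pan: str) -> str:
    """Keep the last four digits only; reject implausible PAN lengths."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[-4:]


def retain(auth: AuthorizationRecord) -> RetainedReceipt:
    """Reduce a full authorization record to the form that may be stored."""
    return RetainedReceipt(
        last4=last4(auth.pan), expiry=auth.expiry, cardholder=auth.cardholder,
        upc=auth.upc, amount_cents=auth.amount_cents,
        authorized_at=auth.authorized_at)


def as_row(record) -> dict:
    """Flatten a record into the column/value dict a database layer would see."""
    return asdict(record)


def violates_storage_rule(row: dict) -> bool:
    """Storage-side guard: True if a row still carries any forbidden field."""
    return any(k.lower() in FORBIDDEN_FIELDS for k in row)


def purge_stale_authorizations(cache: list, now: datetime) -> list:
    """Drop full authorization records older than the 48-hour window."""
    return [a for a in cache if now - a.authorized_at < AUTH_RETENTION]


def lookup_receipt(table, last4_digits, expiry, upc, cardholder=None):
    """Receipt lookup on last4 + expiry + UPC; cardholder name breaks ties."""
    hits = [r for r in table
            if (r.last4, r.expiry, r.upc) == (last4_digits, expiry, upc)]
    if len(hits) > 1 and cardholder is not None:
        hits = [r for r in hits if r.cardholder.lower() == cardholder.lower()]
    return hits


def sample_authorizations() -> list:
    """Two constructed swipes of the same item, same last4 and expiry,
    by different cardholders; the second is 50 hours older."""
    t = datetime(2007, 8, 1, 12, 0)
    return [
        AuthorizationRecord("4111 1111 1111 1111", "1209", "Pat Smith", "123",
                            "9876", ";4111111111111111=0912101?",
                            "012345678905", 2999, t),
        AuthorizationRecord("5555 5555 5555 1111", "1209", "Lee Jones", "456",
                            "4321", ";5555555555551111=0912101?",
                            "012345678905", 2999, t - timedelta(hours=50)),
    ]


if __name__ == "__main__":
    table = [retain(a) for a in sample_authorizations()]
    print([r.cardholder for r in lookup_receipt(table, "1111", "1209",
                                                 "012345678905", "lee jones")])
```

The split into two record types means the forbidden fields have no column to land in once `retain()` has run; `violates_storage_rule()` is the second check at the database boundary for rows assembled some other way, and `purge_stale_authorizations()` covers the window the law still allows for the full authorization record.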

However, this new legislation is limited in that it focuses on retail data breaches. The Privacy Rights Clearinghouse has compiled a list of data breaches since 2005 that documents both retailer and employer breaches. Hence, effective legislation needs to cover both: a) how long employers can retain unnecessary personal data about former employees, b) the personal data employers are allowed to retain, c) the personal data employers must delete and by when, and d) penalties for violators.

In a prior blog entry, I discussed how IBM updated my 16-year-old personal data; an update approach it probably did for many other former employees, too. What do you think?



Networkers Warned About ID Theft

On July 22, 2007, Sky News reported:

"People who use internet networking sites could be putting themselves at risk of becoming victims of identity theft, a credit information group is warning. Equifax said people who were members of sites such as MySpace, Bebo, Facebook and Friends Reunited may be putting too many personal details about themselves online. Neil Munroe, external affairs director for Equifax, said: 'Fraudsters are taking advantage of the new craze for social networking.' "

Thanks Equifax for the warning. Yes, it is appropriate to warn people not to give out too much personal data at any site, not just online social networking sites. The U.S. Federal Trade Commission has a web page dedicated to identity theft and social networking sites with safety tips for teens and tweens. I think that it is rather arrogant for a national credit bureau to give this warning when there are so many issues with credit bureaus and their credit reports (e.g., re-aging, errors, privacy, etc.). Plus, the weak Fraud Alert tool doesn't provide consumers with the protections needed. And, the national credit bureaus oppose beneficial state legislation like the Credit Freeze tool which provides consumers with stronger protections.

My message to the credit bureaus: clean up your act first, before you focus on somebody else's issues.

Regarding the social networking sites, I am very selective about the ones I use. In fact, I only use LinkedIn for networking among business colleagues.



How To Destroy A Hard Drive in 5 Seconds

I have an old (Windows 98, 166 MHz) desktop PC I need to dispose of in a secure manner. I had planned to reformat the hard drive. (Reformatting alone does not erase the data: a format rewrites the filesystem's bookkeeping structures, and the old file contents stay on the platters until they are overwritten or the platters are destroyed.) I found this blog post by Bob Congdon which is too entertaining not to mention:

"I'm getting rid of an ancient PC. It still runs but is old enough that none of the parts are worth saving. It's going to get recycled but I didn't want to go through the trouble of wiping the hard drive. So I decided to destroy it. Initially I tried to take it apart but the drive unit is sealed and I couldn't get the cover off. So I took a hammer to it. The case is a lot more sturdy than I expected. But after a few whacks, the cover was off. And now the drive is in pieces and it's unlikely that anyone but the NSA could get the data off its mangled platters. But it took a while."

Bob's post also mentions a Network World article about Guard Dog, a device for wiping a hard drive that holds sensitive data. I think I'll use the sledgehammer... it's cheaper and more fun.
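Since a reformat does not overwrite anything, the usual alternative to the hammer is to overwrite the whole drive and then read the raw bytes back to confirm. The Python below is an added example written for this page, not code from Bob Congdon's post or the Guard Dog product. A temporary regular file stands in for the drive; running the same `overwrite()` against a device node such as /dev/hdb is an assumption (it would need root and a drive nobody wants back), and the marker string and its offset are constructed sample data.

```python
# Added example, not from the original post. A temporary regular file stands
# in for the drive; the marker, its offset and the image size are assumptions
# made for the demo.
import os
import secrets
import tempfile

CHUNK = 1 << 20                  # read and write in 1 MiB pieces
MARKER = b"SSN:123-45-6789"      # constructed stand-in for sensitive data


def make_sample_image(path: str, size: int, marker: bytes, offset: int) -> None:
    """Constructed disk image: random filler with a known record at offset."""
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(offset))
        f.write(marker)
        f.write(secrets.token_bytes(size - offset - len(marker)))


def marker_present(path: str, marker: bytes) -> bool:
    """Scan the raw bytes, as a recovery tool would, for the marker.
    A tail of len(marker)-1 bytes is carried between chunks so a hit that
    straddles two chunks is not missed."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-keep:] if keep else b""


def overwrite(path: str, passes=(None, b"\x00")) -> int:
    """Overwrite the whole file in place, once per pass: None means random
    bytes, otherwise the given single byte. fsync after each pass so the
    data has reached the medium before the next pass starts.
    Returns the number of bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_and_verify(path: str, marker: bytes) -> bool:
    """Overwrite, then confirm by reading the raw bytes back."""
    overwrite(path)
    return not marker_present(path, marker)


def demo(size: int = 3 * CHUNK) -> tuple:
    """Build the sample image with the marker straddling a chunk boundary,
    prove the marker is readable, wipe, and re-check.
    Returns (found_before, wiped_ok, size_after)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path, size, MARKER, offset=2 * CHUNK - 5)
        before = marker_present(path, MARKER)
        ok = wipe_and_verify(path, MARKER)
        return before, ok, os.path.getsize(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Overwriting one file is only a demonstration of the loop: journaling and copy-on-write filesystems, remapped bad sectors and flash wear-levelling can all leave old copies that an in-place file overwrite never touches. That is why the overwrite is run against the whole device (or the drive's own secure-erase command is used) and then verified by reading the device back, and why physical destruction remains the simpler answer for a drive nobody wants to reuse.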
