"LifeLock Inc.'s chief executive officer is taking the offensive by proposing sweeping changes to how the three major credit bureaus operate as the company prepares for a potentially bitter legal battle with Experian. Todd Davis, co-founder and CEO of Tempe-based LifeLock, kicked off a multi-state tour this weekend in which he is urging businesses and consumers to demand that their legislators do more to fight identity theft and fraud."
Davis wants Fraud Alerts extended from 90 days to at least one year. According to the news report:
"The fraud alerts are at the heart of a lawsuit that Experian filed against LifeLock almost two weeks ago in U.S. District Court for the Central District of California. LifeLock charges customers $10 per month for its service, which includes signing them up for the temporary alerts with the three credit bureaus every three months."
It's important to note that the credit bureaus are mandated by law to provide the fraud alerts for free to consumers. The credit bureaus also offer for-fee credit monitoring services like LifeLock's service. (See the listing in the right column.) So, Experian's claim that Lifelock charges what Experian is forced to do for free, seems weak since it seems to ignore Experian's credit monitoring services.
The other change proposed by LifeLock:
"Davis said he hopes consumers will pressure their legislators to introduce measures that impose tougher prison standards for people convicted of ID theft and related crimes and limit the use of personal information, among other changes."
The article doesn't explain what Davis means by, "tougher prison standards for people convicted of ID theft..." and by, "...limit the use of personal information." If LifeLock is truly promoting changes for the consumers' benefits, I hope that their proposal includes:
- Restitution by the criminals for identity-theft victims
- Emphasis and funding for law enforcement to pursue identity-theft criminals. (Unfortunately, in the latest FTC report 8% of identity theft victims tried to file a police report and it wasn't taken. That's 8% too much)
- Clearer, consistent legislation across states about what consumers' personal data companies can archive, how they must protect it, and what items must be purged by when
- Consistent "Shine The Light" notification laws across states (requiring retailers to disclose where consumers' personal data is shared)
- Consistent data breach notification laws across states
- Consistent anti-skimming laws across states
- Stronger legislation to protect whistle blowers, and stronger penalties for companies and individuals who abuse them
- Suggestions to to strengthen data security among small businesses
A LifeLock press release mentions the company's tour through several Southeastern states, but doesn't mention any of the above details. Rather, Experian and Lifelock seem to be fighting over who gets the money from consumers in the growing credit monitoring services marketplace. But there's more:
"Davis argues that Experian doesn't want to spend the time or money to help all the consumers seeking protection. "What Experian is counting on is if a consumer has to renew this every 90 days, they won't stick with it," Davis said by telephone from Florida on Monday afternoon."
The news report quoted Equifax spokesman David Rubinger as saying:
"We believe (a 90-day fraud alert) provides ample time for a consumer to determine if they've been a victim of identity theft, and of course it can be renewed in a matter of minutes if they still need more time," Rubinger said.
Hmmmm. I definitely disagree with Rubinger's statement.
I started writing this blog after IBM exposed my personal data in February 2007. As I researched the identity theft issues, I found that current business practices heavily favor companies making money by trading consumers' personal data, while consumers bore an unfair portion of the risks after a data breach.
So far, nothing negative has appeared yet on my credit reports from IBM's data breach. For all I know, the identity thieves could still be trying to break the encryption on IBM's data tapes. Rubinger seems to suggest that after 90 days identity thieves would give up trying to crack the encryption on IBM's data tapes. That assumption sounds totally ridiculous to me. From everything I've read, identity thieves are persistent, so it seems wise to assume a continual threat and act accordingly. Plus, the value of consumers' personal data has a long life.
IBM still hasn't caught the perpetrators and still employs the same delivery service which lost their data tapes over a year ago. Like many other consumers, I placed consecutive Fraud Alerts on my credit reports when I first learned of the IBM data breach. Experian and LifeLock can fight all they want about Fraud Alerts. To me, the stronger tool for consumers is the Security Freeze tool.
But, a Security Freeze won't protect consumers against all types of identity fraud. As a nation, we seem to be in our infancy regarding effective identity theft legislation that balances the needs of both consumers and companies.