Protecting Pretend Information

We live in times where efforts to protect sensitive information are abysmal – not to mention the outlandish methods used to capture information during every waking (and non-waking) second, and with mounting frequency. It is equally appalling to see the dizzying attempts to bring some semblance of order to identity theft and privacy matters absent the significance that accuracy should be playing in the conversation.

The solution to identity theft is not found in discussions around privacy. It is rather found in discussions concerning accuracy.

As a victim of identity theft, and I realize that I have lots of company, we bear witness to the sheer confusion of this situation. It is so confusing all the way around that it almost has to be purposeful. What is allowed to thrive by control behind the curtain is a question that needs to be answered.

In particular, there is a lot of misdirected energy from the entities who have information they collect and “store” to quickly point fingers at the “bad actors,” but exhibit little to no responsibility to protect information – or even question themselves as to why they need the identifying information in the first place (clue – it does not benefit much beyond the bottom line).

While continuing to live this real-time nightmare, a couple of days ago I received a letter from a company saying that my information had been compromised in a recent breach. The letter was sent to my current address using my maiden name. My maiden name is what was used by the criminal who stole my identity. I have never been a customer of this company, at least willingly.

When personal information is stolen, it is often commingled with information that is not true and in effect reflects a fictitious person (i.e. the criminal receiving goods and services at their actual home address or P.O. box that does not match the identity of the person whose credit has been compromised). And, this information is allowed to flourish because it goes unchecked.

So, I receive this letter, informing me that my information was compromised. I know this to be one of the companies where my stolen information was used to gain a service. Knowing that the reason any part of my information is in their system in the first place is due to fraudulent activity, why then does the part of my real identity continue to live and be represented in this company’s system in any form – and to the point where it is allowed to be compromised AGAIN?

Hearings are occurring in Washington D.C. that discuss privacy. We are skipping way ahead in this conversation. Before we can discuss privacy, we need to discuss the significance of accuracy (and I’ll throw in, permissions too).

When I learned that I was a victim of identity theft, and in the process of cleaning the mess (clearly not over), I am continuously in the position of needing to prove to a greater degree that I am who I say I am than the criminal who stole my information. The criminal had the green light in using my information with no regard, from anyone. And, the regard still does not exist. Not only did I have to prove my identity to not be liable for fraudulent activity (and this was up for judgment by those same entities that allowed the theft to occur in the first place), but in the seemingly never-ending journey to correct misinformation. Still, this action on my part, to correct information, has evidently led me nowhere – because there is no level of accuracy that is required.

Yet, the ability exists to get it right from the onset but this approach is wildly inconvenient for business. Isn’t identity theft? No, not really, for business that is, as the brunt is endured by the consumer.

Ensuring accuracy from the onset will undoubtedly reduce instances of identity theft by leaps and bounds. This is a non-negotiable first step and one we must not continue to skip or identity theft will only continue to grow in issue and in unnecessary, yet convenient, confusion.

Photo by Gwen King

Identity Theft and its Relationship with Systems

When identity theft is used in full force, the term “identity theft” does not tell the entire story. It could more accurately be called identity theft part one and identity theft part two because there can be at least two distinct theft parts. 

Identity theft part one occurs when an individual’s personal information is captured in order to be used without their knowledge. Identity theft part two occurs when that personal information is applied fraudulently - and not only can that part happen once, it can happen literally hundreds of times (within many unique systems).

The prevalence of identity theft is so high because of the vulnerability of systems to be manipulated. Certainly systems have shown the ability to detect and thwart fraudulent activity, but systems as a whole have yet to be sophisticated enough to discern all fraud as identity theft continues to be the pervasive issue that it is today. Not to mention the repetitive failure of systems to protect the information they hold.

No matter the safeguards entities believe that they have in place, identity theft has time and time again shown that it can pierce through (with skill, or not) and flourish.

Identity theft is an enticing crime as most incidents remain unsolved only leaving a multitude of unanswered questions for the victim, namely, How was my personal information accessed? Who stole my information? Where was it used? What was it used to gain?

The crime of identity theft is difficult to detect on the surface because the crime is hidden in seemingly real identities and correlating presumed appropriate activities. The outside of a system may appear pristine and run appropriately in its function. But by no means should the appearance of a functioning system and a perceived smooth running operation tell a story of accuracy. For the data a system manages and generates may not be authentic.

I know this all too well from personal experience. My personal information is commingled with that of the criminal who stole my identity. A simple search on the web reminds me of this reality. And, no one, except primarily the criminal and me, could quickly notice the inaccurate information that paints the wrong picture.

In the same spirit as it is suggested to be proactive and protect and manage your personal information since it is not a matter of if you are a victim of identity theft, it is when - any and all systems should be approached with the same vigor.



Photo by Joshua Coleman

CHECK YOUR CREDIT REPORTS...what are you waiting for?

First of all, if your credit is not already frozen you may want to strongly consider FREEZING your credit with all three major credit bureaus (Equifax, Experian and TransUnion). Trust me, any inconvenience pales in comparison to dealing with being an identity theft victim. Does this action then prevent all identity theft that could be committed? No. But, it can go a long way. And, it sends a signal to the criminal, or anyone else, not to use your information and that you are protective of your information.

One site where you can access your reports from the major credit bureaus is AnnualCreditReport.com. This is where the Federal Trade Commission will direct you to gain your free credit report. And, new in 2020 as referenced on the Federal Trade Commission’s website, six free copies of your report are available a year through 2026.

As the Federal Trade Commission, Consumer Information, site outlines:

The Fair Credit Reporting Act (FCRA) requires each of the nationwide credit reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months. The FCRA promotes the accuracy and privacy of information in the files of the nation’s credit reporting companies. The Federal Trade Commission (FTC), the nation’s consumer protection agency, enforces the FCRA with respect to credit reporting companies.

A credit report includes information on where you live, how you pay your bills, and whether you’ve been sued or have filed for bankruptcy. Nationwide credit reporting companies sell the information in your report to creditors, insurers, employers, and other businesses that use it to evaluate your applications for credit, insurance, employment, or renting a home.

Now, I scroll through my credit reports very similarly to watching a scary movie with my hands covering my eyes because I’m afraid of what may lurk given my past experience. Like watching the creepy girl crawl out of the well in The Ring…same exact vibe. That being said, reviewing your credit really takes no time at all and is easy - as long as you don’t have any surprises. Then, it takes forever. And while forever can be scary, take time to review, understand and be in control.



References:

Free Credit Reports. (n.d.). Retrieved from https://www.consumer.ftc.gov/articles/0155-free-credit-reports

As Timing Would Have It

Many people have reached out to me over the years sharing their story of identity theft (thanks to all of you). A recent theme that has emerged is the permanence that this crime leaves to its victims.

Perhaps it is due to the introduction of technology that is expected to be used in our day-to-day lives that has made identity theft the permeating issue it is today. The opportunities for identity theft to occur are enhanced with technology due to the large volume of people that can be impacted, since with the use of technology, human presence (and confirmation) can easily be substituted. Not to mention that identity theft data itself seems to find no expiration in the systems where it lives.

Identity theft has long been in existence albeit in different forms. As one online article on identity theft reminds us, “The phrase ‘identity theft’ is a relatively new term for what is actually a centuries old problem.” This is true with more recent identity theft examples of those by phone (still happens), identity theft from digging through trash for personal documents (still happens), identity theft by internet (yes) and so on (Hur, n.d.).

Not only does identity theft remain an issue, it is very much a mounting issue since no form of identity theft has been extinguished to find itself victim free.

The ramifications of identity theft absolutely last a lifetime. While no one should let one’s guard down when it comes to protecting personal information, for those that have knowingly had their identity compromised (oftentimes at no fault of their own) there are occurrences that provide a constant reminder of the peril and the never-ending job that persists in policing personal information.

While we do not know how and where identity theft will lurk next, history tells us that identity theft has proven itself to be an ever-thriving crime given its unique ability to remain disguised amongst a trusting landscape.



References:

Hur, Johnson (n.d.). History of Identity Theft Protection. [Blog post]. Retrieved from https://bebusinessed.com/history/history-of-identity-theft-protection/

Know Your Data

When your identity is stolen and it is used fraudulently, the information that is provided (and accepted) in order to gain access to goods and services creates erroneous data. This inaccurate information purported to be true does not tell any “story” except one of criminality.

Using this data is not only ineffective, it should not be the basis for informing any research (for instance marketing). Yet, there does not seem to be any concerted effort to differentiate the origin of data. This is not surprising given that there is not much effort to thwart identity theft.

Take for instance the criminal who stole my identity. She commingled my identity with her own, thus creating someone who does not really exist - but is alive and well in data. 

If I search for information on myself in a search engine, I can see information that is generated that is supposed to be about “me,” but in reality is not me – it is rather a reminder that my identity was stolen as I see parts of the criminal’s identity included with mine. But, who else can tell that this is not the truth? I am truly the only one who can quickly identify these glaring errors. For others, they may accept the information for being accurate.

In another instance, one of the companies where my information was fraudulently used has identified me as someone to keep on their mailing list, sending me their catalog in hopes that I will make a purchase. They clearly did not extract identity theft victims when updating their mailing list, but did they even consider these instances?

While there may be steps one can take to try and tackle each of these and other discrepancies, I have not had success in seeing immediate, if any, results. 

With millions upon millions (and growing) of cases of identity theft, this crime also leaves a deep trail of tainted information. Data needs to be carefully scrutinized from the onset (even before collection) in order to serve any meaningful purpose.

Photo by Francesco Paggiaro

Customer Service, Internal Communications and Identity Theft

Identity theft is ripe where poor customer service and weak internal communications converge.

Customer Service

Customer service is not tangible; it is engaging a customer in a way that is in their interest. Good customer service maintains this mindset in all facets of an operation - both internal and external. 

Requesting sensitive or other personal information in order to conduct business and then not protecting this information is customer disservice. Organizations must always operate to meet the needs and expectations of customers to realize success.                                                                    

Internal Communications

Customer service is at its best when internal communications is strong. Organizations must invest in meaningful communications with employees and stakeholders. If employees are supported by their organization, they are more apt to support, and protect, the customer – and the organization.

“Effective internal communications helps ensure that all members of the organization are working collaboratively toward a common goal. It develops a cohesive culture and empowers employees to make the right decisions in line with the organizations goals. This in turn leads to greater efficiency and productivity and improves customer service” (Ritchie, 2015).

Organizations must identify and deliver true customer service to those who seek their products, programs and services. There is not a one-size-fits-all customer service solution. Recognizing what is best for the customer is a process that includes examining all levels and areas of operation and working to be most effective with the customers’ needs in mind. Involve all who represent the organization to ensure that their needs are also considered. Internal communications informs customer service and when this is done well, it can thwart identity theft.



References:

Ritchie, J. (2015, April 27). The importance of internal communications. Business Matters. Retrieved from http://www.bmmagazine.co.uk/opinion/the-importance-of-internal-communications/

 

Out of Focus

Fire burns a structure. In the aftermath, investigators comb the scene in order to find the cause of the fire. Discovering this information is important. It is important in understanding not only how the fire started, but compiled data can help prevent future fires. If arson, charges can be filed with evidence gathered during the investigation.

A home is burglarized. An investigation is conducted in order to determine how the burglar gained entry into the premises. Information learned in this process can prevent future burglaries. This process can also lead to identifying the criminal and charges can be pressed.

When identity theft occurs, if following the pattern above – the process would look like this:

Your identity is compromised. An investigation is conducted in order to determine where the information was stolen. Investigation includes learning where the information was used in order to gain goods and/or services. Evidence can lead to charges against the person/s who stole the information, the person/s that used the information to acquire fraudulent goods or services, and the entity that did not have proper safeguards in place can also be held accountable.

However, it does not work like that. Instead it looks like this:

Your identity is compromised. If you are lucky (...really lucky), an investigation is conducted in order to determine who stole the information. (This will more likely only occur if the theft is in your same jurisdiction.) Evidence may lead to charges against the criminal – at least the one that can be identified in using your personal information. And little investigation, if any, includes holding accountable the entities where your information was compromised. And, while you are struggling to address these issues, you are at the mercy of the same entities who helped make you a victim of identity theft.

There are many gaps in the way identity theft is investigated today. Too often identity theft is addressed in generalities. No real hard data. Because investigation of the cause of identity theft hardly occurs, addressing the root of identity theft is not happening.

Instead the focus is on "prevention" – and overwhelmingly on the shoulders of the consumer. Monitor data. Ask questions when asked about providing sensitive data. Do not click on links. Shred important documents. Do not post personal information. While all are smart practices, not one truly prevents identity theft. 

The focus of identity theft needs to undergo a seismic shift to how sensitive data – personal information – is captured, tracked, and scrutinized. And, who bears responsibility when that trust is breached. Without knowing this information, identity theft will continue to wreak havoc. 

The Roots of Identity Theft

Identity Theft does not occur serendipitously. 

There are many points of responsibility.

Let’s examine these areas:

POINTS WHERE YOU ARE RESPONSIBLE

 

1. Your personal information. 

Yep, if you are a person, you have identifying information – this covers everyone. So, invest in yourself throughout your life in a positive way. Do this so that you want to continue to identify as you and only you and don’t become a criminal in the future stealing someone else’s identity, including mine (thanks!).

2. Where you store personal information.

Where do you store the personal information that you have control over? Personal information includes social security number, date of birth, address, financial information (credit card, bank, etc.). Do you store this sensitive data in a locked filing cabinet or drawer, a safe, etc.? You are responsible at this point for making sure that your information and dependent’s information is kept in a safe place. What might not be a safe place? Top of refrigerator, in a pile, thrown in the trash (without shredding), vehicle, a computer – yes, I would categorize a computer as not a safe place. You must be very diligent in how you store information on the computer. Good rule of thumb – if it is on the computer, the whole world may be able to access the information.

3. With whom do you share personal information?

If you remember nothing else – remember this – just because an official looking document, or an official looking person, or an official looking place asks you for your (or your dependents’) social security number – DOES NOT MEAN TO HAND IT OVER. (Side note – When we see stories about identity theft there is inevitably a picture of a scary masked person hunched over a computer in a dark room looking up to no good. Well, guess what. Nice looking people and places can steal your identity too – or at least not be protecting it as they should.) While there are many places that will ask you for personal information, that DOES NOT MEAN IT IS REQUIRED. (Then why do they ask for it? Because they can. Not because they should.) So, always – ALWAYS – ask why the personal information is required (chances are, it’s not). Better yet, do your homework and decide if the entity must be provided the information.

WHEN AN ENTITY IS RESPONSIBLE FOR YOUR INFORMATION

4. Who collects personal information?

We’ll term “an entity” as many things here – business, doctor’s office, school, non-profit, hotel, church, etc. When an entity asks for personal information, it had better be necessary. If necessary, mechanisms and protocol to protect the personal information for which it has now assumed responsibility must also be in place.

5. When personal information is compromised, who suffers?

If personal information that an entity holds is accessed fraudulently that simply means that the appropriate safeguards were not in place – otherwise, the information would not have been accessed. Guess what an entity loses? The ability to call themselves a victim. Here, the true victims are the people who entrusted their information only to find themselves at risk. Instead, an entity can explore the definition of accessory to a crime.

6. When do you break the news?

If and when personal information that an entity has is compromised, report it immediately. Three months down the road, on a timeline that favors your preferred sequence of events so that you can choose from an à la carte menu of canned responses to the crisis, is not immediately.

7. Practice safeguards on both sides of the transaction.

This is a biggie. Read this one twice. Not only should an entity closely monitor the personal information it has, it should vet the personal information it receives during a transaction. Stolen personal information has no value to a criminal if it cannot be used to access goods and services. 

Integrating the latest in technology into the stream of the engagement process (with customers) – including point-of-sale – without any understanding of the technology itself can infinitely increase the chance of personal information being accessed and fraudulent personal information being used.

 

photo by Marta Tycinska

 

The Fun Never Ends

Identity theft has become a way of life. In its latest mass resurgence, Equifax admitted that “unauthorized access occurred from mid-May through July 2017” ("Equifax Announces Cybersecurity Incident," 2017). At this point, entities that "experience" these breaches are not victims, but rather part of the problem. Proper safeguards must be in place in order to conduct business.


Not only is the Equifax breach disturbing because of the sheer volume, “impacting approximately 143 million U.S. consumers,” but Equifax is a credit bureau ("Equifax Announces Cybersecurity Incident," 2017). Consumers cannot win. What power does a credit bureau wield? “While credit bureaus don't actually make lending decisions, they are very powerful institutions in finance and the information contained in their individual reports can have a substantial impact on an individual's financial future” ("Credit Bureau," n.d.). So, here we have an institution that is collecting and reporting information on us - impacting some of the biggest events in our life (at least financial) - yet, as demonstrated by this latest instance, it is 100% inept.


This breach was only a matter of time as Equifax is not the only credit bureau that has had data it was entrusted to protect breached. In 2015, Experian announced that one of its business units had been breached.


Who is responsible for monitoring credit bureaus? In 2012, “The Consumer Financial Protection Bureau (CFPB) adopted a rule ... to begin supervising larger consumer reporting agencies, which include what are popularly called credit bureaus or credit reporting companies. This is the first time these companies will be supervised at the federal level” ("CFPB to Supervise," 2012). I am curious what this supervisory role has entailed. Clearly, protecting consumers has not been a responsibility taken seriously.


 

Resources:

CFPB to Supervise Credit Reporting. (2012, July 16). Retrieved from https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-to-superivse-credit-reporting/

Credit Bureau. (n.d.). Retrieved from http://www.investopedia.com/terms/c/creditbureau.asp

Equifax Announces Cybersecurity Incident Involving Consumer Information. (2017, September 7). Retrieved from https://www.equifaxsecurity2017.com

 

 

photo by Jeremy Thompson

 

Rose-Colored Glasses for All

The lens that we currently view identity theft through is wrong. Especially when it comes to monitoring services. While I will never discourage anyone from being proactive about monitoring his or her data, it’s simply not an all-or-nothing game. As I mentioned in a previous post – not all transactions can be captured (nor all at once).

My point is not to dismiss being diligent about your data, but be clear about what is really being monitored. It is simply a way to feel like you have some control over something you have little or no control over.

Under the guise of tracking fraudulent activity, what monitoring programs are truly capturing are instances of gross inefficiencies in our transactional systems.

Entities are failing us in three ways: not protecting the data that you have entrusted to them, participating in fraudulent transactions, and positioning themselves as victims while looking to you to buttress their inadequacies. And, consumers have unquestionably accepted this burdensome responsibility.

This current view is not working. Until identity theft is no longer tolerated as being shouldered by consumers, it will continue to be an insurmountable threat and one that will drain resources.

 

photo courtesy of Derek Gavey