Know Your Data

When your identity is stolen and it is used fraudulently, the information that is provided (and accepted) in order to gain access to goods and services creates erroneous data. This inaccurate information purported to be true does not tell any “story” except one of criminality.

Using this data is not only ineffective, it should not be the basis for informing any research (for instance marketing). Yet, there does not seem to be any concerted effort to differentiate the origin of data. This is not surprising given that there is not much effort to thwart identity theft.

Take for instance the criminal who stole my identity. She commingled my identity with her own, thus creating someone who does not really exist - but is alive and well in data. 

If I search for information on myself in a search engine, I can see information that is generated that is supposed to be about “me,” but in reality is not me – it is rather a reminder that my identity was stolen as I see parts of the criminal’s identity included with mine. But, who else can tell that this is not the truth? I am truly the only one who can quickly identify these glaring errors. For others, they may accept the information for being accurate.

In another instance one of the companies where my information was fraudulently used has identified me as someone to keep on their mailing list, sending me their catalog in hopes that I will make a purchase. They clearly did not extract identity theft victims when updating their mailing list, but did they even consider these instances?

While there may be steps one can take to try and tackle each of these and other discrepancies, I have not had success in seeing immediate, if any, results. 

With millions upon millions (and growing) of cases of identity theft, this crime also leaves a deep trail of tainted information. Data needs to be carefully scrutinized from the onset (even before collection) in order to serve any meaningful purpose.

Photo by Francesco Paggiaro

Customer Service, Internal Communications and Identity Theft

Identity theft is ripe where poor customer service and weak internal communications converge.

Customer Service

Customer service is not tangible; it is engaging a customer in a way that is in their interest. Good customer service maintains this mindset in all facets of an operation - both internal and external. 

Requesting sensitive or other personal information in order to conduct business and then not protecting this information is customer disservice. Organizations must always operate to meet the needs and expectations of customers to realize success.                                                                    

Internal Communications

Customer service is at its best when internal communications is strong. Organizations must invest in meaningful communications with employees and stakeholders. If employees are supported by their organization, they are more apt to support, and protect, the customer – and the organization.

“Effective internal communications helps ensure that all members of the organization are working collaboratively toward a common goal. It develops a cohesive culture and empowers employees to make the right decisions in line with the organizations goals. This in turn leads to greater efficiency and productivity and improves customer service” (Ritchie, 2015).

Organizations must identify and deliver true customer service to those who seek their products, programs and services. There is not a one-size-fits-all customer service solution. Recognizing what is best for the customer is a process that includes examining all levels and areas of operation and working to be most effective with the customers’ needs in mind. Involve all who represent the organization to ensure that their needs are also considered. Internal communications informs customer service and when this is done well, it can thwart identity theft.


Ritchie, J. (2015, April 27). The importance of internal communications. Business Matters. Retrieved from


Out of Focus

Fire burns a structure. In the aftermath, investigators comb the scene in order to find the cause of the fire. Discovering this information is important. It is important in understanding not only how the fire started, but compiled data can help prevent future fires. If arson, charges can be filed with evidence gathered during the investigation.

A home is burglarized. An investigation is conducted in order to determine how the burglar gained entry into the premises. Information learned in this process can prevent future burglaries. This process can also lead to identifying the criminal and charges can be pressed.

When identity theft occurs, if following the pattern above – the process would look like this:

Your identity is compromised. An investigation is conducted in order to determine where the information was stolen. Investigation includes learning where the information was used in order to gain goods and/or services. Evidence can lead to charges against the person/s who stole the information, the person/s that used the information to acquire fraudulent goods or services, and the entity that did not have proper safeguards in place can also be held accountable.

However, it does not work like that. Instead it looks like this:

Your identity is compromised. If you are lucky (...really lucky), an investigation is conducted in order to determine who stole the information. (This will more likely only occur if the theft is in your same jurisdiction). Evidence may lead to charges against the criminal – at least the one that can be identified in using your personal information. And, not much, if any investigation includes holding the entities accountable where your information was compromised. And, while you are struggling to address these issues you are at the mercy of the same entities who helped make you a victim of identity theft.

There are many gaps with the way identity theft is investigated today. Too often identity theft is addressed on generalities. No real hard data. Because investigation of the cause of identity theft hardly occurs, addressing the root of identity theft is not happening. 

Instead the focus is on "prevention" – and overwhelmingly on the shoulders of the consumer. Monitor data. Ask questions when asked about providing sensitive data. Do not click on links. Shred important documents. Do not post personal information. While all are smart practices, not one truly prevents identity theft. 

The focus of identity theft needs to undergo a seismic shift to how sensitive data – personal information – is captured, tracked, and scrutinized. And, who bears responsibility when that trust is breached. Without knowing this information, identity theft will continue to wreak havoc. 

The Roots of Identity Theft

Identity Theft does not occur serendipitously. 

There are many points of responsibility.

Let’s examine these areas:



1. Your personal information. 

            Yep, if you are a person, you have identifying information – this covers everyone. So, invest in yourself throughout your life in a positive way. Do this so that you want to continue to identify as you and only you and don’t become a criminal in the future stealing someone else’s identity, including mine (thanks!).

2. Where you store personal information.

            Where do you store the personal information that you have control over? Personal information includes social security number, date of birth, address, financial information (credit card, bank, etc.). Do you store this sensitive data in a locked filing cabinet or drawer, a safe, etc.? You are responsible at this point for making sure that your information and dependent’s information is kept in a safe place. What might not be a safe place? Top of refrigerator, in a pile, thrown in the trash (without shredding), vehicle, a computer – yes, I would categorize a computer as not a safe place. You must be very diligent in how you store information on the computer. Good rule of thumb – if it is on the computer, the whole world may be able to access the information. 

3. With whom do you share personal information?

            If you remember nothing else – remember this – just because an official looking document, or an official looking person, or an official looking place asks you for your (or your dependents) social security number – DOES NOT MEAN TO HAND IT OVER. (Side note – When we see stories about identity theft there is inevitably a picture of a scary masked person hunched over a computer in a dark room looking up to no good. Well, guess what. Nice looking people and places can steal your identity too – or at least not be protecting it as they should.) While there are many places that will ask you for personal information, that DOES NOT MEAN IT IS REQUIRED. (Then why do they ask for it? Because they can. Not because they should.) So, always – ALWAYS – ask why the personal information is required (chances are, it’s not). Better yet, do your homework and decide if the entity must be provided the information.


4. Who collects personal information?

We’ll term “an entity” as many things here – business, doctor’s office, school, non-profit, hotel, church, etc. When an entity asks for personal information, it had better be necessary. If necessary, mechanisms and protocol to protect the personal information it has now assumed responsibility must also be in place.  

5. When personal information is compromised, who suffers?

If personal information that an entity holds is accessed fraudulently that simply means that the appropriate safeguards were not in place – otherwise, the information would not have been accessed. Guess what an entity loses? The ability to call themselves a victim. Here, the true victims are the people who entrusted their information only to find themselves at risk. Instead, an entity can explore the definition of accessory to a crime.

6. When do you break the news?

If and when personal information that an entity has is compromised, report it immediately. Three months down the road to favor your timeline of preferred events so that you can plan which ala carte of canned response to the crisis is not immediately.   

7. Practice safeguards on both sides of the transaction.

This is a biggie. Read this one twice. Not only should an entity closely monitor the personal information it has, it should vet the personal information it receives during a transaction. Stolen personal information has no value to a criminal if it cannot be used to access goods and services. 

Integrating the latest in technology into the stream of the engagement process (with customers) – including point-of-sale –without any understanding of the technology itself can infinitely increase the chance of personal information being accessed and fraudulent personal information being used.


photo by Marta Tycinska


The Fun Never Ends

Identity theft has become a way of life. In its latest mass resurgence, Equifax admitted that “unauthorized access occurred from mid-May through July 2017” ("Equifax Announces Cybersecurity Incident," 2017) At this point, entities that "experience" these breaches are not victims, but rather part of the problem. Proper safeguards must be in place in order to conduct business.

Not only is the Equifax breach disturbing because of the sheer volume, “impacting approximately 143 million U.S. consumers,” but Equifax is a credit bureau ("Equifax Announces Cybersecurity Incident," 2017). Consumers cannot win. What power does a credit bureau wield? “While credit bureaus don't actually make lending decisions, they are very powerful institutions in finance and the information contained in their individual reports can have a substantial impact on an individual's financial future” ("Credit Bureau," n.d.) So, here we have an institution who is collecting and reporting information on us - impacting some of the biggest events in our life (at least financial) - yet, as demonstrated by this latest instance, it is 100% inept.  

This breach was only a matter of time as Equifax is not the only credit bureau who has had data it was entrusted to protect breached. In 2015, Experian announced that one of its business units had been breached.

Who is responsible for monitoring credit bureaus? In 2012, “The Consumer Financial Protection Bureau (CFPB) adopted a rule ... to begin supervising larger consumer reporting agencies, which include what are popularly called credit bureaus or credit reporting companies. This is the first time these companies will be supervised at the federal level" ("CFPB to Supervise," 2012). I am curious what this supervisory role has entailed. Clearly, protecting consumers has not been a responsibility taken seriously.



CFPB to Supervise Credit Reporting. (2012, July 16). Retrieved from

Credit Bureau.(n.d.) Retrieved from

Equifax Announces Cybersecurity Incident Involving Consumer Information. (2017, September 7). Retrieved from 



photo by Jeremy Thompson


Rose-Colored Glasses for All

The lens that we currently view identity theft through is wrong. Especially when it comes to monitoring services. While I will never discourage anyone from being proactive about monitoring his or her data, it’s simply not an all-or-nothing game. As I mentioned in a previous post – not all transactions can be captured (nor all at once).

My point is not to dismiss being diligent about your data, but be clear about what is really being monitored. It is simply a way to feel like you have some control over something you have little or no control over.

Under the guise of tracking fraudulent activity, what monitoring programs are truly capturing are instances of gross inefficiencies in our transactional systems.

Entities are failing us in three ways: not protecting the data that you have entrusted to them, participating in fraudulent transactions and they have positioned themselves as victims and look to you to buttress their inadequacies. And, consumers have unquestionably accepted this burdensome responsibility.

This current view is not working. Until identity theft is no longer tolerated as being shouldered by consumers, it will continue to be an insurmountable threat and one that will drain resources.


        photo courtesy of Derek Gavey

Times New Roman Does No Wrong

Last week, while running errands, I stopped inside a store to pay a bill and had to sign-in first. I had been in this store before and knew the drill - type your name and toggle through the options that best explain your visit. I filled-in the information as I told myself next time to save this hassle and mail my payment.

As I finished, I looked around for a good place to awkwardly stand until my name was called.

"Steve M."

A customer service representative came to the lobby to greet next-in-line customer "Steve M."

"What?!," a group of people waiting at the front of the store declared. "We have been waiting and now two people have been called before us!"

Their patience was gone and Steve M. didn't recuse and seemed excited at his good fortune of skipping ahead of the line. I looked at the CSR to see what action she would take.

She just shrugged her shoulders and assured the group that they would be waited on next.

Back at the service counter I heard the CSR confide in Steve M. that she didn't know what the deal was that caused the situation; she was just doing what the computer told her to do and according to it, Steve M. was next.

And therein lies the problem.

Computer content is developed by humans. Sure, maybe there is a computer program that is programmed to "think for itself" - but that ability is created by humans. No chicken or egg question here.

Therefore, content generated by technology or populated by input is subject to human error and must be scrutinized. However, there is some type of phenomena that despite the repeated occurrences and mounting evidence of technology vulnerabilities - people continue to put much trust in the information that is captured on a screen. Even though wherever the information goes or where it comes from no one ever seems to surely know for certain. Somewhere in a cloud or something, right? Sure. OK. Sounds cool and works for me. 

While being skipped in line may land in the minor inconvenience end of the spectrum of life, there are certainly more serious ramifications that can occur if due diligence is not practiced in scrutinizing information and questioning data and processes.


photo courtesy of interestedbystandr

Business as Usual

Despite the threat of identity theft, I am surprised at the number of places that continue to ask for a social security number.

Some (a FEW) do need it. For example, filing your taxes. Some (a LOT) do not need it. For example, a doctor’s office – the exception being people on Medicare since your ID number is your social security number followed by a code. Consumer Reports provides a good overview of, Why you shouldn't give your doctor your Social Security number(Umansky, 2015).

Another place that does not need it are schools - this includes providing your child's SSN and your SSN. According to a fact sheet issued by the U.S. Department of Justice and the U.S. Department of Education,  "A school district may not prevent your child from enrolling in or attending school if you choose not to provide your child’s social security number."  

A good rule of thumb is to leave the SSN space blank or if you are asked in person for it tell them “no.” Frankly, I think an even better idea is for places not to ask for it if it is not necessary in the first place. If you are questioned for not providing the SSN, do your research to ensure it is legally required otherwise do not provide it.


U.S. Department of Justice (n.d.). Fact Sheet: Information on the Rights of All Children to Enroll in School. Retrieved from

Umansky, D. (2015, February 10). Why you shouldn't give your doctor your Social Security number. Retrieved from


photo courtesy of sboneham



Offering Free Credit Monitoring Does Not Make It All Better

Offering free credit monitoring seems to be the go-to canned response to every breach, data hack, and the like – as if it is the solution to right the wrong.

But credit monitoring does little to help anyone who has had his or her information compromised. You are not providing any ounce of protection at this point. No, at this point you have provided a disservice by not initially protecting the personal information that you hold in the first place.

All credit monitoring does is keep tabs on the status of an individual’s credit and is intended to send alerts when there is activity – which is all well and good, but knowing that the information has already been compromised what if a victim’s credit is used by a criminal, for instance an account is established at a store where it wasn’t authorized – now what will the victim do?

While credit monitoring can alert you to the first instance of fraud in order to try to stop the activity in its tracks and give good reason to freeze credit if not done so already, keep in mind not all instances where a social security number could be fraudulently used will necessarily show-up on the traditional credit reports (Experian, Equifax and TransUnion). These can include tax returns, health care services (which only show-up if there is a payment due that goes into default after 180 days)(Karp, 2015) and bank accounts (ONeil, 2015). Furthermore, if it is a child’s social security number that is compromised, chances are they do not have a credit report to monitor – unless the criminal creates one for them by utilizing the child’s information as their own.

Once information is stolen there is not a 100% foolproof protection option to put in place. And, if the credit monitoring service includes someone “helping” if credit is fraudulently accessed, the last thing a victim may want is yet someone else with his or her hands in their personal matters; they may be inclined to fix the mess themselves.

Credit can be monitored all day long, but how are entities who do not have the proper safeguards implemented and allow the information to be accessed going to help once the bad guys get the data? They aren’t going to – instead pointing to the free credit monitoring – which virtually means nothing to the victim. In this day and age, consumers should be monitoring their credit regardless of whether they are a victim of identity theft.

Offering free credit monitoring as a consolation for ineptness isn’t doing anyone any favors and instead signals a weak public relations move. Alternatively, assume some accountability and do a better job of preemptively monitoring and securing the data that you have been entrusted to protect.


Karp, G. (2015). Protect your medical records from identity theft. Chicago Tribune. Retrived from

ONeil, E. (2015). Do Checking Accounts Affect Your Credit? About Money. Retrieved from






A Purse or Wallet is Not a Safe

Last night I had a dream that my purse was stolen. I went to visit someone, parked out front of a house and left my purse in the car since I was just running in for a minute. While I would never think of leaving my purse in my car – one minute or not – apparently I didn’t question this action in my dream state.

My dream continued when I went to leave and not only was my car gone, but so was my purse. Double whammy. I had to remember all of the information I kept in my purse and contact all of the companies and get everything shutdown, re-issued, etc. Since my cell phone was in my purse I couldn’t even use it to start the process. And, I remember the sinking feeling of knowing some thief had their hands on my personal information. Although I have lived this reality, albeit not by a purse theft, this was more like a nightmare!

When I woke up, I was relieved that it was just a dream, but it is a good reminder to be careful of what you carry in your purse or wallet if it is ever misplaced or stolen.

Do you know what is in your purse or wallet? If you lost yours, do you have a list of contact information so that you could minimize the damage and take care of everything immediately?

While modern times have brought along with it modern ways to steal identities, the old-fashioned purse or wallet stealing is alive and well. 

According to the Dallas Police Department, one of the most reported property crimes are those involving the theft of a purse or wallet.

Although you probably don’t think it will ever happen to you, consider the following:

1) Clean out your purse or wallet and be aware of the important information you carry around with you and what could happen if it got in the wrong hands.

2) Never carry anything that contains your social security number, these items can be stored in a safe place – a purse or wallet is not a safe place.

3) Consider only carrying around necessary cards and identification – do you really need to always carry around every credit or debit card you have, the same can be said about your insurance or prescription cards, you might want to consider storing these in a safe place and only accessing them when necessary.

There are also thieves who do not steal your actual purse or wallet, but will sift through it and take pictures of credit cards numbers, and other pertinent personal information. You can never be too careful, so be aware of what you carry with you and take the time to be pro-active and in control of the information important to you and your family and how you protect it – so my nightmare doesn’t become your reality.


photo by donna sutton