Security Watch: Don't get burned by viruses and hackers
Identity theft remedies in the works
By Robert Vamosi 
Senior editor, CNET Reviews
April 15, 2005

It's happened again. This time up to 310,000 people may have had their names, addresses, and social security numbers stolen. It's not the fault of the big three credit agencies--Equifax, Experian, and TransUnion--who are playing by the rules (and even working with the Federal Trade Commission to reduce ID theft and fraud); it's companies such as LexisNexis, Acxiom, and ChoicePoint, third-party data warehouses now under increasing federal scrutiny. These companies mine public documents for information about you, which they sell to others. As I've noted before, data warehousing is the new wild, wild West, with rogue companies harvesting whatever data they can so that they can sell your good name and reputation to others. Not only are data warehouses playing fast and loose with your personal information, identity thieves also steal laptops containing sensitive personal data. Fortunately, there's progress being made on both fronts.

Numbers are rising
Within the first few months of 2005, we've heard about thousands and thousands of individuals who have had their personal data exposed to fraudsters and thieves through no fault of their own. In fact, this has been happening for years. We've only started hearing about these thefts because of a 2003 California law, SB 1386, which states that any organization conducting business with California residents must notify those individuals if files containing their names, addresses, and other personal information have been breached. Other states are considering similar legislation, but California's senior senator, Dianne Feinstein (D-CA), has proposed new national legislation (more on that in a moment).

Not to diminish the staggering numbers of individual identities being reported stolen in the news, but not all are cases of clear-cut identity theft. For example, a laptop containing stockholder information was recently stolen from Science Applications International, and at UC Berkeley, a laptop containing personal information regarding 98,369 graduate students or graduate-school applicants went missing. In both cases, however, the physical laptop, not the data stored within, may have been the actual target. Nonetheless, we would not have known about these thefts had the California disclosure law not been in effect.

New national legislation
The new national legislation proposed by Senator Feinstein is modeled after California's SB 1386, but her proposal goes beyond the current state law. The Feinstein bill would allow potential ID theft victims to put a seven-year fraud alert on their credit report (currently this is available for actual ID-theft victims only). Fraud alerts force companies that want to issue new credit or loans to ask for additional information from anyone applying for new credit in your name or to run the risk of losses associated with fraud.

Feinstein's bill also carries stiffer penalties for companies and organizations that fail to inform potential victims of ID theft: the bill asks for $1,000 per individual, not to exceed $50,000 per day per company or organization. Like the California law, the Feinstein bill would exempt companies that contact law enforcement immediately after discovering a database breach until the investigation is complete. The Senate Judiciary Committee, of which Feinstein is a member, has started hearings on the matter, and the committee chairperson, Senator Arlen Specter (R-PA), has promised legislation this session to facilitate data-leak disclosures and new regulation of third-party data warehouses.

New data archive initiative
To safeguard data, particularly archived information, the National Science Foundation has awarded a $19 million grant to the University of California at Berkeley to create a new Science and Technology Center, with an eye toward "strengthening computer trustworthiness." A similar grant was awarded to the University of Kansas. Both of these campuses were recent targets of either criminal hackers who stole data or thieves who stole laptops containing sensitive information on current and past students.

Joining the UC Berkeley initiative are Stanford University, Mills College, Smith College, and Vanderbilt University, with the combined effort dubbed Team for Research in Ubiquitous Secure Technology (TRUST). Corporations assisting with the TRUST research will be Hewlett-Packard, Cisco Systems, IBM, Intel, Microsoft, Qualcomm, Sun Microsystems, and Symantec. The result of this research will be to devise a means to keep student records safe, such as new encryption standards or more secure information archival procedures.

Next steps
How do you know if you're among the potential victims of identity theft? Chances are you won't. Unless a company informs you, you have no way of knowing whether your personal information has been compromised. My recommendation is to check your credit report annually.

The Federal Trade Commission Web site has information on obtaining free credit reports from the major reporting agencies. Not everyone can do so today. The FTC divided the country so that currently only residents of the Western and Midwestern United States can obtain their reports for free. Residents in the Southeast must wait until June 1, and all U.S. residents, including those living in U.S. territories, may obtain a free credit report starting September 1, 2005. Also, under certain circumstances, such as being turned down for a loan or having already become a victim of ID theft, you can obtain a free credit report no matter where you live within the United States.

The three major credit agencies have established one central clearinghouse (the FTC site has contact information). If anyone other than the central clearinghouse offers to provide you with a free credit report, be suspicious. From the clearinghouse, you can order one, two, or all three credit reports--it's up to you. My advice is to stagger your reports. Information from one credit agency may not be the same as information in another. By staggering your free reports (say, every four months), you are, in effect, monitoring your credit reports throughout the year.

If that's too much work, each of the big three credit agencies offers paid services. For an annual fee, the agency will provide additional notification to you whenever someone requests your credit information (something you won't get with the free report). Personally, I think that's too much information; checking one free agency report every four months is probably enough for most of us, and it's well worth the extra burden of remembering to do so.

Have you checked your credit report lately? Why or why not?
