Rapid Response Is Best Defense Against ID Theft

By Brian Krebs
washingtonpost.com Staff Writer
Friday, June 16, 2006; 2:54 PM

It may have already happened to you: A letter arrives in the mailbox from your bank or alma mater, stating that a hacker break-in or lost laptop may have compromised sensitive data on thousands of people, and that you may be among the unlucky ones. What to do?

As a potential identity-theft victim, your first step is to "move quickly and in an organized way" before the thieves attempt to use the information, said Betsy Broder, assistant director of the Federal Trade Commission's division of privacy and identity protection.

In the past 15 months, corporations, universities and other organizations alerted more than 85 million U.S. consumers that their personal or financial data might have been compromised due to data breaches, disgruntled employees or just plain incompetence. While consumer data leaks don't automatically result in financial losses or cases of identity theft, experts say your chances of becoming a victim depend on how well you know your rights and how rapidly you spring into action.

A speedy response is most important in cases where a data breach or loss involves a consumer's Social Security number, which can be used to open new lines of credit in the victim's name.

The FTC recently made available on its Web site downloadable form letters and worksheets to help people navigate the myriad steps often required to repair such damage, Broder said.

"It's essential that people document each and every step they take in this process," Broder said. "It can be daunting to get through this, but ... people [should] be careful and deliberate in how they go about it."

Any potential theft of a Social Security number should immediately be reported to one of the three major credit bureaus, said Beth Givens, director of the San Diego-based nonprofit Privacy Rights Clearinghouse. That report should include a request that a 90-day fraud alert be placed on your credit files (consumers have the right to renew this alert indefinitely, but they must contact one of the credit bureaus every three months to do so).

The company you call must contact the other credit bureaus, who will place an alert on their versions of your report. This means that businesses and creditors will have to call you before extending additional lines of credit in your name. Givens suggests providing the credit bureaus with a cell phone number if you have one.

Consumers who have evidence of attempts to open fraudulent accounts in their name should contact those creditors immediately and file a report with the local police department (then get a copy of the police report, or at least the police report number). Evidence of fraudulent activity also allows victims to request that a 90-day fraud alert be extended to seven years, though a credit bureau will require proof of identity and of the existence of a police report.

Placing a fraud alert entitles you to a free copy of your credit report from each of the major credit bureaus. This is in addition to the free annual credit reports already allowed by federal law. Givens advises consumers to wait a few months after receiving their fraud-alert credit reports before requesting any other free reports to which they may be entitled.

If you see any inaccurate information or fraudulent accounts listed in your credit reports, alert the credit bureaus and credit issuers in writing. You also have the right to have the credit bureaus strike any inquiries against your credit history that were generated by fraud.

For many identity-theft victims, the first sign of trouble is a denial of credit or a call from a debt-collection agency. By law, if you inform a collector that a debt resulted from identity theft, that collector must also inform the creditor. Creditors are then prohibited from selling such debts or placing them for collection. You also are entitled to a copy of all information about fraudulent debt, including late notices and account statements.

Some 23 states have passed "security freeze" laws that allow consumers to indefinitely prevent anyone from issuing credit in their name. California, Colorado, Connecticut, Florida, Illinois, Kentucky, Louisiana, Maine, Minnesota, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Utah, Vermont and Wisconsin provide all their residents with the option of placing a security freeze on their credit files, while Hawaii, Kansas, South Dakota, Texas and Washington currently provide this option only to ID theft victims.

Businesses have been driven to alert consumers about potential data losses thanks to a proliferation of state laws requiring such notifications, but legislation being considered on Capitol Hill could soon change that. Ed Mierzwinski, director of the U.S. Public Internet Research Group, a consumer watchdog group in Washington, said a bill recently passed by the House Financial Services Committee and supported by the major financial institutions would exempt companies from alerting consumers about data thefts or losses if the company does not know whether that loss places the consumer at a direct risk of identity theft. The bill also would reserve credit freezes for ID theft victims only.

© 2006 The Washington Post Company