Be Prepared For ID Theft

Emil W. Henry Jr., left, and D. Scott Parsons with a Treasury Department DVD addressing identity theft.
Emil W. Henry Jr., left, and D. Scott Parsons with a Treasury Department DVD addressing identity theft. (By Dennis Brack -- Bloomberg News)
By Brian Krebs
Special to The Washington Post
Sunday, June 18, 2006

It may have already happened to you: A letter arrives in the mailbox from your bank or alma mater, stating that a hacker break-in or lost laptop has compromised sensitive data on thousands of people, and that you could be among the unlucky ones. What to do?

In the past 15 months, corporations, universities and other organizations alerted more than 85 million U.S. consumers that their personal or financial data might have been exposed through electronic breaches, disgruntled employees or just plain incompetence. While consumer data leaks don't automatically result in financial losses or identity theft, experts say your chances of becoming a victim depend on how well you know your rights and how quickly you spring into action.

A speedy response is most important in cases when a data breach or loss involves a consumer's Social Security number, which thieves can use to open new lines of credit in the victim's name, said Betsy Broder, assistant director of the Federal Trade Commission's Division of Privacy and Identity Protection.

"At that point, it's very important to move quickly and in an organized way," Broder said, adding that the FTC's Web site recently posted downloadable form letters and worksheets to help people navigate the complicated process often required to repair the damage wrought by identity thieves.

"It's essential that people document each and every step they take in this process," Broder said. "It can be daunting to get through this, but it's essential that people be careful and deliberate in how they go about it."

Beth Givens, director of the San Diego-based nonprofit Privacy Rights Clearinghouse, said anyone whose Social Security number was lost or stolen should immediately report it to one of the three major credit bureaus and request that a 90-day fraud alert be placed on all credit files. Consumers have the right to renew this alert indefinitely, but they must contact one of the credit bureaus every three months to do so.

The company you call is required to contact the other credit bureaus, which will place an alert on their versions of your report. By doing so, businesses and creditors will be required to call you before extending additional lines of credit. Givens suggests providing the credit bureaus with a cellphone number if you have one.

Consumers who have evidence of attempts to open fraudulent accounts in their name should contact those creditors immediately, and file a report with the local police department. If possible, obtain a copy of the police report, or at least the police report number. Evidence of fraudulent activity allows victims to request that a 90-day fraud alert be extended to seven years, though a credit bureau will require proof of identity and a copy of the police report.

Placing a fraud alert entitles you to a free copy of your credit report from each of the major bureaus, in addition to a free report the law allows every consumer to request annually. If you get a fraud-related credit report, Givens advises waiting a few months before ordering the annual free one.

Alert the credit bureaus and credit issuers in writing of any inaccurate information or fraudulent accounts listed in your credit reports. You also have the right to have the credit bureaus strike any inquiries against your credit history that were generated by fraud.

For many identity-theft victims, being denied a loan or line of credit or receiving a call from a debt collection agency is the first sign of trouble. By law, if you inform a collector that a debt is the result of identity theft, that collector also must inform the creditor, and creditors are prohibited from selling debt that results from identity theft or placing it for collection. You also are entitled to a copy of all information about fraudulent debt, including late notices and account statements.

At least 23 states have passed "security freeze" laws that allow consumers to indefinitely prevent anyone from issuing credit in their name. California, Colorado, Connecticut, Florida, Illinois, Kentucky, Louisiana, Maine, Minnesota, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Utah, Vermont and Wisconsin provide all their residents with the option of placing a security freeze on their credit files. Hawaii, Kansas, South Dakota, Texas and Washington currently provide this option only to ID theft victims.

A number of state laws also are driving businesses to alert consumers about potential data losses, but legislation being considered on Capitol Hill could soon change that. Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group, a consumer watchdog group in Washington, said a bill recently passed by the House Financial Services Committee and supported by the major financial institutions would exempt companies from alerting consumers about data thefts or losses if the company does not know whether that loss places the consumer at a direct risk of identity theft. The bill also would reserve credit freezes for ID theft victims only.

Krebs is a staff writer for

© 2006 The Washington Post Company