What No One is Telling You about Identity Theft
1 The thieves aren't who you think.2 Your data can never be fully safe.3 But ID theft can be stopped once and for all. Here's how.
By Michael Sivy

(MONEY Magazine) – On a sunny may morning on capitol hill, power suits were hard at work spinning members of Congress. There to testify were representatives of the financial giant Visa and of data brokers Acxiom and Thomson West. You may not know those last two outfits, but they know you better than you could ever imagine. Both are part of an industry that gathers personal data about millions of Americans and sells it to lenders, retailers, employers, government agencies or other parties. The speakers delivered much the same message: Don't worry; we're committed to keeping you and your most sensitive information safe from cyberpredators.

"Visa aggressively protects the cardholder information of its members," lobbyist Oliver Ireland stated in his testimony. And here's Acxiom executive Jennifer Barrett: "We employ a world-class information-security staff to help us fend off criminals."

Maybe so, but the criminals don't seem impressed. On the contrary, Americans' personal data is rapidly becoming about as secret as the contents of Paris Hilton's cell phone. In just the past six months, major security breaches have been reported across the country. At ChoicePoint, data on 145,000 people may have been compromised. At LexisNexis, 310,000. At Time Warner, publisher of this magazine, perhaps 600,000. At Bank of America, up to 1.2 million. Throw in files at Berkeley, Boston College and Tufts, and just this year more than 2.4 million Americans may have been left wide open to hackers, scamsters and, increasingly, gangsters.

The recent rash of mass data heists signals a new and sinister turn in the nature of identity theft, and Congress and state legislatures are finally beginning to respond in a big way. Now you may or may not find the prospect of politicians riding to the rescue reassuring. Members of Congress have railed in recent years against other scourges of the technology age (like, say, e-mail spam) to spectacularly little effect. You may even believe that the risk of identity theft--like the risk of spam, computer viruses and cell-phone radiation--is simply the price we pay for convenience in the digital era.

But that's not so. Identity theft could be made as obsolete a crime as cattle rustling or high-seas piracy. For instance, in a few states it's now possible to request a freeze on your credit report, stopping anyone from granting new credit without your approval. Why isn't this brutally simple and effective solution more widespread? Simply put, it disrupts the free flow of credit information on which consumer lenders and data sellers depend.

To be fair, big banks and other credit-card issuers, retailers and data peddlers aren't the only ones who thrive on the ready accessibility of information. You benefit too: It's never been easier to get a credit card, find a mortgage or buy a car. The financial industry has stressed that convenience when it argues against reform in state legislatures. It is now targeting Washington to water down further restrictions on how companies handle your personal information.

This is what no one acknowledges about identity theft: that there's a conflict of interest between the consumer and the system. Take the precautions you can (see page 99 for our advice), but realize that your identity can't be fully safe without new laws, like a credit freeze, that give you greater control over your own data. In other words, whether you'll still need to worry about ID theft in a few years will have less to do with your actions than with how well lawmakers do their jobs--and how well lobbyists do theirs.

What to Worry About

Consider these odds: About 2.6% of Americans have their homes burglarized in a year. But about 4.25% of adults (or 9.3 million Americans) are hit by ID theft, the Better Business Bureau and Javelin Strategy & Research estimate. This doesn't mean you ought to fear buying a patio chair online or opening your wallet in public. In fact, many identity crimes don't have lasting effects: More than half are simple credit-card fraud--somebody gets your account number and goes on a shopping spree. In most cases you can solve this with a couple of hours on the phone, since the card issuer typically is required by federal law to eat nearly all of the loss. (Indeed, Visa and other big card companies give customers 100% protection.)

The bigger worry is when someone gets enough information to borrow money or open other accounts in your name. When the con artist doesn't pay the bills, your credit is ruined. And you may not learn of the scam until a bill collector calls or you get turned down for a car loan, a mortgage or even a job. Such cases now account for a quarter of identity thefts. And according to one Federal Trade Commission survey, victims spent an average of $1,200 and 60 hours clearing their name.

Like burglary, ID theft is a crime whose true cost is measured not just in dollars but also in fear and anxiety. Most of the 310,000 victims of the LexisNexis breach may never have their identities stolen, but all should spend time checking for surprises on their credit reports. "Having your identity stolen is somewhat like contracting a chronic, protracted disease," observes privacy expert Daniel Solove, a law professor at George Washington University. Once you've been hit, you can't ever be 100% sure you are in the clear.

Geeks and Mobsters

A crook has two advantages: The rise of fast credit and the easy availability of the information he needs to pretend to be you. The first thing anyone you do business with wants to know about you is: Are you good for it? Lenders, department stores or cell-phone companies can get your credit information in moments with only a whiff of detail about you, explains consumer activist Ed Mierzwinski of U.S. Public Interest Research Group in Washington. Then it's up to them to verify that you are who you say you are and, let's face it, some have little incentive to probe deeply. Result: If a bad guy knows enough about you, and your credit score is reasonably good, there soon could be a half-dozen accounts in your name, with the bills being sent to an address you've never heard of.

Your Social Security number, of course, is one of the most important things to protect. "It's like the key to the castle," says John Pironti, a security consultant for Unisys. Too bad thousands of people can easily see it. DMVs and county courthouses have it; so do employers, health insurers and colleges. Small-time thieves can start their hunt using an Internet search for online public records or simply digging through your trash.

Big data heists require more organization, but not necessarily WarGames-style hacking. Criminals often prey on human trust to get people to unlock secure data. ChoicePoint actually sold its files to people posing as legitimate businessmen. And selling your Social Security number, by the way, is in many cases perfectly legal.

Making matters worse: Once your data gets downloaded, the Internet makes it easier for criminals to buy and sell it around the world, from gangs in Nigeria and Eastern Europe to boiler rooms in California. "They form almost a type of crime family, called Web mobs, set up like the old Mafia," says Matt Ziemniak, an analyst at the National Cyber Forensics and Training Alliance. "They know each other only online except at the very top."

Get the picture? The toothpaste is out of the tube. Tons of people have data about you. Tons can use that data. You don't know who most of these people are. Most will be honest, but all it takes is a few crooks. The remedy isn't more locks and cops to keep your data safe. The key is giving you more control over how your data can be used.

Your Data Should Be Yours

None of the businesses collecting your data want you to be a victim of ID theft. Crime is bad for business, after all. The industry simply has different priorities from yours. "They look at it like trading futures, trading oil, trading gas, trading corn--pick a commodity," observes Rep. Joe Barton (R-Texas). So naturally, they fight efforts to make their trading more difficult or less profitable.

The states, not the federal government, have been at the forefront of efforts to give consumers more privacy protections. Those advances have often come despite fierce opposition from business.

» NORTH DAKOTA Banks fought a referendum requiring them to get permission from customers before sharing information with other businesses. The campaign featured dramatic TV ads depicting a wall going up around North Dakota, keeping out all sorts of businesses if the ballot measure passed. But the referendum won with 73% of the vote. "It's not their information," says Republican state legislator Jim Kasper today. "It's ours."

» VERMONT Beginning July 1, the state will let residents put a freeze on their credit reports if they are victims of ID theft. The idea: No one can issue credit to you--or someone pretending to be you--until you contact the credit agencies and turn off the freeze. Financial services groups lobbied hard against the bill, recalls former state senator John Bloomer. "They were able to fly people up here," he says, "which for Vermont is a big step."

» CALIFORNIA Here you'll find the nation's toughest collection of privacy laws. Indeed, California allows all residents--not just identity theft victims--to freeze their credit. And we might never have learned of what happened at ChoicePoint or LexisNexis without California's law requiring that companies with data breaches notify the people affected. But another major privacy law, requiring bank customers to give their advance approval (or "opt in") before banks can share their information with other companies, was nearly squashed by industry opposition, says state Sen. Jackie Speier. Privacy advocates collected enough signatures around the state to qualify for a referendum, forcing the industry back to the table--and a bill passed. Not long after, however, bank groups sued in federal court to overturn a provision that allows Californians to tell banks never to share info with their own affiliates, such as insurance companies or brokerages. The banks lost but are appealing the decision.

» WASHINGTON STATE Lawmakers in Olympia have passed a security breach law similar to California's. But there's a key difference: Banks successfully fought for language that lets the company decide if a breach is serious enough to warrant a mass notice. "What does 'serious' mean?" asks Robert Pregulman of the consumer group WashPIRG. "You could spend years in court arguing about it."

What's the case against more consumer control? Industry types say such measures not only crank up their cost of doing business but can make life tougher for the very consumers the laws are supposed to help. Take the credit freeze. Mortgage brokers fight it because it can take several days to "thaw" your credit again--so if you have a freeze on yourself, forget about house hunting in a hot market. "It's a seller's market, and in a seller's market you have to be ready to bid immediately," says Pat Naselow of the Washington Association of Mortgage Brokers.

Maybe. But unlike some parts of the world, the U.S. hardly suffers from restrictions on credit; consumers here are loaded with debt. And the reforms being proposed would have a negligible effect on costs--credit cards charging 17% or more a year ought to be able to figure out how to make a profit somehow. C'mon, shouldn't consumers be the ones to weigh the trade-off between spur-of-the-moment loans and lasting peace of mind?

Trade groups correctly note that federal law already gives you some important rights. And since the market for credit is now national, rules and protections should be too. Data-intensive businesses often support federal laws that pre-empt states from making their own hodgepodge of rules. But the question here has to be: Would the federal rules undercut tougher state rules? "A lot of times," observes Rep. Ed Markey (D-Mass.), "industries attempt to use Congress to wipe out good work being done at the state level."

How to Fix It All

Grinding through the D.C. sausage factory is some constructive legislation that clamps down on the use of Social Security numbers and further restricts the sharing and brokering of data. But real, permanent protection requires giving consumers more control.

» You should be able to request a credit freeze at minimal cost. Credit rating agencies and mortgage brokers hate this one. But consumers ought to have the choice of limiting access to their own data--and that power should extend to all consumers, not just victims of ID theft or security breaches. This could add some inconvenience to your life, but Vermont attorney general William Sorrell thinks businesses overstate the problem. "A person who would put a freeze on would have the brains to think ahead before they go out and buy a car or apply for a card," he says.

» You should be notified whenever a third party asks an agency for your credit rating. Privacy advocates like Solove have proposed this idea to help people who don't want to keep their accounts frozen. But the credit rating industry grumbles that a notification rule like this would force it to give away something for free. If people are going to grant credit in your name without your permission, however, you should know about it.

» You must be notified when personal data is stolen or goes missing. This is already required by several states and certain federal regulators. Many businesses embrace the idea in principle, though they'd like more say in deciding which dangers you need to hear about. "We get into a situation where there's a 'crying wolf' syndrome," says Acxiom's Barrett, who would like a federal law pre-empting California's. Then again, notes consumer activist Mierzwinski, forcing firms to admit to serious data security breaches might embarrass them into beefing up their protections.

» It should be much easier for you to repair your credit after an ID theft. If the government can't stop identity theft, it can certainly help you clean up the mess by putting the entire time-eating, paper-gobbling process on one simple website that creditors can check so that you don't have to contact each one individually. Observes Indiana University professor Fred Cate: "Identity theft victims tell us that their biggest problem is just getting their reputations cleaned up."

Can the credit industry's interests and your privacy needs be reconciled? They will have to be--the status quo won't hold much longer. Criminal networks stealing hundreds of thousands of names at a pop could become a nightmare for the data industry, not just consumers. And bubbling public anger could boil over into an issue that Washington pols won't be able to ignore. Both the industry and the politicians should face up to the fact that the foot dragging can't continue. After all, consumers' interests are everybody's interests.